What does Misfortune Cookie have to do with TR-069?
We began this research by surveying client-side implementations of TR-069 <http://en.wikipedia.org/wiki/TR-069> (CWMP), after noticing the extreme prevalence <https://zmap.io/paper.pdf%22> of endpoints listening on the default CWMP Connection-Request port (7547), second only to HTTP (port 80) listening endpoints. Misfortune Cookie was uncovered during the examination of RomPager - the most popular recognized service on this port.

Is this a problem with the TR-069 protocol specification?
While the proliferation of devices managed by TR-069 is responsible for creating a very large vulnerable client population, Misfortune Cookie is not a vulnerability related to the TR-069/CWMP per se. Misfortune Cookie affects any implementation of a service using the old version of RomPager’s HTTP parsing code, on port 80, 8080, 443, 7547, and others.

http://mis.fortunecook.ie/

Justin Miller
VA SkyWire, LLC
1707 E Main St
Richmond, VA 23223
Office: (804) 521-4212
Desk: (804) 591-0500 ext 101
Fax: (804) 591-1559
[email protected]

> On Dec 23, 2014, at 12:00 PM, Brough Turner <[email protected]> wrote:
>
> No it's an issue with the RomPager embedded web server software from Allegro Software.
> See:
>
> http://www.prweb.com/releases/misfortunecookie/allegrosoft/prweb12409335.htm
>
> https://www.allegrosoft.com/allegro-software-urges-manufacturers-to-maintain-firmware-for-highest-level-of-embedded-device-security/news-press.html
>
> MikroTik does not use this software but some models by ASUS, D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL do.
>
> Thanks,
> Brough
>
> Brough Turner
> netBlazr Inc. – Free your Broadband!
> Mobile: 617-285-0433 Skype: brough
> netBlazr Inc. <http://www.netblazr.com/> | Google+ <https://plus.google.com/102447512447094746687/posts?hl=en> | Twitter <https://twitter.com/#%21/brough> | LinkedIn <http://www.linkedin.com/in/broughturner> | Facebook <http://www.facebook.com/brough.turner> | Blog <http://blogs.broughturner.com/> | Personal website <http://broughturner.com/>
>
> On Tue, Dec 23, 2014 at 11:54 AM, Justin Miller <[email protected]> wrote:
> No it’s an issue with TR-069 which is not part of RouterOS.
>
> Justin Miller
>
> VA SkyWire, LLC
> 1707 E Main St
> Richmond, VA 23223
> Office: (804) 521-4212
> Desk: (804) 591-0500 ext 101
> Fax: (804) 591-1559
> [email protected]
>> On Dec 23, 2014, at 11:25 AM, Joey Craig <[email protected]> wrote:
>>
>> Misfortune Cookie vulnerability affects 12 million routers | CSO Online
>>
>> http://www.csoonline.com/article/2862378/malware-cybercrime/misfortune-cookie-vulnerability-affects-12-million-routers.html
>> _______________________________________________
>> Mikrotik-users mailing list
>> [email protected]
>> http://lists.wispa.org/mailman/listinfo/mikrotik-users
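
An added example, not part of the original thread: the FAQ text quoted above ties exposure to RomPager's HTTP code rather than to TR-069 or port 7547, so this Python audit keys on the `Server` banner of responses already collected from your own devices instead of on the port. The hosts, banners, the `RomPager/4.07` value and all function names are constructed for illustration; the thread gives no version numbers, so the version is only reported, not judged.

```python
import re

# Ports named in the FAQ text quoted in this thread (it adds "and others").
FAQ_PORTS = (80, 8080, 443, 7547)
ROMPAGER = re.compile(r"RomPager(?:/(\d+(?:\.\d+)*))?", re.IGNORECASE)

def server_header(raw: bytes):
    """Return the Server header value from a raw HTTP response, or None.
    Only the header block is read, so body text cannot produce a match."""
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line:                           # blank line ends the headers
            break
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None

def audit(captures):
    """captures: iterable of (host, port, raw_response) from your own inventory.
    Returns one finding per listener whose banner names RomPager, on any port."""
    findings = []
    for host, port, raw in captures:
        match = ROMPAGER.search(server_header(raw) or "")
        if match:
            findings.append({
                "host": host,
                "port": port,
                "version": match.group(1),     # None if the banner omits it
                "listed_port": port in FAQ_PORTS,
            })
    return findings

# Constructed sample responses (documentation addresses, made-up banners).
SAMPLE = [
    ("192.0.2.10", 7547, b"HTTP/1.1 401 Unauthorized\r\nServer: RomPager/4.07 UPnP/1.0\r\n\r\n"),
    ("192.0.2.10", 8081, b"HTTP/1.1 200 OK\r\nserver:RomPager/4.07\r\n\r\n<html></html>"),
    ("192.0.2.20", 7547, b"HTTP/1.1 401 Unauthorized\r\nServer: ExampleCWMP/1.0\r\n\r\n"),
    ("192.0.2.30", 80, b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nServer: RomPager/4.07\r\n"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)  # compare each against the device vendor's firmware notes
```

The CWMP listener on 192.0.2.20 is not flagged because its banner is not RomPager, while the RomPager listener on the unlisted port 8081 is.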
