So the lynchpin looks to actually be this ChimayRed tool.  It gets you admin 
access and a prelim shell so that you can upload the rest of the payload.

Perhaps if you just turned the web server off on all of your MTs you would be 
safe?

-- Nathan
________________________________________
From: mikrotik-boun...@mail.butchevans.com 
<mikrotik-boun...@mail.butchevans.com> on behalf of Nathan Anderson 
<nath...@fsr.com>
Sent: Tuesday, March 7, 2017 1:12 PM
To: mikrotik@mail.butchevans.com
Subject: Re: [Mikrotik] Quick side question...

Looks like ChimayRed is described here: 
https://wikileaks.org/ciav7p1/cms/page_16385037.html

Fascinating.  Would love to know the details of what the exploit is.  Sounds 
like a vulnerability in the ROS web server.

-- Nathan
________________________________________
From: mikrotik-boun...@mail.butchevans.com 
<mikrotik-boun...@mail.butchevans.com> on behalf of Nathan Anderson 
<nath...@fsr.com>
Sent: Tuesday, March 7, 2017 1:06 PM
To: mikrotik@mail.butchevans.com
Subject: Re: [Mikrotik] Quick side question...

Based on my use of 'devel', tool/profile probably would not show.

This is an interesting page, but it leaves some questions unanswered and also 
doesn't make sense 100%.

"should be hardware-agnostic" -- don't see how; you have to build a separate 
busybox binary for each arch.  As MT comes out with RBs based on new CPU archs, 
you gotta keep up.  Also, I don't see how "implant" can be hardware-ag unless 
it's just a shell script that relies on busybox?

You clearly have to already know the admin credentials for this to work, just 
like you would with 'devel'.

Not sure what "ChimayRed" is.  Presumably a tool developed internally.

'devel' has not been patched/"closed".  It is still an integral part of ROS and 
is presumably used by MT developers to this day and kept around for that 
purpose (development and testing, hence the name).  It has also never been 
enabled by default and you have to go to some lengths to enable it.  (There 
were some security bugs that allowed you to create the devel-login file from a 
ROS CLI and no other tools required waaaaay in the past...like, the 3.x past.  
THOSE have been LONG closed, yeah.  But 'devel' is absolutely still a thing.  I 
have enabled it on many an x86, MIPS, and PPC RouterOS box running latest 6.x 
code.)

I am also not aware of any way to enable 'devel' without either already knowing 
the admin login (with the old 3.x holes) or having physical access to the 
router (current methods).  So I'm not sure how this method is better.

I have not been able to get devel access on RB3011 (ARM) or CCR (Tile) yet, 
just because I don't have kernels yet that I can netboot and that have all of 
the proper hardware support (most important: either console access, USB port 
access, or single ethernet port, plus drivers for the NAND or SPI).  I also 
don't have a Tile cross-compile environment set up yet either.  So this is 
mildly interesting from that perspective.

-- Nathan
________________________________________
From: mikrotik-boun...@mail.butchevans.com 
<mikrotik-boun...@mail.butchevans.com> on behalf of Eric Tykwinski 
<eric-l...@truenet.com>
Sent: Tuesday, March 7, 2017 12:46 PM
To: mikrotik@mail.butchevans.com
Subject: [Mikrotik] Quick side question...

Don't know if anyone caught the wikileaks release, but there's some Mikrotik
stuff in there.

https://wikileaks.org/ciav7p1/cms/page_44957707.html

Looks like it's your basic busybox shell and a backdoor on the routers,
including CCRs.

Just wondering if you think tool/profiles would show the process running?

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS