A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Bug Hunting in RouterOS - Jacob Baines Derbycon 2018 (Hacking Illustrated Series InfoSec Tutorial Videos)

Bug Hunting in RouterOS
Jacob Baines
Derbycon 2018

RouterOS is the “operating system” that router manufacturer Mikrotik built on top of Linux for their embedded devices.Typically, when researchers think of embedded devices they think of simple interfaces and easy-to-find vulnerabilities. However, this isn’t the case with RouterOS. The OS is rich with features you’d expect to find in more expensive Cisco models and it’s been largely protected from bug hunters due to the proprietary protocols it uses with its web client (webfig) and its thick client (winbox). Some APT events like Slingshot and VPNFilter prove that RouterOS is a valuable target. By exploiting vulnerabilities in RouterOS, attackers gain a privileged position in the victim’s network. Yet, there is no public tooling to aid in finding vulnerabilities in RouterOS. In this presentation, I will breakdown Mikrotik’s proprietary protocols and show the audience how to find bugs deep within the system. In this talk, I'll show the audience how to negotiation communication with RouterOS's webfig and break down the proprietary protocol that routes packets through the system. I'll combine what we've learned by showing off an authenticated stack buffer overflow that Tenable found in RouterOS. Note to Review Board: I have a specific authenticated stack buffer overflow I plan to demonstrate. We have already disclosed the vulnerability to Mikrotik and it should be patched (or outside of Tenable’s 90-day disclosure policy) by the time DerbyCon rolls around.

Jacob is the team lead of Tenable's new zero day research team. Previously, he was working as a reverse engineer on Tenable's Nessus project.


Back to Derbycon 2018 video list

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast