The Router OS designed and build by MikroTik, gives the customers and users, endless software/hardware configuration related to internet addresses and data traffic. Companies and end users make their choice, buying products supporting Router OS by reason of reducing costs and investment in the similar expensive equipment from different brands for certain purpose. Competitive advantages are on first place costs, similar performance and high level of customization claimed by Burgess (2009, p. 18).
Taking under consideration as above mentioned, we needed to highlight that there might be some vulnerabilities due to its specific build, hardware support etc. This document will try to provide main vulnerability assessment of the MikroTik Router OS.
Assumptions
The assessment will be covered, using Linux distribution, Wireshark dumps and MikroTik image (5.18) running on virtual machine, dump of the installed image and main inspection of it.
Analysis steps
The system is running in shell mode using text interface for main communication between the users. There are two applications which providing us better user friendly environment for configuration and monitoring - winbox and the dude, these will be discussed later on.
The main screen has interesting copyright logo:
The first thing we need to do is to check the image for what versions of GCC are used. To do that the following command is executed in the terminal:
mihail-PC Desktop # strings -a mikrotik.iso | grep ^GCC: | sort | uniq
GCC: (GNU) 2.7.2.3
GCC: (GNU) 4.4.3
GCC: (GNU) 4.5.0
GCC:x
How we could see, there are random versions of GCC used. This will highlight that we observe not so clean source code or presumably this is noticeable, if we execute the command without any sorting. But if we comparing this output with older images, the code is improved.
Next is to mount the image (made by using the command: dd if=/dev/sba/ of=/home/mihail/Desktop/mikrotik.iso). The mounting command is used for further exploring the image:
mihail-PC Desktop # mkdir /mnt/mikrotik
mihail-PC Desktop # mount -o loop /home/mihail/Desktop/mikrotik.iso /mnt/mikrotik
and the journaling file system is ext3 used by MikroTik:
mihail-PC Desktop # /sbin/fdisk -l -u mikrotik.iso
Disk mikrotik.iso: 7756 MB, 7756438528 bytes
255 heads, 63 sectors/track, 942 cylinders, total 15149294 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x040a2c07
This doesn't look like a partition table
Probably you selected the wrong device.
Device Boot Start End Blocks Id System
mikrotik.iso1 ? 179327171 3148873386 1484773108 e8 Unknown
mikrotik.iso2 ? 4288735264 4288785271 25004 58 Unknown
mihail-PC Desktop # dmesg | tail -n 6
[ 21.054684] wlan0: associated
[ 21.055630] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 21.347535] init: plymouth-stop pre-start process (2205) terminated with status 1
[ 591.090886] kjournald starting. Commit interval 5 seconds
[ 591.091063] EXT3-fs (loop0): using internal journal
[ 591.091066] EXT3-fs (loop0): mounted filesystem with ordered data mode
The list of all files is long (2255), therefore it cannot be applied in this document, but the command for this list is: mihail-PC mikrotik # find . Revealing also all the hidden files.
From this list some files are interesting such as:
./home/web/telnet.jpg
./home/web/winbox.png
./home/web/winbox/roteros.dll
./home/web/winbox/system.dll
./home/web/winbox/system.info
These files will be discussed in the next paragraphs.
Further exploring of the image, shows that most of the kernel modules, are custom ones due to their non-standard filenames and different authors. The following command is used in terminal to show us this list:
mihail-PC mikrotik # find . -type f -iname *o -exec modinfo '{}' ;
This list is also long (9844 lines) and therefore it cannot be applied in this document.
Next is the Wireshark capture which shows us that we have a broadcast from the router over the network by default settings:
338 59.999842000 192.168.56.2 255.255.255.255 MNDP 131
0000 ff ff ff ff ff ff 08 00 27 7f 95 e3 08 00 45 00 ........ '.....E.
0010 00 75 00 00 40 00 40 11 65 c1 c0 a8 14 0f ff ff .u..@.@. e.......
0020 ff ff 16 2e 16 2e 00 61 3b 9a 03 00 00 00 00 01 .......a ;.......
0030 00 06 08 00 27 7f 95 e3 00 05 00 08 4d 69 6b 72 ....'... ....Mikr
0040 6f 54 69 6b 00 07 00 04 35 2e 31 38 00 08 00 08 oTik.... 5.18....
0050 4d 69 6b 72 6f 54 69 6b 00 0a 00 04 bb 00 00 00 MikroTik ........
0060 00 0b 00 09 57 35 45 59 2d 4c 48 54 39 00 0c 00 ....W5EY -LHT9...
0070 03 78 38 36 00 0e 00 01 01 00 10 00 06 65 74 68 .x86.... .....eth
0080 65 72 31 er1
The MNDP is stands for MikroTik Neighbor Discovery Protocol, this reveals vital information for the running software (version, platform in this case is a PC x86, interface name, license version which could be seen on the main console screen):
MikroTik 5.18 W5EY-LHT9 x86 ether1. In my opinion this could be vulnerability due to existing exploits for this particular version of MikroTik.
339 59.999842000 192.168.56.2 255.255.255.255 CDP 93
0000 01 00 0c cc cc cc 08 00 27 7f 95 e3 00 4f aa aa ........ '....O..
0010 03 00 00 0c 20 00 01 78 08 52 00 01 00 0c 4d 69 .... ..x .R....Mi
0020 6b 72 6f 54 69 6b 00 02 00 11 00 00 00 01 01 01 kroTik.. ........
0030 cc 00 04 c0 a8 14 0f 00 03 00 0a 65 74 68 65 72 ........ ...ether
0040 31 00 04 00 08 00 00 00 01 00 05 00 08 35 2e 31 1....... .....5.1
0050 38 00 06 00 0c 4d 69 6b 72 6f 54 69 6b 8....Mik roTik
If the web interface is used man in the middle attack could take place, due to obtaining the username of the logging person or furthermore cookie stealing, DoS.
GET /mikrotik_logo.png HTTP/1.1
Host: 192.168.56.2
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.56.2/
Cookie: username=admin
If the winbox interface tool is used we observe interesting loading of libraries from the router to the client. On the first communication after authentication and authorization, after the TCP handshake (by default winbox is using port number 8291) the following TCP stream shows the picture:
index
2186972320 635044 roteros.dll 5.18
189682468 31009 advtool.dll 5.18
3825751379 35248 dhcp.dll 5.18
1067483154 38357 hotspot.dll 5.18
1782698178 39435 ipv6.dll 5.18
2504207432 28210 isdn.dll 5.18
3379136678 31419 kvm.dll 5.18
3362759098 2..8718 lcd.dll 5.18
102353183 38558 mpls.dll 5.18
2051061949 29025 ntp.dll 5.18
3384587699 34540 pim.dll 5.18
3674202922 41792 ppp.dll 5.18
4028915912 30897 rb.dll 5.18
1552865830 53647 roting4.dll 5.18
956768923 44169 secure.dll 5.18
3853381473 4848 systemG.dll 5.18
320278743 29567 ups.dll 5.18
3306910964 59316 wlan4.dll 5.18
These libraries (first column presumably is the checksum, followed by file size, name, and version) could provide the attacker chance to attack the client side of the communication between. The complete list of libraries is situated in /mnt/mikrotik/home/web/winbox
mihail-PC winbox # ls -alFh
total 1.6M
drwxr-xr-x 2 root root 4.0K Nov 29 21:40 ./
drwxr-xr-x 10 root root 4.0K Nov 29 21:13 ../
-rwxr-xr-x 1 root root 35 Jun 21 09:14 00roteros.info*
-rwxr-xr-x 1 root root 31K Jun 18 16:01 advtool.dll*
-rwxr-xr-x 1 root root 33 Jun 18 16:01 advtool.info*
-rwxr-xr-x 1 root root 35K Jun 18 16:03 dhcp.dll*
-rwxr-xr-x 1 root root 31 Jun 18 16:03 dhcp.info*
-rwxr-xr-x 1 root root 38K Jun 18 16:08 hotspot.dll*
-rwxr-xr-x 1 root root 34 Jun 18 16:08 hotspot.info*
lrwxrwxrwx 1 root root 15 Nov 29 21:05 index -> /ram/winbox.idx
-rwxr-xr-x 1 root root 39K Jun 18 16:07 ipv6.dll*
-rwxr-xr-x 1 root root 31 Jun 18 16:07 ipv6.info*
-rwxr-xr-x 1 root root 28K Jun 18 16:32 isdn.dll*
-rwxr-xr-x 1 root root 31 Jun 18 16:32 isdn.info*
-rwxr-xr-x 1 root root 31K Jun 18 16:34 kvm.dll*
-rwxr-xr-x 1 root root 30 Jun 18 16:34 kvm.info*
-rwxr-xr-x 1 root root 29K Jun 18 16:32 lcd.dll*
-rwxr-xr-x 1 root root 30 Jun 18 16:32 lcd.info*
-rwxr-xr-x 1 root root 38K Jun 18 16:07 mpls.dll*
-rwxr-xr-x 1 root root 30 Jun 18 16:07 mpls.info*
-rwxr-xr-x 1 root root 29K Jun 18 16:16 ntp.dll*
-rwxr-xr-x 1 root root 30 Jun 18 16:16 ntp.info*
-rwxr-xr-x 1 root root 34K Jun 18 16:22 pim.dll*
-rwxr-xr-x 1 root root 30 Jun 18 16:22 pim.info*
-rwxr-xr-x 1 root root 41K Jun 18 16:04 ppp.dll*
-rwxr-xr-x 1 root root 30 Jun 18 16:04 ppp.info*
-rwxr-xr-x 1 root root 31K Jun 18 16:16 rb.dll*
-rwxr-xr-x 1 root root 29 Jun 18 16:16 rb.info*
-rwxr-xr-x 1 root root 621K Jun 21 09:14 roteros.dll*
-rwxr-xr-x 1 root root 53K Jun 18 16:06 roting4.dll*
-rwxr-xr-x 1 root root 34 Jun 18 16:06 roting4.info*
-rw-r--r-- 1 root root 91K Nov 29 21:20 s.dll
-rwxr-xr-x 1 root root 44K Jun 18 16:02 secure.dll*
-rwxr-xr-x 1 root root 32 Jun 18 16:02 secure.info*
-rwxr-xr-x 1 root root 4.8K Jun 18 15:56 system.dll*
-rwxr-xr-x 1 root root 32 Jun 18 15:56 system.info*
-rwxr-xr-x 1 root root 29K Jun 18 16:16 ups.dll*
-rwxr-xr-x 1 root root 29 Jun 18 16:16 ups.info*
-rwxr-xr-x 1 root root 112K Jun 21 17:22 winbox.exe*
-rwxr-xr-x 1 root root 58K Jun 18 16:12 wlan4.dll*
-rwxr-xr-x 1 root root 32 Jun 18 16:12 wlan4.info*
Next step is to check the default open ports of the Router OS. This could be seen using the command in the terminal if the nmap is already installed:
mihail-PC mihail # nmap -sS -A 192.168.56.2 -TInsane -oA /tmp/nmap -p 1-65535
# Nmap 6.00 scan initiated Mon Dec 10 09:23:11 2012 as: nmap -sS -A -TInsane -oA /tmp/nmap -p 1-65535 192.168.56.2
Nmap scan report for 192.168.56.2
Host is up (0.00052s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp MikroTik router ftpd 5.18
22/tcp open ssh MikroTik RouterOS sshd (protocol 2.0)
|_ssh-hostkey: 1024 48:4b:a9:d7:34:d9:22:f8:29:d3:0a:7d:ed:b2:19:2e (DSA)
23/tcp open telnet Linux telnetd
53/tcp open domain Mikrotik RouterOS named or OpenDNS Updater
80/tcp open http MikroTik router config httpd
|_http-title: RouterOS router configuration page
| http-robots.txt: 1 disallowed entry
|_/
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
2000/tcp open bandwidth-test Mikrotik bandwidth-test server
8291/tcp open unknown
MAC Address: 08:00:27:3F:DB:11 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.19 - 2.6.35
Network Distance: 1 hop
Service Info: OSs: Linux, RouterOS; Device: router; CPE: cpe:/o:linux:kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.52 ms 192.168.56.2
That is obvious is by default the open ports are 21, 22, 23, 53, 80, 2000, 8291. Port 8291 is used by winbox is changeable as the other listed, in earlier versions of Router OS this option is not available, but if the nmap is used this could not work for security measures.
Cite This Work
To export a reference to this article please select a referencing style below: