MikroTik RouterOS - sshd (ROSSSH) Unauthenticated Remote Heap Corruption

Vulnerability ID 1065164 Vulnerability type N/A
Published 2013-09-03 Updated 2013-09-03
CVE ID N/A CNNVD-ID N/A
Platform Hardware CVSS score N/A
|Vulnerability source
https://www.exploit-db.com/exploits/28056
|Vulnerability details
Vulnerability details have not yet been disclosed.
|Vulnerability EXP
During an audit, the MikroTik RouterOS sshd (ROSSSH) was found to contain a remote, pre-authentication heap corruption in its sshd component.

Successful exploitation of this vulnerability allows full access to the router device.

This analysis describes the bug and includes a way to get developer access to recent versions of MikroTik RouterOS
using the /etc/devel-login file. This is done by forging a modified NPK file with a correct signature and logging
into the device with the username 'devel' and the administrator's password. This drops into a BusyBox shell, from which
the sshd vulnerability can be researched further using gdb and strace tools compiled for the MikroTik BusyBox
platform.

Shodanhq.com shows more than 290,000 entries for the ROSSSH search term.

The 50 MB MikroTik package, including all research items, can be downloaded here:

http://www.farlight.org/mikropackage.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/28056.zip