There are several ways to send internal IPC messages as a user of RouterOS. And from there, it is fairly easy to pivot into a ropchain and do something more sophisticated. So clearly, if we can send a controlled message that hits this handler, we can invoke any function we want. Inspecting the actual functions inside handler #2 of /nova/bin/www, we find a function called FoisHandler::cmdUnknown that gets run when these types of messages are received.Īmazingly, this function pulls out parameter 0x11 from the message and invokes it as a function using two of the other parameters as arguments! Specifically, we found a message that was being sent from the Additionally, we noticed that two of the arguments seemed to be virtual pointers (32-bit x86) which piqued our interest because it was very unusual. These servlets are libraries that get loaded into /nova/bin/library will get loaded into the memory space.ĭuring this library loading process, we noticed some interesting traffic in the message tracer: The RouterOS web interface is implemented by the /nova/bin/For example, the jsproxy.p servlet handles requests to /jsproxy and the winbox.p servlet handles requests to /winbox, etc. In the following demo, you can see all of the messages exchanged as we paginate through the web interface: notify processes when a client has disconnectsĭuring our reverse engineering efforts, we wrote an internal message tracer tool that allows us to visualize all of the messages exchanged during operation of the router.send frequent updates about process state (e.g.update/retrieve configuration parameters.IPC communication is a crucial part of RouterOS operation. These exist in a pseudo-JSON format (pre 6.38) and a serialized binary format:Įach process has a fixed address inside the RouterOS system for example /nova/bin/user is at address 13 and /nova/bin/For example, /nova/bin/user has a handler at address 4 that acts as the "login" endpoint and performs authentication for other services: The actual data packets are Nova Messages ( nv::message internally). Inside MikroTik's RouterOS, programs communicate with eachother using a custom IPC protocol. Definitely check that out for more details! RouterOS IPC Note: this section is mostly an abbreviated version of our full blog post. In this section we go over some background knowledge about RouterOS IPC and discuss the two vulnerabilities. f /path/to/nova/bin/www How does it work?įOISted leverages two vulnerabilities in RouterOS v6 to enable remote code execution.
0 Comments
Leave a Reply. |