Related vulnerability
Title:
N/A
(CVE-2024-54772)
Description: An issue was discovered in the Winbox service of MikroTik RouterOS versions v6.43 through v7.16.1. An attacker can enumerate valid accounts by observing the difference in response time between connection attempts made with valid and invalid usernames.
Description
This repo contains the exploit for CVE-2024-54772 which can enumerate valid usernames in Mikrotik routers running RouterOS
Introduction
# CVE-2024-54772 (MikroTik-RouterOS Username Enum)
This repo contains the exploit for **CVE-2024-54772** which can enumerate valid usernames in Mikrotik routers running RouterOS **v6.43** through **v7.17.1**.
**"mikrotik_routeros_username_enum.py"** Usage: `python3 mikrotik_routeros_username_enum.py <username> <target>`. The output will be either a valid or invalid username.
**"mikrotik_routeros_username_enum_wordlist.py"** Usage: `python3 mikrotik_routeros_username_enum_wordlist.py <wordlist_path> <target1,target2,...>`. The output will be all the valid usernames for every router IP entered.
Please note that every username is sent in a separate TCP session, because RouterOS doesn't respond to requests sent after 3 tries in the same TCP session.
**Reference:** https://www.cve.org/CVERecord?id=CVE-2024-54772
## REPORT and PoC
I was able to spot this bug after I developed the Nmap service probe that can identify the WinBox service running on port 8291. After inspecting many responses from many routers ranging from version 6.43 through 7.17.1, I noticed the discrepancy in the response between valid and invalid usernames. The following is the illustration:
Vulnerability PoC
Using WinBox Client

The router that I have access to is with version 6.49.15. As we can see from the image, the valid users in the router are “prop” and “admin”. The IP of the router is x.x.96.50.

We will try to send a login request to the router with a username “any”.

The picture above is a representation of the packet with username “any”.

The response comes with 35 bytes.

Now, let us try a valid user. Here “prop”

The picture above is the representation for the packet with the username “prop”.

The response will be with 51 bytes. This shows that the username “prop” is valid.
Next, we will try to do this with Netcat on a router that I do not have access to. This router is running the current version of RouterOS, which is 7.16.1.
Using Netcat

We have a random target with IP x.x.239.7 and with RouterOS version 7.16.1!

We will initiate a request with user “any”.

The picture above is a representation of the packet sent by Netcat with the username “any”.

The response will be with 35 bytes.

Now let us try with one of the most common usernames, which is “admin”.

The picture above is a representation of the packet sent by Netcat with the username “admin”

The response will be 51 bytes also!!
So, when the router responds with 35 bytes, the username is invalid. When it responds with 51 bytes, the username is valid.
Therefore, this security issue can be exploited through the WinBox client and in an automated fashion. It affects all RouterOS versions that support the WinBox non-legacy authentication mode, in both the long-term and the stable release trees, including the current ones: from RouterOS version 6.43 up to the current stable release, 7.16.1, and also the current long-term release, 6.49.13!
According to MITRE’s CWE database, the type of this weakness is called “CWE-204: Observable Response Discrepancy”.
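From the defender's side, the same discrepancy is what gives this PoC away in network telemetry: one TCP session per username (because RouterOS stops answering after 3 tries in a session), each answered with a 35- or 51-byte response on port 8291. The detector below is an added example, not code from this repo; the connection-log format, the sample records, the session threshold and the time window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

WINBOX_PORT = 8291
# Response sizes from the report: 35 bytes = invalid username, 51 bytes = valid username.
DISCREPANCY_SIZES = {35, 51}
MIN_SESSIONS = 5       # assumed alert threshold
WINDOW_SECONDS = 60    # assumed sliding window

# Constructed connection-log records (assumed format):
# <timestamp> <src_ip> <dst_ip> <dst_port> <bytes_sent_by_server>
SAMPLE_LOG = """\
2025-01-10T10:00:01 198.51.100.7 192.0.2.50 8291 35
2025-01-10T10:00:02 198.51.100.7 192.0.2.50 8291 35
2025-01-10T10:00:02 198.51.100.7 192.0.2.50 8291 51
2025-01-10T10:00:03 198.51.100.7 192.0.2.50 8291 35
2025-01-10T10:00:04 198.51.100.7 192.0.2.50 8291 35
2025-01-10T10:00:05 198.51.100.7 192.0.2.50 8291 35
2025-01-10T10:05:00 203.0.113.9 192.0.2.50 8291 51
2025-01-10T10:05:01 203.0.113.9 192.0.2.50 443 1500
"""


def parse_line(line):
    ts, src, dst, dport, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)


def detect_winbox_enum(log_text, min_sessions=MIN_SESSIONS, window=WINDOW_SECONDS):
    """Return {(src, dst): (session_count, valid_hits)} for every source that opened
    at least `min_sessions` Winbox sessions within `window` seconds, each answered
    with one of the discrepancy-sized responses. `valid_hits` counts the 51-byte
    answers, i.e. how many usernames the probing source likely confirmed."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = parse_line(line)
        if dport == WINBOX_PORT and nbytes in DISCREPANCY_SIZES:
            sessions[(src, dst)].append((ts, nbytes))
    alerts = {}
    for key, events in sessions.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over timestamps
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            count = end - start + 1
            if count >= min_sessions:
                valid_hits = sum(1 for _, n in events[start:end + 1] if n == 51)
                alerts[key] = (count, valid_hits)
    return alerts
```

A single legitimate WinBox login never produces a burst of one-response sessions, so the threshold mainly needs to stay above what a user retrying a password by hand would generate.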
File snapshot
[4.0K] /data/pocs/c1e9844f574b80ca18e65f38cae8fb1c1d180b2f
├── [1.3K] mikrotik_routeros_username_enum.py
├── [2.9K] mikrotik_routeros_username_enum_wordlist.py
└── [4.4K] README.md
0 directories, 3 files