Mikrotik and Slingshot Hack


coxhaus

I saw this about a week back and I have not seen anything on this site about the problems with Mikrotik and Slingshot. Did I miss it?

My understanding is there is a big hack if you are not running the latest software and Winbox software. I think there is a hack in the software and in Winbox. The old Winbox allows a hacker to install bad DLLs in a Windows PC to where you need to reinstall your Windows PC. I don't own a Mikrotik router so I am no expert. I think there are some experts on Mikrotik on this site. Maybe they can fill us in.
 
My understanding with this hack is if you ever used an old version of winbox you need to wipe your Windows PC and install from scratch. Slingshot has been out in the wild for a long time. So most Mikrotik routers have been infected. Slingshot loads DLLs on to the Mikrotik router which just sit there. Once the router is accessed with Winbox it loads the DLLs onto the Windows PC and it becomes infected.
 
It wasn't the router itself, it was the windows application that managed it...

Disclosure of that vulnerability actually impacted certain military activities in those regions
 
More specifically, if you don't set your router rules right, a hacker will upload some files to it that are downloaded and run from Winbox. So as long as your router is secured by the right rules you'll be fine.
 
> It wasn't the router itself, it was the windows application that managed it...
>
> Disclosure of that vulnerability actually impacted certain military activities in those regions

The router is where the bad DLLs were stored. Yes the windows application did the dirty deed with the bad DLLs.
 
> More specifically, if you don't set your router rules right, a hacker will upload some files to it that are downloaded and run from Winbox. So as long as your router is secured by the right rules you'll be fine.

What do you need to do on a Mikrotik router to protect yourself from the bad DLLs being written on the router?
 
> What do you need to do on a Mikrotik router to protect yourself from the bad DLLs being written on the router?

Just prevent any sort of access. Make sure you drop inputs on multiple levels if your WAN consists of multiple interfaces (i.e. PPPoE, VLANs, etc. + physical port too).

2nd thing is make sure your own network is not infected on the LAN side. An infected PC could give someone access to your network too.

Don't use default usernames and passwords.

Lastly, keep RouterOS updated (a big flaw with the RB750gr3 from my experience as it had too little flash that it corrupted itself whenever you updated it).

Don't use untrustworthy services like untrustworthy DNS and NTP services. Perform hijacking of such services to force the use of your router's own service rather than outside.
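
The hardening steps listed in the post above, written out as RouterOS commands. This is an added example, not part of the original post and not MikroTik's own configuration. It assumes a router with no existing WAN/LAN interface lists, WAN on `ether1` and `pppoe-out1`, LAN on `bridge` with subnet 192.168.88.0/24, and a placeholder account name `netadmin`.

```routeros
# Added example. Assumed names: ether1 and pppoe-out1 (WAN), bridge (LAN),
# 192.168.88.0/24 (LAN subnet), netadmin (new account).

# Group every WAN-facing interface, physical and PPPoE, in one list
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=WAN interface=pppoe-out1
add list=LAN interface=bridge

# Input chain: only the LAN may talk to the router itself
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=LAN
add chain=input action=drop comment="drop all other input, any WAN interface"

# Management services: disable unused ones, bind Winbox and SSH to the LAN
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

# Replace the default account
/user add name=netadmin group=full password="REPLACE-WITH-LONG-PASSPHRASE"
/user remove admin

# Redirect LAN DNS and NTP to the router's own services
/ip dns set allow-remote-requests=yes
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53
# NTP redirect only works if the router's NTP server is enabled
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=123 action=redirect to-ports=123

# Check for and install RouterOS updates
/system package update check-for-updates
/system package update install
```

Apply the firewall and service changes from a LAN-side session, since the final input rule drops management traffic arriving on any other interface.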
 
> Just prevent any sort of access. Make sure you drop inputs on multiple levels if your WAN consists of multiple interfaces (i.e. PPPoE, VLANs, etc. + physical port too).
>
> 2nd thing is make sure your own network is not infected on the LAN side. An infected PC could give someone access to your network too.
>
> Don't use default usernames and passwords.
>
> Lastly, keep RouterOS updated (a big flaw with the RB750gr3 from my experience as it had too little flash that it corrupted itself whenever you updated it).
>
> Don't use untrustworthy services like untrustworthy DNS and NTP services. Perform hijacking of such services to force the use of your router's own service rather than outside.

This sounds like normal stuff for any router. How did slingshot attack Mikrotik specifically?
 
> This sounds like normal stuff for any router. How did slingshot attack Mikrotik specifically?

Older versions of Winbox used to download files from the router; this does not happen anymore in newer versions. RouterOS also ships with Winbox on the router itself, so updating helps too.
 
I read a lot of the thread and it sounds like Mikrotik is not interested in really helping anybody even though their router was exploited which caused people's machines to become infected.

I guess if you buy a Mikrotik you need to expect no help even on security matters with their routers. You are on your own.
 
> The router is where the bad DLLs were stored. Yes the windows application did the dirty deed with the bad DLLs.

Always makes me wonder - make some code in useful DLLs, but when it's combined with a framework, it becomes something very different...

ROP at its best...

(ROP - Return-Oriented Programming - we can place items on the stack and reassemble them from there in memory to make something completely different)
 
> I read a lot of the thread and it sounds like Mikrotik is not interested in really helping anybody even though their router was exploited which caused people's machines to become infected.
>
> I guess if you buy a Mikrotik you need to expect no help even on security matters with their routers. You are on your own.

the bug is not in the router code directly - it's in the management software that runs on Windows...
 
There must have been a problem with the router code to allow the bad DLLs on the router in the first place. The Winbox was only the transport.
 
> There must have been a problem with the router code to allow the bad DLLs on the router in the first place. The Winbox was only the transport.

To exploit the problem, one must connect to the router via its API/Winbox port, so if you had done your security in the first place by preventing remote access this would be prevented. If you used a consumer router and allowed WAN access and used default credentials, would the brand of the router be responsible?

Dlink is far worse, they were hackable without requiring credentials and you could do it from WAN too. They did not compensate the victims of their bad designs. I don't exactly say Mikrotik is good or bad, just that this flaw is only exploitable if you had an older version and did not properly secure your firewall. A lot of flaws that are found in routers are from the LAN side that wouldn't normally be accessible without an infected internal machine or physical access.

Mikrotik is hackable, but in a good way just like with Android and iOS. You can gain developer shell but only by booting it with OpenWrt to modify some files. I once heard someone using a CCR1036 for media encoding, getting near wirespeed encoding speeds.

Edit: after reading, it appears this is a very old problem where sellers/distributors would load malware onto the router itself (can be done on any router if you have physical access), this malware would either be something that is run on the router (such as via developer shell and installing and hiding stuff) or via DLL files through winbox. So this is basically the case where a supplier has done something illegal.
 
