ASA-2020-00001 – MikroTik WinBox: Path traversal vulnerability in the parameter name from the list of files


Allele Security Alert

ASA-2020-00001

Identifier(s)

ASA-2020-00001, CVE-2020-5720, TRA-2020-07

Title

Path traversal vulnerability in the parameter name from the list of files

Vendor(s)

MikroTik

Product(s)

MikroTik WinBox

Affected version(s)

MikroTik WinBox before version 3.21

Fixed version(s)

MikroTik WinBox version 3.21

Proof of concept

Yes

Description

MikroTik WinBox before 3.21 is vulnerable to a path traversal issue that allows an attacker to write files anywhere on the system where WinBox has write privileges.

Technical details

When WinBox connects to a router, it downloads the list file from /home/web/webfig/. This file contains a list of files that WinBox should download in order to obtain package descriptions. WinBox downloads these files and stores them on the client’s system within the MikroTik roaming directory:

C:\Users\[username]\AppData\Roaming\Mikrotik\Winbox

The names of the created files come directly from the downloaded list file. For example, this is a line from list:

{ crc: 164562873, size: 1149, name: "advtool.jg", unique: "advtool-fc1932f6809e.jg", version: "6.39.3" }

WinBox will use the name “advtool.jg” as the filename in the roaming directory. However, WinBox does not check these names for directory traversal. So if presented with:

{ crc: 164562873, size: 1149, name: "../../../../../../../Users/Public/lol.txt", unique: "advtool-fc1932f6809e.jg", version: "6.39.3" }

Then WinBox would create the file C:\Users\Public\lol.txt and fill it with contents provided by the attacker.

An attacker can exploit this bug by getting a victim to connect to a malicious MikroTik router or a fake router (see the PoC for CVE-2019-3981), or through a man-in-the-middle attack. The attacker can then perform the downgrade attack described in TRA-2020-01. The client will then try to download the files from the attacker.
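
The check that was missing, as an added example (not WinBox's code and not part of the original advisory): it reads the name values from list entries in the format quoted above and accepts only bare filenames that resolve directly inside the roaming directory. The username alice, the function names and the regex-based parsing are assumptions made for illustration.

```python
import ntpath
import re

# Assumed cache directory: the advisory's path with a constructed username.
BASE_DIR = r"C:\Users\alice\AppData\Roaming\Mikrotik\Winbox"

# Matches the name field of a list entry in the format quoted in the advisory.
NAME_RE = re.compile(r'\bname:\s*"([^"]*)"')

def entry_names(list_text):
    """Return every name value found in the downloaded list file text."""
    return NAME_RE.findall(list_text)

def resolve(name, base=BASE_DIR):
    """Resolve name as a Windows client would when joining it to base."""
    return ntpath.normpath(ntpath.join(base, name))

def is_safe_name(name, base=BASE_DIR):
    """Accept only a bare filename that stays directly inside base."""
    if not name or name in (".", ".."):
        return False
    # Reject both separator styles, drive letters and stream syntax outright.
    if any(ch in name for ch in "/\\:"):
        return False
    # Defence in depth: the resolved file's parent must be exactly base.
    parent = ntpath.dirname(resolve(name, base))
    return ntpath.normcase(parent) == ntpath.normcase(ntpath.normpath(base))

def audit(list_text, base=BASE_DIR):
    """Return (name, resolved_path, safe) for each entry in the list."""
    return [(n, resolve(n, base), is_safe_name(n, base))
            for n in entry_names(list_text)]

# The two entries quoted in the advisory, embedded so the check runs offline.
SAMPLE_LIST = '''
{ crc: 164562873, size: 1149, name: "advtool.jg", unique: "advtool-fc1932f6809e.jg", version: "6.39.3" }
{ crc: 164562873, size: 1149, name: "../../../../../../../Users/Public/lol.txt", unique: "advtool-fc1932f6809e.jg", version: "6.39.3" }
'''

if __name__ == "__main__":
    for name, path, safe in audit(SAMPLE_LIST):
        print(f"{'ok  ' if safe else 'DROP'} {name!r} -> {path}")
```

The same audit can be run over a list file captured from a router before trusting it; any entry reported as unsafe resolves outside the roaming directory or is not a plain filename.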

Credits

Jacob Baines (Tenable Research)

Reference(s)

MikroTik WinBox Path Traversal
https://www.tenable.com/security/research/tra-2020-07

winbox_drop_file.py
https://github.com/tenable/routeros/blob/master/poc/cve_2020_5720/winbox_drop_file.py

winbox_server.py
https://github.com/tenable/routeros/blob/master/poc/cve_2019_3981/winbox_server.py

Winbox v3.21 released!
https://forum.mikrotik.com/viewtopic.php?f=21&t=157150

MikroTik WinBox Man-in-the-Middle Password Hash Disclosure
https://www.tenable.com/security/research/tra-2020-01

CVE-2020-5720
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5720

CVE-2020-5720
https://nvd.nist.gov/vuln/detail/CVE-2020-5720

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 7, 2020

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.