06-04, 16:00–17:00 (US/Eastern), Grand Salon
In the wide expanse of router manufacturers and models, there is one reverse engineering target that stands out from the rest: MikroTik. Unlike many routers which run a patchwork of services that vary widely across models and firmware versions, MikroTik maintains a uniform, standardized operating system, RouterOS, which runs across all router models. Customized internal frameworks and proprietary communication protocols offer a challenging, but interesting, reverse engineering landscape. However, the reliance on complex, proprietary infrastructure and the lack of easy access to the core system imposes a high barrier to entry for new reverse engineers. As a result, MikroTik security research has largely remained in obscurity. Until now…
In this talk, we will take an exciting adventure into the depths of MikroTik firmware, revealing new insights with RouterOS’s unique IPC protocol, proprietary message format, and custom cryptographic protocols. We will also release a new RouterOS remote jailbreak, the first in three years, which should help accelerate new and ongoing research efforts. Our goal by the end of the talk is to bring an interested reverse engineer from zero knowledge to a working understanding of RouterOS internals and put MikroTik security research back into the limelight.
We will provide a comprehensive system overview of RouterOS internals, enhanced by technical demonstrations to reinforce key concepts. We’ll start with an executive summary of MikroTik and RouterOS, introducing the user-facing management systems and providing a concise history of previous security research. We will briefly introduce some previously disclosed vulnerabilities used to create MikroTik botnets and jailbreak devices.
Next, we will take a bird’s eye view of the whole RouterOS system. We will describe the RouterOS boot process and explore how signed packages are verified during boot and unpacked (and how to patch the kernel to bypass package validation and side-load our own binaries). We will then peek at the userspace filesystem layout and explore how processes are started via system configuration files.
With this baseline understanding of RouterOS, we will dive into its proprietary interprocess communication (IPC) protocol and describe how programs can send messages to each other in a highly abstracted (and hilariously router-inspired) way. We will explore how these processes live in namespaces and can register handlers to perform operation-specific functionality such as a centralized authorization protocol or dynamic namespace allocation at runtime to manage user-side Javascript sessions in the web interface. Next, we will describe the technical details of how each process partitions roles and responsibilities between individual handlers and how handlers validate message permissions prior to processing. To demonstrate this understanding, we will develop our own binary running on RouterOS, capable of communicating natively with existing system processes. We will also demonstrate a tool used to analyze and mutate system messages in real time to observe the router’s internal communication flow.
Applying this understanding of RouterOS IPC, we will explore some highly-obfuscated, and highly suspicious, hand-rolled cryptography in the user authentication flows. We will thoroughly describe the reverse-engineered math and discuss possible (dubious) origins and implications. We will demonstrate a tool capable of accurately reproducing the customized elliptic curve cryptography calculations as performed by RouterOS and we use this tool to restore functionality to long-broken user-creating tooling that interfaces with the MAC Telnet and Winbox protocols.
Finally, we will release a new RouterOS remote jailbreak that utilizes two chained vulnerabilities: an admin to system level privilege escalation and a vulnerable handler in the www application. We will describe the path to finding these vulnerabilities (including some humorous attempts at anti-debug) and we will release a script capable of jailbreaking any RouterOS v6.x.x (current long-term release channel). This jailbreak will be the first publicly available jailbreak for MikroTik devices since 2019.
Attendees will walk away from this talk with a detailed, top-down understanding of RouterOS internal systems that is reinforced through graphical demonstration and walkthroughs. We hope this presentation inspires reverse engineers who are looking for a challenge to pick up MikroTik with an advanced understanding of system internals and supplemental tools. Finally, we believe this talk will greatly enhance the publicly available research on RouterOS and put MikroTik back into the public light.
Ian is a security researcher at Margin Research focused on exploit development and reverse engineering of embedded systems. A Construction Manager in a previous life, Ian now finds catharsis in deconstructing firmware and programs.
Harrison (@hgarrereyn) is a vulnerability researcher at Margin research and avid CTF player for DiceGang. He is interested in esoteric computation, reading control-flow graphs, and automated vulnerability discovery and he is an incoming PhD student at Carnegie Mellon University.