Pulling MikroTik into the Limelight presentation deck as presented at RECon Montreal 2022 by Ian Dupont and Harrison Green.
In the wide expanse of router manufacturers and models, there is one reverse engineering target that stands out from the rest: MikroTik. Unlike many routers which run a patchwork of services that vary widely across models and firmware versions, MikroTik maintains a uniform, standardized operating system, RouterOS, which runs across all router models. Customized internal frameworks and proprietary communication protocols offer a challenging, but interesting, reverse engineering landscape. However, the reliance on complex, proprietary infrastructure and the lack of easy access to the core system imposes a high barrier to entry for new reverse engineers. As a result, MikroTik security research has largely remained in obscurity. Until now…
In this talk, we take an exciting adventure into the depths of MikroTik firmware, revealing new insights with RouterOS’s unique IPC protocol, proprietary message format, and custom cryptographic protocols. We also released a new RouterOS remote jailbreak, the first in three years, which should help accelerate new and ongoing research efforts. Our goal by the end of the talk is to bring an interested reverse engineer from zero knowledge to a working understanding of RouterOS internals and put MikroTik security research back into the limelight.
We provide a comprehensive system overview of RouterOS internals, enhanced by technical demonstrations to reinforce key concepts. We’ll start with an executive summary of MikroTik and RouterOS, introducing the user-facing management systems and providing a concise history of previous security research. We briefly introduce some previously disclosed vulnerabilities used to create MikroTik botnets and jailbreak devices.
Next, we take a bird’s eye view of the whole RouterOS system. We describe the RouterOS boot process and explore how signed packages are verified during boot and unpacked (and how to patch the kernel to bypass package validation and side-load our own binaries). We then peek at the userspace filesystem layout and explore how processes are started via system configuration files.
With this baseline understanding of RouterOS, we dive into its proprietary interprocess communication (IPC) protocol and describe how programs can send messages to each other in a highly abstracted (and hilariously router-inspired) way. We explore how these processes live in namespaces and can register handlers to perform operation-specific functionality such as a centralized authorization protocol or dynamic namespace allocation at runtime to manage user-side Javascript sessions in the web interface. Next, we describe the technical details of how each process partitions roles and responsibilities between individual handlers and how handlers validate message permissions prior to processing. To demonstrate this understanding, we develop our own binary running on RouterOS, capable of communicating natively with existing system processes. We also demonstrate a tool used to analyze and mutate system messages in real time to observe the router’s internal communication flow.
Applying this understanding of RouterOS IPC, we explore some highly-obfuscated, and highly suspicious, hand-rolled cryptography in the user authentication flows. We thoroughly describe the reverse-engineered math and discuss possible (dubious) origins and implications. We demonstrate a tool capable of accurately reproducing the customized elliptic curve cryptography calculations as performed by RouterOS and we use this tool to restore functionality to long-broken user-creating tooling that interfaces with the MAC Telnet and Winbox protocols.
Finally, we release a new RouterOS remote jailbreak that utilizes two chained vulnerabilities: an admin to system level privilege escalation and a vulnerable handler in the www application. We describe the path to finding these vulnerabilities (including some humorous attempts at anti-debug) and we release a script capable of jailbreaking any RouterOS v6.x.x (current long-term release channel). This jailbreak is the first publicly available jailbreak for MikroTik devices since 2019.
Attendees walk away from this talk with a detailed, top-down understanding of RouterOS internal systems that is reinforced through graphical demonstration and walkthroughs. We hope this presentation inspires reverse engineers who are looking for a challenge to pick up MikroTik with an advanced understanding of system internals and supplemental tools. Finally, we believe this talk greatly enhances the publicly available research on RouterOS and puts MikroTik back into the public light.