Explore the intricacies of bug hunting in RouterOS with Jacob Baines in this 42-minute conference talk from Derbycon 2018. Delve into the world of RouterOS, examining its release trees and previous research. Uncover developer backdoors in long-term releases and learn techniques for creating backdoors in version 6.42 and beyond. Investigate JSProxy key negotiation, offline brute forcing, and PCAP decryption. Gain insights into the JSON protocol description, system number mapping, and the transition to binary message formats. Understand the significance of the message protocol in WinBox and its implications. Examine real-world vulnerabilities, including CVE-2018-1156 and CVE-2018-14847, while discovering the importance of policy discovery in RouterOS security.
Overview
Syllabus
Intro
What is RouterOS?
RouterOS Release Trees
Previous Research
Developer Backdoor: Long Term Release
Creating a Backdoor (6.42+)
JSProxy Key Negotiation
Offline Brute Forcing
PCAP Decryption
JSON Protocol Description
System Number Mapping
Switch to Binary
Message Binary Format
WinBox Uses the Binary Message Protocol
Importance of the Message Protocol
CVE-2018-1156
Policy Discovery
CVE-2018-14847
By the way
