Nine Years of Overlooked MikroTik Pre-Authentication Remote Code Execution Vulnerabilities

Explore a detailed security research presentation from DEF CON 31 that uncovers critical vulnerabilities in MikroTik's RouterOS, focusing on a pre-authentication Remote Code Execution (RCE) vulnerability that remained undiscovered for nine years. Learn about the overlooked attack surfaces in RouterOS's architecture, particularly the socket callback and remote object mechanisms that affect over 3 million deployed devices. Discover the methodology used to identify these security flaws, understand the vulnerability patterns, and gain insights into the complex lower-layer objects of Nova Binary implementation. Benefit from shared open-source tools and research approaches that make RouterOS security analysis more accessible, presented by DEVCORE security researcher and Pwn2Own Toronto 2022 "Master of Pwn" winner, Ting-Yu Chen (NiNi).