Specifically, we found a message that was being sent from the Additionally, we noticed that two of the arguments seemed to be virtual pointers (32-bit x86) which piqued our interest because it was very unusual. These servlets are libraries that get loaded into /nova/bin/library will get loaded into the memory space.ĭuring this library loading process, we noticed some interesting traffic in the message tracer: The RouterOS web interface is implemented by the /nova/bin/For example, the jsproxy.p servlet handles requests to /jsproxy and the winbox.p servlet handles requests to /winbox, etc. In the following demo, you can see all of the messages exchanged as we paginate through the web interface:
IPC communication is a crucial part of RouterOS operation. These exist in a pseudo-JSON format (pre 6.38) and a serialized binary format:Įach process has a fixed address inside the RouterOS system for example /nova/bin/user is at address 13 and /nova/bin/For example, /nova/bin/user has a handler at address 4 that acts as the "login" endpoint and performs authentication for other services:
The actual data packets are Nova Messages ( nv::message internally). Inside MikroTik's RouterOS, programs communicate with eachother using a custom IPC protocol.
Definitely check that out for more details! RouterOS IPC Note: this section is mostly an abbreviated version of our full blog post. In this section we go over some background knowledge about RouterOS IPC and discuss the two vulnerabilities. f /path/to/nova/bin/www How does it work?įOISted leverages two vulnerabilities in RouterOS v6 to enable remote code execution.
0 kommentar(er)
