Hotspot security question

Posted: Wed Sep 07, 2011 9:11 am
by nicopretorius
One of our roaming partners raised a concern regarding the security of our hotspot implementation based on the following articles.

http://www.irongeek.com/i.php?page=secu ... rf-example
http://www.gnucitizen.org/blog/persiste ... r-wag54gs/

Is the concern valid that similar "malicious commands" can be issued to ROS via the hotspot service? I don't believe it is, but it will be good to get an answer from MT why similar commands will not be a threat to ROS.

Thank you,

Nico

Re: Hotspot security question

Posted: Wed Sep 07, 2011 4:25 pm
by Chupaka
disable Web service - you won't be able to manage router via web interface at all =)

Re: Hotspot security question

Posted: Wed Sep 07, 2011 5:46 pm
by nicopretorius
Thanks, I already have it disabled. The concern was specific to the hotspot "web service".

Re: Hotspot security question

Posted: Wed Sep 07, 2011 5:54 pm
by fewi
http://wiki.mikrotik.com/wiki/Manual:Cu ... able_Pages
That's a list of all the available Hotspot servlets, together with all the parameters they take.

Can those be exploited? Maybe. Only a code review would show. But the parameters that CAN be passed in are fairly harmless. The links you posted focus on exploits of a full administrative interface to the routers in question, which the Hotspot servlets don't provide. From that list the Hotspot servlets wouldn't need any write capabilities to anything administrative outside of themselves. A slightly bigger worry might be RADIUS attributes passed back on login that cause the creation of queues etc.

Re: Hotspot security question

Posted: Wed Sep 07, 2011 6:02 pm
by nicopretorius
Thanks for the feedback. This confirms my understanding.

Re: Hotspot security question

Posted: Wed Sep 07, 2011 8:01 pm
by Chupaka
yep, with Hotspot you cannot reboot the router =)

Re: Hotspot security question

Posted: Wed Sep 07, 2011 8:40 pm
by CCDKP
Those exploits are based on a parsing error with DD-WRT. The web service does not escape data prior to parsing, so the CGI-bin folder will blindly accept shell commands as long as you prepend a ; before it. RouterOS does not use this CGI-bin system. Also, all the web-based administrative functions for webmin are encoded and passed as parameters through Jproxy, which properly checks for user credentials prior to parsing anything.

MikroTik did a very nice job in hardening their web interface. As long as the web service is disabled, you should be just fine.
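
The parsing flaw described in the last reply (form data reaching a shell unescaped, so a `;` starts a second command), shown beside two fixes. This is an added example, not part of the thread and not DD-WRT or RouterOS code; `echo` stands in for the real diagnostic command, and the function names and the sample field are constructed for illustration.

```python
import re
import subprocess

# Constructed input: a "hostname" form field carrying a shell separator.
HOSTILE_FIELD = "example.test; echo INJECTED"

# Allow-list for hostnames: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def run_via_shell(field):
    """'Before' handler: the field is concatenated into a shell command line,
    so the shell treats everything after ';' as a second command."""
    result = subprocess.run("echo lookup " + field, shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


def run_via_argv(field):
    """Hardened handler: no shell is involved; the field is one argv element
    and ';' is just a character inside that argument."""
    result = subprocess.run(["echo", "lookup", field],
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


def is_valid_hostname(field):
    """Second layer: reject anything that is not a plain hostname before use."""
    return HOSTNAME_RE.fullmatch(field) is not None


if __name__ == "__main__":
    print("shell :", run_via_shell(HOSTILE_FIELD))   # two commands ran
    print("argv  :", run_via_argv(HOSTILE_FIELD))    # one command, literal text
    print("valid :", is_valid_hostname(HOSTILE_FIELD))
```
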