RouterOS: User with just “ftp” policy can create or overwrite arbitrary .rsc files via the /export command [CVE-2021-27221]

I think I found a security issue in RouterOS from the Mikrotik company. I reported it as SUP-41598 on 2021-02-15. After a bit of arrogant communication I decided to create CVE-2021-27221 and publish it after a 1 month waiting period. Mikrotik considers this a “feature” and closed the ticket as a “feature request”. Long-term 6.47.9 and stable 6.48.1 versions are affected.
I consider this misbehaviour. Just copy and paste the same reply…

According to RouterOS documentation:
- ftp — policy that grants full rights to log in remotely via FTP, to read/write/erase files and to transfer files from/to the router. Should be used together with read/write policies.
- read — policy that grants read access to the router’s configuration. All console commands that do not alter the router’s configuration are allowed. Doesn’t affect FTP.
- write — policy that grants write access to the router’s configuration, except for user management. This policy does not allow reading the configuration, so make sure to enable the read policy as well.
The filesystem (/file) is part of the router’s configuration, because it contains, for example, skins, the hotspot page, etc.
ftp should be used together with the read/write policies. The word is “should”, not “must”, so let’s look at the commands and how they check policies.
Without the read policy, the /export command doesn’t allow reading the configuration. That’s correct.
With ftp+ssh policies but without the read policy, it’s not possible to read from the internal filesystem over SCP. The same holds for ftp+web and WebFig. Again, that’s correct.
With ftp+ssh policies but without the write policy, it’s not possible to write (create, overwrite, erase) to the internal filesystem over SCP. The same holds for ftp+web and WebFig. Correct.
So it looks like the ftp policy without the read or write policy is harmless, right?
The /export command with the “file” parameter doesn’t check the write policy and allows you to write to the filesystem even without it. This is the only command in RouterOS that allows writing to the filesystem without the write policy; SCP, WebFig, etc. always require it.
Users with the ftp policy but without the write policy can call:
/export file=<filename>
which creates <filename>.rsc and, if that file already exists, overwrites it.
So users without write policy could:
- overwrite existing files (but only with .rsc suffix)
- fill the filesystem (calling /export file=<random> in a loop)
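An audit check for this gap, added here as an example and not part of the original post: it parses the text of `/user group export` from a RouterOS 6.x device and flags every group granted ftp without write, the combination that could reach `/export file=` before the fix. The `add name=... policy=...` line format and the sample export are assumptions constructed for this example.

```python
"""Flag RouterOS user groups that hold ftp but not write.

Assumption (not from the original post): input is the output of
'/user group export', one 'add name=... policy=...' line per group,
where '!x' entries denote denied policies.
"""
import re
from typing import Dict, List, Set

# Constructed sample of '/user group export' output (not captured from a real router).
SAMPLE_EXPORT = """\
/user group
add name=noc policy=ssh,ftp,read,!local,!telnet,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp
add name=ops policy=ssh,ftp,read,write,!local,!telnet,!reboot,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp
add name=viewer policy=ssh,read,!ftp,!write,!local,!telnet,!reboot,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp
"""

ADD_LINE = re.compile(r"^add\s+(?P<kv>.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_groups(export_text: str) -> Dict[str, Set[str]]:
    """Map group name -> set of granted policies (denied '!x' entries are dropped)."""
    groups: Dict[str, Set[str]] = {}
    for line in export_text.splitlines():
        m = ADD_LINE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV.findall(m.group("kv"))}
        name = fields.get("name")
        if not name:
            continue
        policies = fields.get("policy", "").split(",")
        groups[name] = {p for p in policies if p and not p.startswith("!")}
    return groups


def ftp_without_write(groups: Dict[str, Set[str]]) -> List[str]:
    """Groups that, on RouterOS before 6.49beta22, can write .rsc files via /export file=."""
    return sorted(n for n, pol in groups.items() if "ftp" in pol and "write" not in pol)


if __name__ == "__main__":
    for g in ftp_without_write(parse_groups(SAMPLE_EXPORT)):
        print(f"group {g!r}: ftp granted without write; drop ftp or upgrade to 6.49beta22+")
```

Run it against a saved export from each router; a flagged group is one to remove ftp from (or upgrade the router) if the group is meant to be read-only.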
A typical situation is accounts with just, for example, the ssh + ftp + read policies for junior network admins or NOC staff. You think these accounts can only transfer data from the Mikrotik and read the configuration, so you treat them as read-only accounts, right?
Nope: such an account can fill your filesystem and hypothetically crash RouterOS.
This is again a bad example of how badly Mikrotik handles security issues. Do you remember CVE-2018-19298? Not a security issue? After 1 year it is.
UPDATE 2021-03-19:
Mikrotik fixed this in version 6.49beta22:
What’s new in 6.49beta22 (2021-Mar-08 09:07):
*) console — require “write+ftp” permissions for executing script to file;
*) console — require “write+ftp” permissions for exporting configuration to file;
*) console — require “write+ftp” permissions for printing to file;