Help Me, Vulnerabilities. You're My Only Hope

Conference: DEF CON 27

The presentation discusses vulnerabilities in MikroTik routers and how to determine if they have been compromised.
  • MikroTik routers are popular networking devices used by enterprises and ISPs
  • The routers operate on RouterOS, which limits access to the file system and makes it difficult to determine if the router has been compromised
  • The presentation presents three vulnerabilities that can help MikroTik administrators break out of the sandbox and determine if the router has been exploited
  • The speaker also provides a brain dump of all the fun places attackers can hide in RouterOS
  • The presentation encourages researchers to explore other areas of MikroTik routers for potential vulnerabilities

The speaker introduces MikroTik routers and notes that they are used by enterprises and ISPs. He also mentions that MikroTik user meetings are a useful source of deployment details, since ISPs present there on their MikroTik-based networks.


MikroTik routers keep getting owned. They’ve been exploited by advanced threats like VPNFilter, Slingshot APT, and Trickbot. They’ve been compromised by coin miners, botnets, and who knows what else. With each new campaign the security industry publishes new indicators of compromise and everyone moves on. However, MikroTik administrators operate in a sandbox. They have very limited access to the router’s underlying file system and almost no ability to directly interact with the Linux operating system. Due to these limitations, file hashes cannot answer the fundamental question that is asked again and again on the MikroTik forums, “Have I been compromised?” It’s time the users had their question answered. In this talk, I’ll present three vulnerabilities that can help MikroTik administrators break out of the sandbox. I’ll show how to use these vulnerabilities to help determine if the router has been compromised.