On April 23rd 2018, Mikrotik fixed a vulnerability “that allowed gaining access to an unsecured router”. myself and @yalpanian of @BASUCERT (part of IR CERT) reverse engineering lab tried to figure out what exactly got fixed, what was the problem in the first place and how severe was the impact of it. UPDATE: full PoC is now available on Github. UPDATE: CVE-2018-14847 has been assigned to this vulnerability and there should be a MetaSploit module related to this bug soon.
What, Why, and Where? What is it exactly? Dynamic Binary Analysis (DBA) is a technique to analyze the behavior of a binary by somehow running it and watch its behavior. Obviously it’s the opposite of Static Binary Analysis in which you disassemble a piece of code and draw the graph of the entire program to see what it does. Why not Static? well, it’s actually better if you have a small binary or a binary written in a friendly programming language.
It’s actually called SO_REUSEPORT Kernel 3.9 introduced a new cool feature in SOCKET interface called SO_REUSEPORT. So what is it? As the official documentation says, it allows multiple AF_INET or AF_INET6 sockets to be bound to an identical socket address. before binding a socket to an interface, each one should have this option enabled. This way, mutiple processes can listen on the same port at the same time! How Can This Possibly Be Secure?