The RouterOS web interface is implemented by the /nova/bin/For example, the jsproxy.p servlet handles requests to /jsproxy and the winbox.p servlet handles requests to /winbox, etc. ![]() ![]() In the following demo, you can see all of the messages exchanged as we paginate through the web interface: notify processes when a client has disconnectsĭuring our reverse engineering efforts, we wrote an internal message tracer tool that allows us to visualize all of the messages exchanged during operation of the router.send frequent updates about process state (e.g.update/retrieve configuration parameters.IPC communication is a crucial part of RouterOS operation. These exist in a pseudo-JSON format (pre 6.38) and a serialized binary format:Įach process has a fixed address inside the RouterOS system for example /nova/bin/user is at address 13 and /nova/bin/For example, /nova/bin/user has a handler at address 4 that acts as the "login" endpoint and performs authentication for other services: ![]() The actual data packets are Nova Messages ( nv::message internally). Inside MikroTik's RouterOS, programs communicate with eachother using a custom IPC protocol. Definitely check that out for more details! RouterOS IPC Note: this section is mostly an abbreviated version of our full blog post. In this section we go over some background knowledge about RouterOS IPC and discuss the two vulnerabilities. f /path/to/nova/bin/www How does it work?įOISted leverages two vulnerabilities in RouterOS v6 to enable remote code execution.
0 Comments
Leave a Reply. |