Associated Vulnerability
Title: MikroTik RouterOS Security Vulnerability (CVE-2024-54772)
Description: An issue was discovered in the Winbox service of MikroTik RouterOS long-term release v6.43.13 through v6.49.13 and stable v6.43 through v7.17.2. A patch is available in the stable release v6.49.18. A discrepancy in response size between connection attempts made with a valid username and those with an invalid username allows attackers to enumerate for valid accounts.
Description
This repo contains the exploit for CVE-2024-54772, which can enumerate valid usernames on MikroTik routers running RouterOS.
Readme
# CVE-2024-54772 (MikroTik-RouterOS Username Enum)
This repo contains the exploit for **CVE-2024-54772**, which can enumerate valid usernames on MikroTik routers running RouterOS **v6.43** through **v7.17.1**.
**"mikrotik_routeros_username_enum.py"** Usage: `python3 mikrotik_routeros_username_enum.py <username> <target>`. The output states whether the username is valid or invalid.
**"mikrotik_routeros_username_enum_wordlist.py"** Usage: `python3 mikrotik_routeros_username_enum_wordlist.py <wordlist_path> <target1,target2,...>`. The output is the list of valid usernames for every router IP entered.
Please note that every username is sent in a separate TCP session, because RouterOS stops responding to requests sent after 3 tries in the same TCP session.
**Reference:** https://www.cve.org/CVERecord?id=CVE-2024-54772
## REPORT and PoC
I was able to spot this bug after I developed the Nmap service probe that can identify the WinBox service running on port 8291. After inspecting many responses of many routers ranging from version 6.43 through 7.17.1, I was able to notice the discrepancy in the response between valid and invalid usernames. The following will be the illustration:
### Vulnerability PoC
#### Using WinBox Client

The router that I have access to runs version 6.49.15. As we can see from the image, the valid users on the router are “prop” and “admin”. The IP of the router is x.x.96.50.

We will try to send a login request to the router with the username “any”.

The picture above is a representation of the packet with username “any”.

The response comes with 35 bytes.

Now, let us try a valid user, here “prop”.

The picture above is the representation for the packet with the username “prop”.

The response comes with 51 bytes. This shows that the username “prop” is valid.
Next, we will try to do this with Netcat on a router that I do not have access to. This router is running the current version of RouterOS, which is 7.16.1.
#### Using Netcat

We have a random target with IP x.x.239.7 running RouterOS version 7.16.1!

We will initiate a request with the user “any”.

The picture above is a representation of the packet sent by Netcat with the username “any”.

The response comes with 35 bytes.

Now let us try with one of the most common usernames, which is “admin”.

The picture above is a representation of the packet sent by Netcat with the username “admin”.

The response will be 51 bytes also!!
So, when the router responds with 35 bytes, the username is invalid. When it responds with 51 bytes, the username is valid.
Therefore, this security issue can be exploited through the WinBox client and in an automated fashion. It affects every RouterOS version, in both the long-term and the stable release trees, that supports the WinBox non-legacy authentication mode, including the current one: in the stable tree, from RouterOS version 6.43 up to the current release, 7.16.1, and in the long-term tree the current version, 6.49.13, is affected as well!
According to MITRE’s CWE database, the type of this weakness is called “CWE-204: Observable Response Discrepancy”.
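From the defender's side, the signal this PoC leaves behind is a burst of short TCP sessions to port 8291 from one source, because (as the README notes) every guessed username has to go in its own session. The script below is an added example, not code from the PoC repository or from MikroTik: it groups sessions to 8291 by source address over constructed connection-log lines, alerts when a source opens at least a threshold number of sessions inside a time window, and tallies how many responses matched the 35-byte (invalid) and 51-byte (valid) sizes observed in the report. The log format, addresses, threshold and window are assumptions; the response sizes are those seen on the versions tested above and may differ on other builds.

```python
"""Detect Winbox username-enumeration attempts from connection-log records.

Added example (not part of the PoC repository). It assumes a constructed
flow/connection-log format and uses the response sizes reported in the
write-up (35 bytes for an invalid username, 51 bytes for a valid one).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINBOX_PORT = 8291          # Winbox service port named in the report
INVALID_USER_RESP = 35      # response size the report observed for an invalid username
VALID_USER_RESP = 51        # response size the report observed for a valid username

# Constructed log format (assumption): one record per TCP session.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=tcp resp_bytes=(?P<resp>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "resp": int(m["resp"]),
    }


def detect_enumeration(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag source IPs that open >= threshold Winbox sessions within `window`.

    The PoC opens one TCP session per guessed username (the router stops
    answering after three attempts in a session), so a burst of short
    sessions to 8291 from one source is the signal worth alerting on.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != WINBOX_PORT:
            continue
        by_src[rec["src"]].append(rec)

    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        peak, start = 0, 0
        for end in range(len(recs)):           # sliding window over timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = {
                "sessions": len(recs),
                "peak_in_window": peak,
                "rejected": sum(r["resp"] == INVALID_USER_RESP for r in recs),
                "accepted": sum(r["resp"] == VALID_USER_RESP for r in recs),
            }
    return alerts


def build_sample_log():
    """Constructed sample: one noisy source, one normal admin, one unrelated flow."""
    base = datetime(2025, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "{ts} src={src} dst=192.0.2.1 dport={dport} proto=tcp resp_bytes={resp}"
    lines = []
    # 12 sessions in 22 seconds from 203.0.113.5; the 6th guess hits a valid name
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        resp = VALID_USER_RESP if i == 5 else INVALID_USER_RESP
        lines.append(fmt.format(ts=ts, src="203.0.113.5", dport=WINBOX_PORT, resp=resp))
    # two legitimate logins an hour apart from 198.51.100.7
    for h in (1, 2):
        ts = (base + timedelta(hours=h)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(fmt.format(ts=ts, src="198.51.100.7", dport=WINBOX_PORT, resp=VALID_USER_RESP))
    # unrelated HTTPS session that must be ignored
    lines.append(fmt.format(ts="2025-01-01T10:00:05Z", src="203.0.113.5", dport=443, resp=1200))
    return lines


if __name__ == "__main__":
    for src, info in detect_enumeration(build_sample_log()).items():
        print(f"ALERT {src}: {info}")
```

Run as-is it reports the noisy source with 12 sessions, 11 rejected and 1 accepted, and stays quiet about the admin who logged in twice an hour apart. The "accepted" count is the useful triage detail: a burst with at least one 51-byte response means the enumeration found a real account name on an unpatched build, and that account's credentials deserve a closer look.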
File Snapshot
[4.0K] /data/pocs/c1e9844f574b80ca18e65f38cae8fb1c1d180b2f
├── [1.3K] mikrotik_routeros_username_enum.py
├── [2.9K] mikrotik_routeros_username_enum_wordlist.py
└── [4.4K] README.md
0 directories, 3 files