:: Deepquest ::

An exploitable arbitrary file creation weakness has been identified in Mikrotik RouterOS that can be leveraged by a malicious attacker to exploit all known versions of Mikrotik RouterOS. The RouterOS contains a telnet client based on GNU inetutils with modifications to remove shell subsystem. However an attacker can leverage the “set tracefile” option to write an arbitrary file into any “rw” area of the filesystem, escaping the restricted shell to gain access to a “ash” busybox shell on some versions. The file is created with root privileges regardless of the RouterOS defined group.