Hangs indefinitely on unknown user

Question

Hangs indefinitely on unknown user

merlinthemagic opened this issue 2 years ago · 7 comments

MAC Telnet version: master December 22, 2022
Operating system and architecture: ubuntu 22.10 / arm64
Issue Hangs indefinitely on unknown username
Target: RouterOS 7.6 / arm
Log

Bash (Logging in with account that does NOT exist):
mactelnet -A dc:2c:6e:02:01:00
Login: userThatDoesNotExist
Password: anySecret

Output: Invalid salt length: 33 (instead of 16 or 49) received from server dc:2c:6e:02:01:00
Result: Process hangs and never exits

Bash:
mactelnet -A dc:2c:6e:02:01:00
Login: userThatDoesExist
Password: wrongSecret

Output: Login failed, incorrect username or password
Result: bash received a SIGCHLD and exits

Notes

Clearly RouterOS has a problem here and is leaking information regarding user accounts, but MacTelnet should still exit.

Answer 1 · 2022-12-23T01:28:20.000Z

Opened SUP-101713 with Mikrotik to resolve.

Answer 2 · 2022-12-23T04:09:37.000Z

Why do you mean it is leaking information?

Answer 3 · 2022-12-23T15:43:43.000Z

@haakonnessjoen the RouterOS Mac-Telnet server is informing an unauthenticated user if an account exists on the system or not.

Account does not exist on the system:

Account exists, but invalid password:

Login with "valid account + invalid password" should be indistinguishable from "invalid account + password". The issue is that the payload size differs depending on if the account exists or not, it should always be 49 bytes.

Mikrotik Sergejs ack the issue and wil fix in upcoming release, but given the multitude of devices that will run RouterOS <7.6 for years to come, this client implementation should still handle the exception.

Answer 4 · 2022-12-23T16:39:17.000Z

Ah yes, I did not see that you wrote "UserThatDoesExist" vs "UserThatDoesNotExist". So I was confused by the issue reported. Sorry about that, and I agree with you. Please update when you get a response from them. PS. I am glad you have good use of the wireshark mactelnet plugin I also wrote 12 years ago. :D Wow time flies...

Answer 5 · 2022-12-23T18:33:29.000Z

@haakonnessjoen I edited the initial report to emphasize how to reproduce the issue, you are right it was easy to miss the username differed.

The wireshark plugin makes life so much easier :)

Ill update when MT reports back. In the mean time, i submitted a pull request based on my shaky C skills.

Mange Tak :)

Answer 6 · 2022-12-23T18:39:49.000Z

The wireshark plugin makes life so much easier :)

😳😳😳 What did I miss??? Clemens

Answer 7 · 2024-04-06T21:46:33.000Z

This is now fixed in master