<div dir="ltr">I am very glad I rolled my own instead of buying one of theirs.</div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 16, 2017 at 8:51 AM, Joey Kelly <span dir="ltr"><<a href="mailto:joey@joeykelly.net" target="_blank">joey@joeykelly.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">This is crazy. Please tell me this is all EOL gear. The third paragraph<br>
tells the tale.<br>
<br>
--Joey<br>
<br>
---------------------------- Original Message ----------------------------<br>
Subject: [FD] SEC Consult SA-20170316-0 :: Authenticated command injection<br>
in multiple Ubiquiti Networks products<br>
From: "SEC Consult Vulnerability Lab" <<a href="mailto:research@sec-consult.com">research@sec-consult.com</a>><br>
Date: Thu, March 16, 2017 11:35 am<br>
To: <a href="mailto:bugtraq@securityfocus.com">bugtraq@securityfocus.com</a><br>
<a href="mailto:fulldisclosure@seclists.org">fulldisclosure@seclists.org</a><br>
------------------------------<wbr>------------------------------<wbr>--------------<br>
<br>
SEC Consult Vulnerability Lab Security Advisory < 20170316-0 ><br>
==============================<wbr>==============================<wbr>===========<br>
title: Authenticated Command Injection<br>
product: Multiple Ubiquiti Networks products, e.g.<br>
TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16,<br>
AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M,<br>
AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti,<br>
BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5,<br>
locoM9, M2, M3, M365, M5, M900, NB-2G18, NB-5G22,<br>
NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365,<br>
NSM5, PBM10, PBM3, PBM365, PBM5, PICOM2HP,<br>
Power AP N<br>
vulnerable version: v1.3.3 (SW), v5.6.9/v6.0 (XM)<br>
fixed version: -<br>
CVE number: -<br>
impact: Critical<br>
homepage: <a href="https://www.ubnt.com" rel="noreferrer" target="_blank">https://www.ubnt.com</a><br>
found: 2016-11-22<br>
by: T. Weber (Office Vienna)<br>
SEC Consult Vulnerability Lab<br>
<br>
An integrated part of SEC Consult<br>
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow<br>
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius -<br>
Zurich<br>
<br>
<a href="https://www.sec-consult.com" rel="noreferrer" target="_blank">https://www.sec-consult.com</a><br>
<br>
==============================<wbr>==============================<wbr>===========<br>
<br>
Vendor description:<br>
-------------------<br>
"Ubiquiti Networks develops high-performance networking<br>
technology for service providers and enterprises. Our technology<br>
platforms focus on delivering highly advanced and easily deployable<br>
solutions that appeal to a global customer base in underserved and<br>
underpenetrated markets."<br>
<br>
Source: <a href="http://ir.ubnt.com/" rel="noreferrer" target="_blank">http://ir.ubnt.com/</a><br>
<br>
<br>
Business recommendation:<br>
------------------------<br>
SEC Consult recommends not to use this product in a production environment<br>
until a thorough security review has been performed by security<br>
professionals and all identified issues have been resolved.<br>
<br>
<br>
Vulnerability overview/description:<br>
------------------------------<wbr>-----<br>
1) Command Injection in Admin Interface<br>
A command injection vulnerability was found in "pingtest_action.cgi".<br>
This script is vulnerable since it is possible to inject a value of a<br>
variable. One of the reasons for this behaviour is the used PHP version<br>
(PHP/FI 2.0.1 from 1997).<br>
<br>
The vulnerability can be exploited by luring an attacked user to click<br>
on a crafted link or just surf on a malicious website. The whole attack<br>
can be performed via a single GET-request and is very simple since there<br>
is no CSRF protection. See our other advisory published in January 2017:<br>
<a href="https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170130-0_Ubiquiti_Networks_XSS_CSRF_v10.txt" rel="noreferrer" target="_blank">https://www.sec-consult.com/<wbr>fxdata/seccons/prod/temedia/<wbr>advisories_txt/20170130-0_<wbr>Ubiquiti_Networks_XSS_CSRF_<wbr>v10.txt</a><br>
<br>
An attacker can open a port binding or reverse shell to connect to the<br>
device and is also able to change the "passwd" since the web service<br>
runs with root privileges!<br>
<br>
Furthermore, low privileged read-only users, which can be created in the web<br>
interface, are also able to perform this attack.<br>
<br>
If the Ubiquiti device acts as router or even as firewall, the attacker<br>
can take over the whole network by exploiting this vulnerability.<br>
<br>
<br>
Proof of concept:<br>
-----------------<br>
1) Command Injection in Admin Interface<br>
The following link can be used to open a reverse shell to the attacker's<br>
IP address. There are two possibilities for the different firmware<br>
versions.<br>
Reverse root shell - firmware: v1.3.3 (SW)<br>
[ PoC removed - no patch available ]<br>
<br>
Reverse root shell - firmware: v5.6.9/v6.0 (XM)<br>
[ PoC removed - no patch available ]<br>
<br>
A video is available here: <a href="https://youtu.be/oU8GNeP_Aps" rel="noreferrer" target="_blank">https://youtu.be/oU8GNeP_Aps</a><br>
<br>
<br>
Vulnerable / tested versions:<br>
-----------------------------<br>
The following devices and firmware versions have been tested/verified:<br>
TS-8-PRO - v1.3.3 (SW)<br>
(Rocket) M5 - v5.6.9/v6.0 (XM)<br>
(PicoStationM2HP) PICOM2HP - v5.6.9/v6.0 (XM)<br>
(NanoStationM5) NSM5 - v5.6.9/v6.0 (XM)<br>
<br>
Based on information embedded in the firmware of other Ubiquiti products<br>
gathered from our IoT Inspector tool we believe the following devices are<br>
affected as well:<br>
<br>
Ubiquiti Networks AF24 (Version: AF24 v3.2)<br>
Ubiquiti Networks AF24HD (Version: AF24 v3.2)<br>
Ubiquiti Networks AF-2X (Version: AF2X v3.2 )<br>
Ubiquiti Networks AF-3X (Version: AF3X v3.2)<br>
Ubiquiti Networks AF5 (Version: AF5 v3.2)<br>
Ubiquiti Networks AF5U (Version: AF5 v3.2)<br>
Ubiquiti Networks AF-5X (Version: AF5X v3.2.1)<br>
Ubiquiti Networks AG-PRO-INS (Version: AirGWP v1.1.7)<br>
Ubiquiti Networks airGateway (Version: AirGW v1.1.7)<br>
Ubiquiti Networks airGateway-LR (Version: AirGW v1.1.7)<br>
Ubiquiti Networks AMG-PRO (Version: AirGWP v1.1.7)<br>
Ubiquiti Networks LBE-5AC-16-120 (Version: WA v7.2.4)<br>
Ubiquiti Networks LBE-5AC-23 (Version: WA v7.2.4)<br>
Ubiquiti Networks LBE-M5-23 (Version: XW v5.6.9/v6.0)<br>
Ubiquiti Networks NBE-5AC-16 (Version: WA v7.2.4)<br>
Ubiquiti Networks NBE-5AC-19 (Version: XC v7.2.4)<br>
Ubiquiti Networks NBE-M2-13 (Version: XW v5.6.9/v6.0)<br>
Ubiquiti Networks NBE-M5-16 (Version: XW v5.6.9/v6.0)<br>
Ubiquiti Networks NBE-M5-19 (Version: XW v5.6.9/v6.0)<br>
Ubiquiti Networks PBE-5AC-300 (Version: XC v7.2.4)<br>
Ubiquiti Networks PBE-5AC-300-ISO (Version: XC v7.2.4)<br>
Ubiquiti Networks PBE-5AC-400 (Version: XC v7.2.4)<br>
Ubiquiti Networks PBE-5AC-400-ISO (Version: XC v7.2.4)<br>
Ubiquiti Networks PBE-5AC-500 (Version: XC v7.2.4)<br>
Ubiquiti Networks PBE-5AC-500-ISO (Version: XC v7.2.4)<br>
Ubiquiti Networks PBE-5AC-620 (Version: XC v7.2.4)<br>
Ubiquiti Networks PBE-M2-400 (Version: XW v5.6.9/v6.0)<br>
Ubiquiti Networks PBE-M5-300 (Version: XW v5.6.9/v6.0)<br>
Ubiquiti Networks PBE-M5-300-ISO (Version: XW v5.6.9/v6.0)<br>
Ubiquiti Networks PBE-M5-400 (Version: XW v5.6.9/v6.0)<br>
Ubiquiti Networks PBE-M5-400-ISO (Version: XW v5.6.9/v6.0)<br>
Ubiquiti Networks PBE-M5-620 (Version: XW v5.6.9/v6.0)<br>
Ubiquiti Networks R5AC-Lite (Version: XC v7.2.4)<br>
Ubiquiti Networks R5AC-PRISM (Version: XC v7.2.4)<br>
Ubiquiti Networks R5AC-PTMP (Version: XC v7.2.4)<br>
Ubiquiti Networks R5AC-PTP (Version: XC v7.2.4)<br>
Ubiquiti Networks RM2-Ti (Version: XW v5.6.9/v6.0)<br>
Ubiquiti Networks RM5-Ti (Version: XW v5.6.9/v6.0)<br>
<br>
<br>
Vendor contact timeline:<br>
------------------------<br>
2016-11-22: Contacting vendor via HackerOne<br>
2016-11-22: Vendor marks it as duplicate to: #143447<br>
2016-11-23: Asking the vendor for a patch.<br>
2016-11-25: Vendor responds that #143447 should be fixed for next stable<br>
release.<br>
2016-11-25: Asking for an estimated time frame for a fix of the<br>
vulnerability.<br>
2016-11-25: Vendor can not give a precise date.<br>
2017-01-10: Asking the vendor for a patch and defined release of the<br>
advisory for 2017-01-16 (concerning the SEC Consult<br>
disclosure policy). Shifted the deadline to 2017-01-30<br>
due to Christmas holidays; No answer.<br>
2017-01-17: Asked for an update.<br>
2017-01-17: Vendor excuses for the delay and responds that they got a<br>
similar report but our PoC does not work.<br>
2017-01-18: Explained PoC again<br>
2017-01-19: Vendor responds that they received a similar report and<br>
assumed a duplication. They state that our PoC never worked<br>
and did not make any sense.<br>
2017-01-20: Uploaded a video which shows a live command injection at an<br>
up-to-date (v6.0) device and posted an assumed reason why<br>
it's possible to exploit<br>
2017-01-21: Vendor responds that they were able to reproduce it now. They<br>
also posted the real cause.<br>
2017-01-24: Asking whether the vulnerability is a duplicate to #143447.<br>
2017-01-24: Vendor responds that it is no duplicate and that this<br>
issue will be fixed as soon as possible.<br>
2017-02-03: Asking for a status update; No answer.<br>
2017-02-21: Asking for a status update; No answer.<br>
2017-03-01: Informing the vendor that the release of the advisory is set to<br>
2017-03-16; No answer.<br>
2017-03-16: Public advisory release<br>
<br>
<br>
Solution:<br>
---------<br>
There is no fix available from the vendor.<br>
<br>
<br>
Workaround:<br>
-----------<br>
Restrict user and network access.<br>
<br>
<br>
Advisory URL:<br>
-------------<br>
<a href="https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm" rel="noreferrer" target="_blank">https://www.sec-consult.com/<wbr>en/Vulnerability-Lab/<wbr>Advisories.htm</a><br>
<br>
<br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<wbr>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<wbr>~~~~~~~~~~~<br>
<br>
SEC Consult Vulnerability Lab<br>
<br>
SEC Consult<br>
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow<br>
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich<br>
<br>
About SEC Consult Vulnerability Lab<br>
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It<br>
ensures the continued knowledge gain of SEC Consult in the field of network<br>
and application security to stay ahead of the attacker. The SEC Consult<br>
Vulnerability Lab supports high-quality penetration testing and the<br>
evaluation<br>
of new offensive and defensive technologies for our customers. Hence our<br>
customers obtain the most current information about vulnerabilities and valid<br>
recommendation about the risk profile of new technologies.<br>
<br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<wbr>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<wbr>~~~~~~~~~~~<br>
Interested to work with the experts of SEC Consult?<br>
Send us your application <a href="https://www.sec-consult.com/en/Career.htm" rel="noreferrer" target="_blank">https://www.sec-consult.com/<wbr>en/Career.htm</a><br>
<br>
Interested in improving your cyber security with the experts of SEC Consult?<br>
Contact our local offices <a href="https://www.sec-consult.com/en/About/Contact.htm" rel="noreferrer" target="_blank">https://www.sec-consult.com/<wbr>en/About/Contact.htm</a><br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<wbr>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<wbr>~~~~~~~~~~~<br>
<br>
Mail: research at sec-consult dot com<br>
Web: <a href="https://www.sec-consult.com" rel="noreferrer" target="_blank">https://www.sec-consult.com</a><br>
Blog: <a href="http://blog.sec-consult.com" rel="noreferrer" target="_blank">http://blog.sec-consult.com</a><br>
Twitter: <a href="https://twitter.com/sec_consult" rel="noreferrer" target="_blank">https://twitter.com/sec_<wbr>consult</a><br>
<br>
EOF T. Weber / @2017<br>
<br>
<br>
______________________________<wbr>_________________<br>
Sent through the Full Disclosure mailing list<br>
<a href="https://nmap.org/mailman/listinfo/fulldisclosure" rel="noreferrer" target="_blank">https://nmap.org/mailman/<wbr>listinfo/fulldisclosure</a><br>
Web Archives & RSS: <a href="http://seclists.org/fulldisclosure/" rel="noreferrer" target="_blank">http://seclists.org/<wbr>fulldisclosure/</a><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Joey Kelly<br>
Minister of the Gospel and Linux Consultant<br>
<a href="http://joeykelly.net" rel="noreferrer" target="_blank">http://joeykelly.net</a><br>
<a href="tel:504-239-6550" value="+15042396550">504-239-6550</a><br>
______________________________<wbr>_________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/<wbr>listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/<wbr>listinfo</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">James Sumners<br><a href="http://james.sumners.info/" target="_blank">http://james.sumners.info/</a> (technical profile)<br><a href="http://jrfom.com/" target="_blank">http://jrfom.com/</a> (personal site)<br><a href="http://haplo.bandcamp.com/" target="_blank">http://haplo.bandcamp.com/</a> (music)</div>
</div>