Full Disclosure mailing list archives

Re: Critical Vulnerability in Ubiquiti UniFi


From: Carlos Silva <r3pek () r3pek org>
Date: Tue, 11 Oct 2016 21:00:01 +0100

AFAIK, that's actually the Unifi Controller, but that's "web based" as in,
you access it via a browser (I use the same on my Unifi setup). So, I still
can't see, nor understand, how to exploit said vulnerability unless you
already have a local account on the controller.

On Tue, Oct 4, 2016 at 11:10 PM, Rob Thomas <rthomas () sangoma com> wrote:

The impression I get from Tim Pham's emails is that the 'Unify Manager' is
doing some behind-the-scenes tunnelling, and bringing the Mongo interface
from the server to the client (Eg, Mac or Windows device) and you are then
able to connect to localhost (on the client) which tunnels through to the
server.

However, after much searching, I am unable to locate this application.
Googling insinuates that it is this (unreleased) software -
https://www.ubnt.com/enterprise/software/

--Rob Thomas
Information Security, Sangoma Corporation


-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-bounces () seclists org] On
Behalf Of Gregory Sloop
Sent: Wednesday, 5 October 2016 1:54 AM
To: Tim Schughart <t.schughart () prosec-networks com>;
fulldisclosure () seclists org; bugtraq () securityfocus com;
webappsec () securityfocus com
Cc: Khanh Quoc. Pham <k.pham () prosec-networks com>
Subject: Re: [FD] Critical Vulnerability in Ubiquiti UniFi

I attempted private contact with Tim Pham and via email 12+ hours ago, but
received no response since then.

I've spent some time trying to reproduce the reported vulnerability and
have had no success. It certainly doesn't help that the steps to reproduce
it are so poorly described or documented.
Without better documentation of the exploit, it seems impossible to
determine if the report is just misinformed, blatantly false, or if
perhaps there's some step/process I don't understand or am missing.

In every attempt I've made the binding of MongoDB to 127.0.0.1 is
effective and non-local connection attempts are refused, as one would
expect.
A swift response from Prosec Networks [prosec-networks.com] would be most
helpful.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

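The loopback-binding check Gregory Sloop describes, written out as an added example that is not part of any message in this thread: it parses `ss -Hltn` output (Linux iproute2, assumed available) and reports any listener on the given port that is bound somewhere other than 127.0.0.1 or ::1. The port is passed in by the caller; the thread names no port, so 27017 (stock MongoDB default) is an assumption used only in the usage line.

```shell
#!/bin/sh
# Added example, not from any message in the thread.
# Audits whether a MongoDB listener is bound to loopback only, which is the
# property Gregory Sloop reports observing (bound to 127.0.0.1, non-local
# connection attempts refused). Reads `ss -Hltn` output (Linux iproute2,
# assumed available) on stdin; the port to check is the first argument.
#
# Caveat: a loopback-only bind says nothing about a tunnel of the kind Rob
# Thomas suspected, which forwards a client-side port to the server's
# loopback. That path needs an account on the controller, so review
# controller accounts and SSH/tunnel configuration as a separate step.

# audit_port PORT
#   stdin : lines in the form "State Recv-Q Send-Q Local:Port Peer:Port ..."
#   stdout: one "EXPOSED: <local address>" line per non-loopback listener
#   return: 0 when every listener on PORT is loopback-only, 1 otherwise
audit_port() {
    port="$1"
    exposed=0
    while read -r _state _rq _sq laddr _peer _rest; do
        # The port is whatever follows the last ':' ("[::1]:27017" included).
        [ "${laddr##*:}" = "$port" ] || continue
        host="${laddr%:*}"
        case "$host" in
            127.*|"[::1]")
                ;;                        # IPv4 or IPv6 loopback: fine
            *)
                # 0.0.0.0, [::], * or a specific interface address
                echo "EXPOSED: $laddr"
                exposed=1
                ;;
        esac
    done
    return "$exposed"
}

# Live run, only when a port is given on the command line, e.g.:
#   sh audit_mongo_bind.sh 27017      (27017 = stock MongoDB default, assumed)
if [ -n "${1:-}" ]; then
    ss -Hltn | audit_port "$1"
fi
```

A non-zero exit with one or more EXPOSED lines means the daemon is reachable from other hosts and the bind configuration should be corrected before anything else is investigated.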