[ale] [Fwd: [FD] SEC Consult SA-20170316-0 :: Authenticated command injection in multiple Ubiquiti Networks products]
DJ-Pfulio
DJPfulio at jdpfu.com
Thu Mar 16 09:36:06 EDT 2017
Don't know about "all EOL", but the M5, M2, M3 are very old.
It is worth knowing that Ubiquiti usually does management networking on
a different subnet than end-users have access to, so even getting to the
management interface demands a wired connection on that other subnet.
Unless the setup crew wasn't doing the normal setup. With physical
access, all bets are off.
On 03/16/2017 08:51 AM, Joey Kelly wrote:
> This is crazy. Please tell me this is all EOL gear. The third paragraph
> tells the tale.
>
> --Joey
>
> ---------------------------- Original Message ----------------------------
> Subject: [FD] SEC Consult SA-20170316-0 :: Authenticated command injection
> in multiple Ubiquiti Networks products
> From: "SEC Consult Vulnerability Lab" <research at sec-consult.com>
> Date: Thu, March 16, 2017 11:35 am
> To: bugtraq at securityfocus.com
> fulldisclosure at seclists.org
> --------------------------------------------------------------------------
>
> SEC Consult Vulnerability Lab Security Advisory < 20170316-0 >
> =======================================================================
> title: Authenticated Command Injection
> product: Multiple Ubiquiti Networks products, e.g.
> TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16,
> AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M,
> AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti,
> BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5,
> locoM9, M2, M3, M365, M5, M900, NB-2G18, NB-5G22,
> NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365,
> NSM5, PBM10, PBM3, PBM365, PBM5, PICOM2HP,
> Power AP N
> vulnerable version: v1.3.3 (SW), v5.6.9/v6.0 (XM)
> fixed version: -
> CVE number: -
> impact: Critical
> homepage: https://www.ubnt.com
> found: 2016-11-22
> by: T. Weber (Office Vienna)
> SEC Consult Vulnerability Lab
>
> An integrated part of SEC Consult
> Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
> Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius -
> Zurich
>
> https://www.sec-consult.com
>
> =======================================================================
>
> Vendor description:
> -------------------
> "Ubiquiti Networks develops high-performance networking
> technology for service providers and enterprises. Our technology
> platforms focus on delivering highly advanced and easily deployable
> solutions that appeal to a global customer base in underserved and
> underpenetrated markets."
>
> Source: http://ir.ubnt.com/
>
>
> Business recommendation:
> ------------------------
> SEC Consult recommends not to use this product in a production environment
> until a thorough security review has been performed by security
> professionals and all identified issues have been resolved.
>
>
> Vulnerability overview/description:
> -----------------------------------
> 1) Command Injection in Admin Interface
> A command injection vulnerability was found in "pingtest_action.cgi".
> This script is vulnerable since it is possible to inject a value of a
> variable. One of the reasons for this behaviour is the PHP version used
> (PHP/FI 2.0.1 from 1997).
>
> The vulnerability can be exploited by luring an attacked user into clicking
> a crafted link or simply visiting a malicious website. The whole attack
> can be performed via a single GET request and is very simple since there
> is no CSRF protection. See our other advisory published in January 2017:
> https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170130-0_Ubiquiti_Networks_XSS_CSRF_v10.txt
>
> An attacker can open a port binding or reverse shell to connect to the
> device and is also able to change the "passwd" since the web service
> runs with root privileges!
>
> Furthermore, low privileged read-only users, which can be created in the web
> interface, are also able to perform this attack.
>
> If the Ubiquiti device acts as a router or even as a firewall, the attacker
> can take over the whole network by exploiting this vulnerability.
>
>
> Proof of concept:
> -----------------
> 1) Command Injection in Admin Interface
> The following link can be used to open a reverse shell to the attacker's
> IP address. There are two possibilities for the different firmware
> versions.
> Reverse root shell - firmware: v1.3.3 (SW)
> [ PoC removed - no patch available ]
>
> Reverse root shell - firmware: v5.6.9/v6.0 (XM)
> [ PoC removed - no patch available ]
>
> A video is available here: https://youtu.be/oU8GNeP_Aps
>
>
> Vulnerable / tested versions:
> -----------------------------
> The following devices and firmware versions have been tested/verified:
> TS-8-PRO - v1.3.3 (SW)
> (Rocket) M5 - v5.6.9/v6.0 (XM)
> (PicoStationM2HP) PICOM2HP - v5.6.9/v6.0 (XM)
> (NanoStationM5) NSM5 - v5.6.9/v6.0 (XM)
>
> Based on information embedded in the firmware of other Ubiquiti products
> gathered from our IoT Inspector tool we believe the following devices are
> affected as well:
>
> Ubiquiti Networks AF24 (Version: AF24 v3.2)
> Ubiquiti Networks AF24HD (Version: AF24 v3.2)
> Ubiquiti Networks AF-2X (Version: AF2X v3.2 )
> Ubiquiti Networks AF-3X (Version: AF3X v3.2)
> Ubiquiti Networks AF5 (Version: AF5 v3.2)
> Ubiquiti Networks AF5U (Version: AF5 v3.2)
> Ubiquiti Networks AF-5X (Version: AF5X v3.2.1)
> Ubiquiti Networks AG-PRO-INS (Version: AirGWP v1.1.7)
> Ubiquiti Networks airGateway (Version: AirGW v1.1.7)
> Ubiquiti Networks airGateway-LR (Version: AirGW v1.1.7)
> Ubiquiti Networks AMG-PRO (Version: AirGWP v1.1.7)
> Ubiquiti Networks LBE-5AC-16-120 (Version: WA v7.2.4)
> Ubiquiti Networks LBE-5AC-23 (Version: WA v7.2.4)
> Ubiquiti Networks LBE-M5-23 (Version: XW v5.6.9/v6.0)
> Ubiquiti Networks NBE-5AC-16 (Version: WA v7.2.4)
> Ubiquiti Networks NBE-5AC-19 (Version: XC v7.2.4)
> Ubiquiti Networks NBE-M2-13 (Version: XW v5.6.9/v6.0)
> Ubiquiti Networks NBE-M5-16 (Version: XW v5.6.9/v6.0)
> Ubiquiti Networks NBE-M5-19 (Version: XW v5.6.9/v6.0)
> Ubiquiti Networks PBE-5AC-300 (Version: XC v7.2.4)
> Ubiquiti Networks PBE-5AC-300-ISO (Version: XC v7.2.4)
> Ubiquiti Networks PBE-5AC-400 (Version: XC v7.2.4)
> Ubiquiti Networks PBE-5AC-400-ISO (Version: XC v7.2.4)
> Ubiquiti Networks PBE-5AC-500 (Version: XC v7.2.4)
> Ubiquiti Networks PBE-5AC-500-ISO (Version: XC v7.2.4)
> Ubiquiti Networks PBE-5AC-620 (Version: XC v7.2.4)
> Ubiquiti Networks PBE-M2-400 (Version: XW v5.6.9/v6.0)
> Ubiquiti Networks PBE-M5-300 (Version: XW v5.6.9/v6.0)
> Ubiquiti Networks PBE-M5-300-ISO (Version: XW v5.6.9/v6.0)
> Ubiquiti Networks PBE-M5-400 (Version: XW v5.6.9/v6.0)
> Ubiquiti Networks PBE-M5-400-ISO (Version: XW v5.6.9/v6.0)
> Ubiquiti Networks PBE-M5-620 (Version: XW v5.6.9/v6.0)
> Ubiquiti Networks R5AC-Lite (Version: XC v7.2.4)
> Ubiquiti Networks R5AC-PRISM (Version: XC v7.2.4)
> Ubiquiti Networks R5AC-PTMP (Version: XC v7.2.4)
> Ubiquiti Networks R5AC-PTP (Version: XC v7.2.4)
> Ubiquiti Networks RM2-Ti (Version: XW v5.6.9/v6.0)
> Ubiquiti Networks RM5-Ti (Version: XW v5.6.9/v6.0)
>
>
> Vendor contact timeline:
> ------------------------
> 2016-11-22: Contacting vendor via HackerOne
> 2016-11-22: Vendor marks it as duplicate to: #143447
> 2016-11-23: Asking the vendor for a patch.
> 2016-11-25: Vendor responds that #143447 should be fixed for next stable
> release.
> 2016-11-25: Asking for an estimated time frame for a fix of the
> vulnerability.
> 2016-11-25: Vendor cannot give a precise date.
> 2017-01-10: Asking the vendor for a patch and defined release of the
> advisory for 2017-01-16 (concerning the SEC Consult
> disclosure policy). Shifted the deadline to 2017-01-30
> due to Christmas holidays; No answer.
> 2017-01-17: Asked for an update.
> 2017-01-17: Vendor apologizes for the delay and responds that they got a
> similar report but our PoC does not work.
> 2017-01-18: Explained PoC again
> 2017-01-19: Vendor responds that they received a similar report and
> assumed a duplication. They state that our PoC never worked
> and did not make any sense.
> 2017-01-20: Uploaded a video which shows a live command injection at an
> up-to-date (v6.0) device and posted an assumed reason why
> it's possible to exploit
> 2017-01-21: Vendor responds that they were able to reproduce it now. They
> also posted the real cause.
> 2017-01-24: Asking whether the vulnerability is a duplicate to #143447.
> 2017-01-24: Vendor responds that it is not a duplicate and that this
> issue will be fixed as soon as possible.
> 2017-02-03: Asking for a status update; No answer.
> 2017-02-21: Asking for a status update; No answer.
> 2017-03-01: Informing the vendor that the release of the advisory is set to
> 2017-03-16; No answer.
> 2017-03-16: Public advisory release
>
>
> Solution:
> ---------
> There is no fix available from the vendor.
>
>
> Workaround:
> -----------
> Restrict user and network access.
>
>
> Advisory URL:
> -------------
> https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> SEC Consult Vulnerability Lab
>
> SEC Consult
> Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
> Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
>
> About SEC Consult Vulnerability Lab
> The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
> ensures the continued knowledge gain of SEC Consult in the field of network
> and application security to stay ahead of the attacker. The SEC Consult
> Vulnerability Lab supports high-quality penetration testing and the
> evaluation of new offensive and defensive technologies for our customers. Hence our
> customers obtain the most current information about vulnerabilities and valid
> recommendation about the risk profile of new technologies.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Interested to work with the experts of SEC Consult?
> Send us your application https://www.sec-consult.com/en/Career.htm
>
> Interested in improving your cyber security with the experts of SEC Consult?
> Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Mail: research at sec-consult dot com
> Web: https://www.sec-consult.com
> Blog: http://blog.sec-consult.com
> Twitter: https://twitter.com/sec_consult
>
> EOF T. Weber / @2017
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
--
Got Linux? Used on smartphones, tablets, desktop computers, media
centers, and servers by kids, Moms, Dads, grandparents and IT
professionals.
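The pattern the forwarded advisory describes (a ping-test CGI parameter spliced into a shell command, reachable with a single unauthenticated-by-CSRF GET) beside a hardened handler, as added example code that is not the firmware's PHP/FI script; it is written in Python, and the function names, the `host` and `csrf_token` parameter names and the request handler are assumptions made for this example.

```python
import hmac
import ipaddress
import re
import secrets
import subprocess

# Hostname grammar (RFC 1123 labels), assumed here as the allow-list for "host".
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")

def vulnerable_ping_command(target: str) -> str:
    """The defect class in the advisory: the parameter value is pasted into a
    shell string, so any shell metacharacter in 'target' is interpreted."""
    return f"ping -c 4 {target}"

def validate_target(target: str) -> str:
    """Accept only a literal IP address or a syntactically valid hostname."""
    if len(target) > 253:
        raise ValueError("target too long")
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if not _HOSTNAME_RE.fullmatch(target):
        raise ValueError("target is not an IP address or hostname")
    return target

def safe_ping_argv(target: str) -> list[str]:
    """Argument vector for subprocess.run(..., shell=False): no shell parses it.
    '--' ends option parsing (getopt-based ping) as belt-and-braces against a
    target starting with '-'; validate_target already rejects such input."""
    return ["ping", "-c", "4", "--", validate_target(target)]

def run_ping(target: str) -> subprocess.CompletedProcess:
    """Execute without a shell; the web service in the advisory ran as root,
    so the process should additionally be dropped to an unprivileged user."""
    return subprocess.run(safe_ping_argv(target), capture_output=True, timeout=15)

def issue_csrf_token() -> str:
    """Per-session random token stored server-side and echoed in the form."""
    return secrets.token_urlsafe(32)

def check_csrf(session_token: str, form_token: str) -> bool:
    """Constant-time comparison; the original CGI had no such check."""
    return hmac.compare_digest(session_token, form_token)

def handle_ping_request(method: str, params: dict, session_token: str) -> list[str]:
    """Hardened handler: POST only, valid CSRF token, validated argument vector."""
    if method != "POST":
        raise PermissionError("state-changing action requires POST")
    if not check_csrf(session_token, params.get("csrf_token", "")):
        raise PermissionError("missing or invalid CSRF token")
    return safe_ping_argv(params.get("host", ""))
```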