SEC Consult SA-20170316-0 :: Authenticated command injection in multiple Ubiquiti Networks products Mar 16 2017 11:35AM
SEC Consult Vulnerability Lab (research sec-consult com)
SEC Consult Vulnerability Lab Security Advisory < 20170316-0 >
title: Authenticated Command Injection
product: Multiple Ubiquiti Networks products, e.g.
AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M,
AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti,
BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5,
locoM9, M2, M3, M365, M5, M900, NB-2G18, NB-5G22,
NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365,
Power AP N
vulnerable version: v1.3.3 (SW), v5.6.9/v6.0 (XM)
fixed version: -
CVE number: -
impact: Critical
homepage: https://www.ubnt.com
found: 2016-11-22
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich



Vendor description:
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."

Source: http://ir.ubnt.com/

Business recommendation:
SEC Consult recommends not to use this product in a production environment
until a thorough security review has been performed by security
professionals and all identified issues have been resolved.

Vulnerability overview/description:
1) Command Injection in Admin Interface
A command injection vulnerability was found in "pingtest_action.cgi".
This script is vulnerable since it is possible to inject a value of a
variable. One of the reasons for this behaviour is the used PHP version
(PHP/FI 2.0.1 from 1997).

The vulnerability can be exploited by luring an attacked user to click
on a crafted link or just surf on a malicious website. The whole attack
can be performed via a single GET-request and is very simple since there
is no CSRF protection. See our other advisory published in January 2017:

An attacker can open a port binding or reverse shell to connect to the
device and is also able to change the "passwd" since the web service
runs with root privileges!

Furthermore, low privileged read-only users, which can be created in the web
interface, are also able to perform this attack.

If the Ubiquiti device acts as router or even as firewall, the attacker
can take over the whole network by exploiting this vulnerability.

Proof of concept:
1) Command Injection in Admin Interface
The following link can be used to open a reverse shell to the attacker's
IP address. There are two possibilities for the different firmware
Reverse root shell - firmware: v1.3.3 (SW)
[ PoC removed - no patch available ]

Reverse root shell - firmware: v5.6.9/v6.0 (XM)
[ PoC removed - no patch available ]

A video is available here: https://youtu.be/oU8GNeP_Aps

Vulnerable / tested versions:
The following devices and firmware versions have been tested/verified:
TS-8-PRO - v1.3.3 (SW)
(Rocket) M5 - v5.6.9/v6.0 (XM)
(PicoStationM2HP) PICOM2HP - v5.6.9/v6.0 (XM)
(NanoStationM5) NSM5 - v5.6.9/v6.0 (XM)

Based on information embedded in the firmware of other Ubiquiti products
gathered from our IoT Inspector tool we believe the following devices are
affected as well:

Ubiquiti Networks AF24 (Version: AF24 v3.2)
Ubiquiti Networks AF24HD (Version: AF24 v3.2)
Ubiquiti Networks AF-2X (Version: AF2X v3.2 )
Ubiquiti Networks AF-3X (Version: AF3X v3.2)
Ubiquiti Networks AF5 (Version: AF5 v3.2)
Ubiquiti Networks AF5U (Version: AF5 v3.2)
Ubiquiti Networks AF-5X (Version: AF5X v3.2.1)
Ubiquiti Networks AG-PRO-INS (Version: AirGWP v1.1.7)
Ubiquiti Networks airGateway (Version: AirGW v1.1.7)
Ubiquiti Networks airGateway-LR (Version: AirGW v1.1.7)
Ubiquiti Networks AMG-PRO (Version: AirGWP v1.1.7)
Ubiquiti Networks LBE-5AC-16-120 (Version: WA v7.2.4)
Ubiquiti Networks LBE-5AC-23 (Version: WA v7.2.4)
Ubiquiti Networks LBE-M5-23 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-5AC-16 (Version: WA v7.2.4)
Ubiquiti Networks NBE-5AC-19 (Version: XC v7.2.4)
Ubiquiti Networks NBE-M2-13 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-M5-16 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-M5-19 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-5AC-300 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-300-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-400 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-400-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-500 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-500-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-620 (Version: XC v7.2.4)
Ubiquiti Networks PBE-M2-400 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-300 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-300-ISO (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-400 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-400-ISO (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-620 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks R5AC-Lite (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PRISM (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PTMP (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PTP (Version: XC v7.2.4)
Ubiquiti Networks RM2-Ti (Version: XW v5.6.9/v6.0)
Ubiquiti Networks RM5-Ti (Version: XW v5.6.9/v6.0)

Vendor contact timeline:
2016-11-22: Contacting vendor via HackerOne
2016-11-22: Vendor marks it as duplicate to: #143447
2016-11-23: Asking the vendor for a patch.
2016-11-25: Vendor responds that #143447 should be fixed for next stable
2016-11-25: Asking for an estimated time frame for a fix of the
2016-11-25: Vendor can not give a precise date.
2017-01-10: Asking the vendor for a patch and defined release of the
advisory for 2017-01-16 (concerning the SEC Consult
disclosure policy). Shifted the deadline to 2017-01-30
due to Christmas holidays; No answer.
2017-01-17: Asked for an update.
2017-01-17: Vendor excuses for the delay and responds that they got a
similar report but our PoC does not work.
2017-01-18: Explained PoC again
2017-01-19: Vendor responds that they received a similar report and
assumed a duplication. They state that our PoC never worked
and did not make any sense.
2017-01-20: Uploaded a video which shows a live command injection at an
up-to-date (v6.0) device and posted an assumed reason why
it's possible to exploit
2017-01-21: Vendor responds that they were able to reproduce it now. They
also posted the real cause.
2017-01-24: Asking whether the vulnerability is a duplicate to #143447.
2017-01-24: Vendor responds that it is no duplicate and that this
issue will be fixed as soon as possible.
2017-02-03: Asking for a status update; No answer.
2017-02-21: Asking for a status update; No answer.
2017-03-01: Informing the vendor that the release of the advisory is set to
2017-03-16; No answer.
2017-03-16: Public advisory release

There is no fix available from the vendor.

Restrict user and network access.

Advisory URL:


SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2017

0? *?H?÷
 `?He0? *?H?÷
 ? 0?¯0?? à#Ë?S?­anzTgk!0
 0o1 0 USE10U
 AddTrust AB1&0$U AddTrust External TTP Network1"0 UAddTrust External CA Root0
200530104838Z0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA0?"0
ÓJ¶ ?n¥=Ùº»þ¡?©.CRC|¯2PȦOZéØÏ?%?{?è0dæ¤øV?ý*$3?¬Dåi?£FKÂ3Ôé@?°±¬?@¹
µ?:?*S£Û= a<U?ÙNv%!)ú£|qvOîá_éûT?ÛÃ{5R·?Þ"=,0-1Y½R7°3i-CëúÖ¥ñ?wgQ?Ùî'ë¼¥8v?¤©
00U 0DU=0;09 7 5?3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
 ?*n¬UÁ:«?ÅØíÍUóªka+À #?Åfjo±õ´µw^aß}þ³¤??üû[jr
Á?â?ûZBj#!éeÇõÕ»~ê?? bêÑ:,YÅ?3ò8?å¶ézyöJ&ú|?û?0?a0?I +?þ%³`??5T«´0
 0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA0
200229235959Z0?W1 0 UAT1
0 U270010UNiederoesterreich10U Wr. Neustadt10U Komarigasse 14/11.0,U
%SEC Consult Unternehmensberatung GmbH1I0GU @Issued through SEC Consult Unternehmensberatung GmbH E-PKI Manag10U Corporate Secure Email1&0$USEC Consult Vulnerability Lab1'0% *?H?÷
 research (at) sec-consult (dot) com0 [email concealed]?"0
?çââ³×p¼¬ÉÓ#ëäoú=1X ÏsÍldhmþ·}jµ?ýySüx??¡%Vl´9«ÖHÍO½Ë Z|¢ò?q4äËg?7ò?ù?t¥Á±å1Pzò¦<*WÒj,?%x?? ä??F ¼ÜpF/*ÛЩk*TÅöb²??ÖӏñÏZ?QP´?wH;qf¢?r5·ÉyhXcü(#1~ ôYS"YÐ`U
?øô¤rP1u^ËØP.ëë?f}SÅäÖ[Hd¥ ¢áorà­ ÔB?{u·@J·²¨°×®6vL±
h:?i -V£?ËLBóa£?à0?Ü0U#0??ak?ᢠªOìgñ£÷´?Áì0U
G?gx.§~¢Òü¥El?%0Uÿ 0 Uÿ00U%0++0FU ?0=0; +²10+0)+https://secure.comodo.net/CPS0]UV0T0R P
omodoca.com0#U0research (at) sec-consult (dot) com0 [email concealed]
ðH§Àz7!]J ºæû¼]¨µX i?òÉ£­©cwSÀ/?­?ÓOÑ:þ Úøw?P[óü¹ÁÒ&©ã?ü-6?L5Y?ù6àòÀõ$Äð?z¼.È?ïNþ±ñ?øK×ÈV ® ¯ä@nÞ9ó¹Rk«*Ò¶èDÞÞ
{Ë­à¦]FϨújRO^pº=õ ?æ?18!??¤q µa=c@2ÞTC?ïþ´4?~-?ø¿À?Hÿ¹¨r.ÁØ ØXW?YÊÆ?á:??ZÔûµ4àÒ2CSq3»?`Û?I?Ö²Ë3gj?ù»º x1?A0?=0°0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA+?þ%³`??5T«´0
 `?He ?a0 *?H?÷
 1  *?H?÷
0 *?H?÷
170316113537Z0/ *?H?÷
 1" Ù±?-WIóS¼dTªIþf~Au@Æa?ëø¹tÆ+Z?C0l *?H?÷
 1_0]0  `?He*0  `?He0
(0Á +?71³0°0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA+?þ%³`??5T«´0Ã *?H?÷
  1³ °0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA+?þ%³`??5T«´0
?¼êÂz?mã]¹×YÙö5QØÅ°E§¶U?}Üy?õJW???!ùûú®?jñ \?3ÂbÔæ3ª ?2ð¹ho?ñ5a³ß?Xò¹Ðý/{ùäR«RX`Ù,J+¯}#?óm?ÝßT}0vÉ

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus