Message-ID: <1789072598.20161003090316@sloop.net>
Date: Mon, 3 Oct 2016 09:03:16 -0700
From: Gregory Sloop <gregs@...op.net>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Critical Vulnerability in Ubiquiti UniFi

So, while I've not attempted to reproduce the "exploit"* POC below, I have some observations/questions.

The exploit, if I'm reading things correctly, depends on MongoDB being configured to accept remote database connections. Yet, at least on Ubuntu [the vendor recommended Linux distro], it's only configured to accept connections from 127.0.0.1. [bind_ip = 127.0.0.1]

So, it's not a remote exploit - in at least this case. [I suspect that's the usual config elsewhere too, so I suspect it's fair to say, it's not remote in virtually all cases.]

I suppose it means that if you have a valid account on the same box as Unifi+MongoDB is installed on, you could get admin in Unifi. [Which admittedly sucks.] 

But given the fairly limited nature of the "bug"* a CVSS score of 8.8 seems excessive. 
[*I think allowing remote DB access would break the security model the app is designed to run in, and so the results when you allow remote DB access are going to be ugly - that seems a given, and which might also explain Ubiquiti's response.]

But perhaps I misunderstand something/everything. If so, I'm glad to hear the explanation.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
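The post's argument rests on one configuration detail: whether the MongoDB instance behind the UniFi controller listens only on loopback. The following is an added example, not code from the post, from Ubiquiti or from the MongoDB project, that reads a mongod configuration file and reports whether every listener is loopback-only. It assumes the two configuration syntaxes mongod accepts (the legacy `bind_ip = ...` key=value form shown in the post and the YAML `net.bindIp` / `net.bindIpAll` form) and uses a constructed sample config; the file path and the sample contents are hypothetical.

```python
# Added example: audit a mongod config for loopback-only binding.
# Not from the mailing-list post; the sample config below is constructed.
import ipaddress
import re

# Names mongod accepts that resolve to the local host only.
LOOPBACK_ALIASES = {"localhost", "127.0.0.1", "::1"}

# Matches both "bind_ip = 127.0.0.1" (legacy) and "bindIp: 127.0.0.1" (YAML).
BIND_KEY = re.compile(r"^(bindIpAll|bindIp|bind_ip)\s*[:=]\s*(.*)$")


def parse_bind_addresses(config_text: str):
    """Return (addresses, bind_ip_all) found in a mongod config.

    Comments after '#' are ignored. YAML list syntax ("[a, b]") and
    comma-separated values are both accepted. Returns ([], False) when no
    bind key is present at all.
    """
    addresses = []
    bind_all = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = BIND_KEY.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip("[]")
        if key == "bindIpAll":
            bind_all = value.strip("\"'").lower() in ("true", "yes", "1")
        else:
            for item in value.split(","):
                item = item.strip().strip("\"'")
                if item:
                    addresses.append(item)
    return addresses, bind_all


def is_loopback_only(config_text: str) -> bool:
    """True only if every configured listener is provably local.

    An absent bind setting is treated as NOT loopback-only: the default
    depends on the mongod version (releases before 3.6 bound all
    interfaces), so an auditor should not assume it is safe.
    """
    addresses, bind_all = parse_bind_addresses(config_text)
    if bind_all or not addresses:
        return False
    for addr in addresses:
        if addr in LOOPBACK_ALIASES:
            continue
        if addr.startswith("/"):
            continue  # UNIX domain socket path: reachable from this host only
        try:
            if ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:
            pass  # hostname we cannot resolve offline: not provably loopback
        return False
    return True


if __name__ == "__main__":
    # Constructed sample resembling the Ubuntu default the post describes.
    SAMPLE_CONFIG = "# mongodb.conf (constructed)\nbind_ip = 127.0.0.1\nport = 27017\n"
    addrs, all_ifaces = parse_bind_addresses(SAMPLE_CONFIG)
    print("bind addresses:", addrs, "bindIpAll:", all_ifaces)
    print("loopback only:", is_loopback_only(SAMPLE_CONFIG))
```

Run it against the real file (commonly /etc/mongodb.conf or /etc/mongod.conf) to confirm the assumption the post makes; a result of False means the database is reachable from other hosts and the post's reasoning about the exploit being local-only no longer applies.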
