Vendor Description
“Ubiquiti Networks develops high-performance networking technology for service providers and enterprises. Our technology platforms focus on delivering highly advanced and easily deployable solutions that appeal to a global customer base in underserved and underpenetrated markets.”
Source: http://ir.ubnt.com/
Business Recommendation
SEC Consult recommends not to use this device in production until a thorough security review has been performed by security professionals and all identified issues have been resolved.
Vulnerability Overview/ Description
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
This vulnerability can be exploited by deactivating or bypassing the integrated XSS filter of Internet Explorer.
A reflected cross site scripting vulnerability was identified because of an initialization error in “<IP>/files/index/”. An attacker can exploit this vulnerability by tricking a victim into visiting a malicious website. The attacker is then able to hijack the session of the attacked user. If the user is currently not logged in, the injected JavaScript code can start a brute-force attack (for example, with the default credentials ubnt:ubnt). After a session has been established, the code has full control over the system via the CLI feature, which is basically a shell wrapper. By abusing this vulnerability an attacker can open ports on the router or start a reverse shell.
Proof Of Concept
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
The following URL can be used as PoC:
https://192.168.1.1/files/index/0/aaa<svg><script>alert(1)<br>
The characters “=” and “/” are not allowed in this injection.
This restriction can be bypassed in Internet Explorer via the use of a SVG and BR tag.
Since “/” is not allowed, the <script> tag can’t be closed and therefore browsers will normally not execute the supplied code. Moreover, event handlers (e.g. <svg onload=alert(1)>) can’t be used because of the “=” restriction. However, Internet Explorer can be tricked into parsing the script via the use of the SVG and BR tags.
It can be assumed that similar tricks exist for other browsers.
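The following added example (written for this page, not code from SEC Consult or Ubiquiti) shows why a character blacklist such as the “=” and “/” restriction above does not prevent reflected XSS, and contrasts it with context-aware output encoding; it also includes a small log-review helper. The rendering functions are hypothetical stand-ins for the router's page, and the payload is the one from the PoC above.

```python
import html
from typing import Optional
from urllib.parse import unquote

# Constructed from the PoC URL above: the path segment after /files/index/0/
POC_PAYLOAD = "aaa<svg><script>alert(1)<br>"


def blacklist_filter(value: str) -> Optional[str]:
    """Mirror the restriction the advisory observed: reject input containing
    '=' or '/'. Returns the value unchanged when it passes, None when rejected."""
    if "=" in value or "/" in value:
        return None
    return value


def reflect_unsafe(value: str) -> str:
    """Hypothetical vulnerable rendering: the path segment is echoed into the
    HTML body verbatim, so anything the blacklist lets through becomes markup."""
    return f"<p>File not found: {value}</p>"


def reflect_safe(value: str) -> str:
    """Hardened rendering: HTML-escape before placing user data in a text node.
    This neutralises '<', '>', '&' and quotes regardless of what a filter allows."""
    return f"<p>File not found: {html.escape(value, quote=True)}</p>"


def contains_raw_markup(rendered: str) -> bool:
    """Check whether the rendered HTML still contains a raw tag from the input."""
    return any(tag in rendered for tag in ("<svg>", "<script>", "<br>"))


def flags_request_path(path: str) -> bool:
    """Constructed log-review heuristic for defenders: flag requests under
    /files/index/ whose URL-decoded path contains '<' (tag injection attempts)."""
    decoded = unquote(path)
    if not decoded.startswith("/files/index/"):
        return False
    return "<" in decoded
```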
Vulnerable / Tested Versions
EdgeRouter X SFP – Firmware v1.9.1