Cross-Site Scripting (XSS) issue in multiple Ubiquiti Networks products

Project Description

The Ubiquiti Networks products EP-R6, ER-X und ER-X-SFP with firmware v1.9.1 are affected by a cross site scripting vulnerability. Malicious JavaScript code can be executed in the browser of the user and cookies can be stolen in order to take over the device.


 

Vendor description

“Ubiquiti Networks develops high-performance networking technology for service providers and enterprises. Our technology platforms focus on delivering highly advanced and easily deployable solutions that appeal to a global customer base in underserved and underpenetrated markets.”

Source: http://ir.ubnt.com/

 

Business recommendation

SEC Consult recommends not to use this device in production until a thorough security review has been performed by security professionals and all
identified issues have been resolved.

 

Vulnerability overview/description

1) Reflected Cross Site Scripting (XSS) in Internet Explorer This vulnerability can be exploited by deactivating or bypassing the integrated XSS-filter of the Internet Explorer.

A reflected cross site scripting vulnerability was identified because of an initialization error in “<IP>/files/index/”. An attacker can exploit this vulnerability by tricking a victim to visit a malicious website. The attacker is able to hijack the session of the attacked user. If the user is currently not logged in, the injected JavaScript code can start a bruteforce attack (for example, with the default credentials ubnt:ubnt). After a session has been established, the code has full control over the system via the CLI feature which is basically a shell wrapper. By abusing this vulnerability an attacker can open ports on the router or start a reverse shell.

 

Proof of concept

1) Reflected Cross Site Scripting (XSS) in Internet Explorer

The following URL can be used as PoC:
https://192.168.1.1/files/index/0/aaa<svg><script>alert(1)<br>

The characters “=” and “/” are not allowed in this injection.

This restriction can be bypassed in Internet Explorer via the use of a SVG and BR tag.

Since “/” is not allowed the <script> tag can’t be closed and therefore browsers will not execute the supplied code. Moreover, event handlers (e.g. <svg onload=alert(1)>) can’t be used because of the “=” restriction. However, Internet Explorer can be tricked to parse the script via the use of the SVG and BR tags.

It can be assumed that similar tricks exit for other browsers.

Vulnerable / tested versions

EdgeRouter X SFP – Firmware v1.9.1

Vendor contact timeline

2017-04-04: Contacting vendor through HackerOne. Vendor sets status to “Triaged”.
2017-04-24: Asking for a update.
2017-04-25: Vendor responds that the fix is available in firmware v1.9.1.1.
2017-05-05: Found the update on the website of the vendor. It was available since 2017-04-28.
2017-05-15: Contacted vendor via e-mail and set the publication date to 2017-07-24.
2017-07-24: Public release of security advisory

 

Solution

Upgrade to firmware v1.9.1.1 or later.

 

Workaround

None

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

 

EOF R. Freingruber, T. Weber / @2017

 

Project Details

  • TitleSEC Consult Vulnerability Lab Security Advisory < 20170724-0 > Cross-Site Scripting (XSS)
  • ProductUbiquiti Networks EP-R6, ER-X, ER-X-SFP
  • Vulnerable versionFirmware v1.9.1
  • Fixed versionFirmware v1.9.1.1
  • CVE number--
  • Impact Medium
  • Homepagehttps://www.ubnt.com
  • Found 2017-04-04
  • ByR. Freingruber, T. Weber (Office Vienna) SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Blog. Blog

Back