Cross-site Scripting (XSS) Issue In Multiple Ubiquiti Networks Products

Title

SEC Consult Vulnerability Lab Security Advisory < 20170724-0 > Cross-Site Scripting (XSS)

Product

Ubiquiti Networks EP-R6, ER-X, ER-X-SFP

Vulnerable Version

Firmware v1.9.1

Fixed Version

Firmware v1.9.1.1

CVE Number

-

Impact

medium

Found

04.04.2017

By

R. Freingruber, T. Weber (Office Vienna) SEC Consult Vulnerability Lab

The Ubiquiti Networks products EP-R6, ER-X und ER-X-SFP with firmware v1.9.1 are affected by a cross site scripting vulnerability. Malicious JavaScript code can be executed in the browser of the user and cookies can be stolen in order to take over the device.

Vendor Description

“Ubiquiti Networks develops high-performance networking technology for service providers and enterprises. Our technology platforms focus on delivering highly advanced and easily deployable solutions that appeal to a global customer base in underserved and underpenetrated markets.”

Source: http://ir.ubnt.com/

 

Business Recommendation

SEC Consult recommends not to use this device in production until a thorough security review has been performed by security professionals and all
identified issues have been resolved.

 

Vulnerability Overview/ Description

1) Reflected Cross Site Scripting (XSS) in Internet Explorer This vulnerability can be exploited by deactivating or bypassing the integrated XSS-filter of the Internet Explorer.

A reflected cross site scripting vulnerability was identified because of an initialization error in “<IP>/files/index/”. An attacker can exploit this vulnerability by tricking a victim to visit a malicious website. The attacker is able to hijack the session of the attacked user. If the user is currently not logged in, the injected JavaScript code can start a bruteforce attack (for example, with the default credentials ubnt:ubnt). After a session has been established, the code has full control over the system via the CLI feature which is basically a shell wrapper. By abusing this vulnerability an attacker can open ports on the router or start a reverse shell.

 

Proof Of Concept

1) Reflected Cross Site Scripting (XSS) in Internet Explorer

The following URL can be used as PoC:
https:// 192.168.1.1/files/index/0/aaa<svg><script>alert(1)<br>

The characters “=” and “/” are not allowed in this injection.

This restriction can be bypassed in Internet Explorer via the use of a SVG and BR tag.

Since “/” is not allowed the <script> tag can’t be closed and therefore browsers will not execute the supplied code. Moreover, event handlers (e.g. <svg onload=alert(1)>) can’t be used because of the “=” restriction. However, Internet Explorer can be tricked to parse the script via the use of the SVG and BR tags.

It can be assumed that similar tricks exit for other browsers.

Vulnerable / Tested Versions

EdgeRouter X SFP – Firmware v1.9.1

Vendor Contact Timeline

2017-04-04: Contacting vendor through HackerOne. Vendor sets status to “Triaged”.
2017-04-24: Asking for a update.
2017-04-25: Vendor responds that the fix is available in firmware v1.9.1.1.
2017-05-05: Found the update on the website of the vendor. It was available since 2017-04-28.
2017-05-15: Contacted vendor via e-mail and set the publication date to 2017-07-24.
2017-07-24: Public release of security advisory
   
 

Solution

Upgrade to firmware v1.9.1.1 or later.

 

Workaround

None

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

 

EOF R. Freingruber, T. Weber / @2017

 

Contact

Interested to work with the experts of SEC Consult? Send us your application.
Want to improve your own cyber security with the experts of SEC Consult? Contact our local offices.