Ubiquiti Networks: [EdgeSwitch] Web GUI command injection as root with Privilege-1 and Privilege-15 users

2017-01-12T22:20:19
ID H1:197958
Type hackerone
Reporter phenix
Modified 2017-07-21T09:51:32

Description

The researcher found a privilege escalation in the EdgeSwitch prior to version 1.7.1: a CGI script does not fully sanitize user input, resulting in local command execution and allowing an operator user (Privilege-1) to escalate privileges and become administrator (Privilege-15). OS command injection in the web interface of Ubiquiti Networks EdgeSwitch prior to version 1.7.1 allows a limited-privilege operator to escalate to root by crafting a specific HTTP request to a CGI script while logged in.
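The bug class above, as an added illustration that is not EdgeSwitch's code: a CGI handler that concatenates a request parameter into a shell command, beside a hardened handler that allowlists the value and invokes the program without a shell. The parameter name `host` and the diagnostic command are hypothetical; the advisory does not identify the affected script or parameter.

```python
"""Added illustration (not EdgeSwitch's code) of the CGI command-injection
pattern described in the advisory, next to a hardened handler.

Assumptions, all hypothetical: a CGI parameter named 'host' that a
diagnostic script passes to a system command. The real EdgeSwitch script
and parameter are not named in the advisory."""
import re
import subprocess

# Strict allowlist: hostname or IPv4 literal characters only. Anything a
# shell would interpret (';', '|', '&', '$(', backticks, whitespace) fails.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")


def vulnerable_command(host: str) -> str:
    """Builds the string a careless CGI handler would hand to /bin/sh.
    Returned rather than executed so the flaw is visible without side effects:
    the parameter is never validated, so shell metacharacters survive intact."""
    return "ping -c 1 " + host


def validate_host(host: str) -> bool:
    """True only for input that is safe to pass as a single argv element."""
    return _HOST_RE.fullmatch(host) is not None


def hardened_command(host: str) -> list[str]:
    """argv list for subprocess.run(..., shell=False); rejects bad input.
    With no shell involved, the parameter can only ever be one argument."""
    if not validate_host(host):
        raise ValueError("rejected CGI parameter: %r" % host)
    return ["ping", "-c", "1", host]


def run_hardened(host: str) -> int:
    """Executes the validated command without a shell; returns exit status.
    Note the process still runs with the CGI's own privileges, so the web
    server should not be root in the first place (the advisory's root
    impact comes from the CGI running as root)."""
    proc = subprocess.run(hardened_command(host), check=False,
                          capture_output=True)
    return proc.returncode


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying a second shell command.
    for candidate in ("192.0.2.10", "192.0.2.10; id"):
        verdict = "accepted" if validate_host(candidate) else "rejected"
        print("%-16r -> %s" % (candidate, verdict))
```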