Ubiquiti Networks: Remote Code Execution at http://tw.corp.ubnt.com

2017-09-17T16:21:09
ID H1:269066
Type hackerone
Reporter hassham
Modified 2017-11-29T15:01:21

Description

The researcher found a Command Injection in tw.corp.ubnt.com. While hunting i came across a host of Ubiquiti Networks tw.corp.ubnt.com , when i browsed to http://tw.corp.ubnt.com there was Dir listing enabled which contained various sensitive information. This was reported to Ubiquiti Team.

However I decided to look further in the Directories and files which were being leaked, and came across an endpoint /tools/ntpasswd.php . This endpoint had functionality of allowing users for converting clear text passwords into NT and LM hashes.

After simple fuzzing it was discovered that the end point is vulnerable to Command Injection bug and was reported to Ubiquiti team.

PS: One of the simplest bug found.