SEC Consult SA-20170724-0 :: Cross-Site Scripting (XSS) issue in multiple Ubiquiti Networks products

From: SEC Consult Vulnerability Lab <research@sec-consult.com>
To: bugtraq@securityfocus.com, fulldisclosure@seclists.org
Message-ID: <d274651c-b17e-8c35-4f7c-13ecb097e4ee@sec-consult.com>
Subject: SEC Consult SA-20170724-0 :: Cross-Site Scripting (XSS) issue in
 multiple Ubiquiti Networks products


SEC Consult Vulnerability Lab Security Advisory < 20170724-0 >
========================================================================
              title: Cross-Site Scripting (XSS)
            product: Ubiquiti Networks EP-R6, ER-X, ER-X-SFP
 vulnerable version: Firmware v1.9.1
      fixed version: Firmware v1.9.1.1
         CVE number:
             impact: Medium
           homepage: https://www.ubnt.com
              found: 2017-04-04
                 by: R. Freingruber, T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

========================================================================

Vendor description:
-------------------
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."

Source: http://ir.ubnt.com/


Business recommendation:
------------------------
SEC Consult recommends not to use this device in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
This vulnerability can only be exploited if the integrated XSS filter of
Internet Explorer is deactivated or bypassed.

A reflected cross-site scripting vulnerability was identified because of an
initialization error in "<IP>/files/index/". An attacker can exploit this
vulnerability by tricking a victim into visiting a malicious website. The
attacker is then able to hijack the session of the attacked user. If the user
is currently not logged in, the injected JavaScript code can start a
brute-force attack (for example, with the default credentials ubnt:ubnt).
After a session has been established, the code has full control over the
system via the CLI feature, which is basically a shell wrapper. By abusing
this vulnerability an attacker can open ports on the router or start a
reverse shell.

Proof of concept:
-----------------
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
The following URL can be used as PoC:

https://192.168.1.1/files/index/0/aaa<svg><script>alert(1)<br>

The characters "=" and "/" are not allowed in this injection.
This restriction can be bypassed in Internet Explorer via the use
of an SVG and a BR tag.
Since "/" is not allowed, the <script> tag can't be closed and therefore
browsers will not execute the supplied code. Moreover, event handlers
(e.g. <svg onload=alert(1)>) can't be used because of the "=" restriction.
However, Internet Explorer can be tricked into parsing the script via the
use of the SVG and BR tags.
It can be assumed that similar tricks exist for other browsers.
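An added illustration, not code from the advisory or from Ubiquiti's firmware: an assumed model of the character blocklist the advisory describes, the reflecting handler before and after proper HTML output encoding, and a check over constructed access-log lines that flags attempts against the /files/index/ path. The handler, log format and IP addresses are assumptions for the example.

```python
import html
from urllib.parse import unquote

# The path segment from the advisory's PoC URL (no new payload is introduced).
POC_SEGMENT = "aaa<svg><script>alert(1)<br>"


def blocklist_accepts(segment: str) -> bool:
    """Assumed model of the filter the advisory describes: only '=' and '/'
    are rejected, so markup without those characters still passes."""
    return "=" not in segment and "/" not in segment


def render_reflected_unsafe(segment: str) -> str:
    """Vulnerable pattern: the untrusted path segment is echoed verbatim."""
    return f"<p>File not found: {segment}</p>"


def render_reflected_safe(segment: str) -> str:
    """Hardened pattern: entity-encode for the HTML body context instead of
    trying to blocklist individual characters."""
    return f"<p>File not found: {html.escape(segment, quote=True)}</p>"


def contains_script_tag(rendered: str) -> bool:
    """True if the rendered page still carries a raw <script> opener."""
    return "<script>" in rendered


# Constructed access-log lines (Common Log Format) for the detection check.
LOG_LINES = [
    '192.0.2.10 - - [04/Apr/2017:10:00:01 +0200] "GET /files/index/0/'
    'aaa%3Csvg%3E%3Cscript%3Ealert(1)%3Cbr%3E HTTP/1.1" 404 123',
    '192.0.2.11 - - [04/Apr/2017:10:00:02 +0200] "GET /files/index/0/report.txt HTTP/1.1" 200 512',
    '192.0.2.12 - - [04/Apr/2017:10:00:03 +0200] "GET /css/style.css HTTP/1.1" 200 2048',
]


def flag_suspicious_requests(lines):
    """Return decoded request paths under /files/index/ that carry angle
    brackets; percent-decoding is applied so encoded markup is not missed."""
    hits = []
    for line in lines:
        try:
            path = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue  # malformed line, skip rather than crash the scan
        decoded = unquote(path)
        if decoded.startswith("/files/index/") and ("<" in decoded or ">" in decoded):
            hits.append(decoded)
    return hits
```

The blocklist accepts the PoC segment unchanged, the unsafe renderer emits it as live markup, and the encoded renderer neutralises it; the log check flags only the first constructed line.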


Vulnerable / tested versions:
-----------------------------
EdgeRouter X SFP - Firmware v1.9.1


Vendor contact timeline:
------------------------
2017-04-04: Contacting vendor through HackerOne. Vendor sets status to
            "Triaged".
2017-04-24: Asking for an update.
2017-04-25: Vendor responds that the fix is available in firmware
            v1.9.1.1.
2017-05-05: Found the update on the website of the vendor. It was
            available since 2017-04-28.
2017-05-15: Contacted vendor via e-mail and set the publication date
            to 2017-07-24.
2017-07-24: Public release of security advisory.

Solution:
---------
Upgrade to firmware v1.9.1.1 or later.


Workaround:
-----------
None.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF R. Freingruber, T. Weber / @2017

