SEC Consult Vulnerability Lab Security Advisory < 20170724-0 > ======================================================================= title: Cross-Site Scripting (XSS) product: Ubiquiti Networks EP-R6, ER-X, ER-X-SFP vulnerable version: Firmware v1.9.1 fixed version: Firmware v1.9.1.1 CVE number: impact: Medium homepage: https://www.ubnt.com found: 2017-04-04 by: R. Freingruber, T. Weber (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Montreal - Moscow Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Ubiquiti Networks develops high-performance networking technology for service providers and enterprises. Our technology platforms focus on delivering highly advanced and easily deployable solutions that appeal to a global customer base in underserved and underpenetrated markets." Source: http://ir.ubnt.com/ Business recommendation: ------------------------ SEC Consult recommends not to use this device in production until a thorough security review has been performed by security professionals and all identified issues have been resolved. Vulnerability overview/description: ----------------------------------- 1) Reflected Cross Site Scripting (XSS) in Internet Explorer This vulnerability can be exploited by deactivating or bypassing the integrated XSS-filter of the Internet Explorer. A reflected cross site scripting vulnerability was identified because of an initialization error in "<IP>/files/index/". An attacker can exploit this vulnerability by tricking a victim to visit a malicious website. The attacker is able to hijack the session of the attacked user. If the user is currently not logged in, the injected JavaScript code can start a bruteforce attack (for example, with the default credentials ubnt:ubnt). After a session has been established, the code has full control over the system via the CLI feature which is basically a shell wrapper. By abusing this vulnerability an attacker can open ports on the router or start a reverse shell. Proof of concept: ----------------- 1) Reflected Cross Site Scripting (XSS) in Internet Explorer The following URL can be used as PoC: https://192.168.1.1/files/index/0/aaa<svg><script>alert(1)<br> The characters "=" and "/" are not allowed in this injection. This restriction can be bypassed in Internet Explorer via the use of a SVG and BR tag. Since "/" is not allowed the <script> tag can't be closed and therefore browsers will not execute the supplied code. Moreover, event handlers (e.g. <svg onload=alert(1)>) can't be used because of the "=" restriction. However, Internet Explorer can be tricked to parse the script via the use of the SVG and BR tags. It can be assumed that similar tricks exit for other browsers. Vulnerable / tested versions: ----------------------------- EdgeRouter X SFP - Firmware v1.9.1 Vendor contact timeline: ------------------------ 2017-04-04: Contacting vendor through HackerOne. Vendor sets status to "Triaged". 2017-04-24: Asking for a update. 2017-04-25: Vendor responds that the fix is available in firmware v1.9.1.1. 2017-05-05: Found the update on the website of the vendor. It was available since 2017-04-28. 2017-05-15: Contacted vendor via e-mail and set the publication date to 2017-07-24. 2017-07-24: Public release of security advisory Solution: --------- Upgrade to firmware v1.9.1.1 or later. Workaround: ----------- None. Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Linz - Montreal - Moscow Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/Career.htm Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/About/Contact.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF R. Freingruber, T. Weber / @2017
Attachment:
signature.asc
Description: OpenPGP digital signature