Ubiquiti Wi-Fi Gear Hackable Via 1997 PHP Version

Outsmart Malicious Hackers


We actually use Ubiquiti Wi-Fi Gear and have found it pretty good, I didn’t realise their security was so whack and they were using PHP 2.0.1 from 1997! In this case a malicious URL can inject commands into a Ubiquiti device which surprise, surprise, runs the web service as root.

Ubiquiti Wi-Fi Gear Hackable Via 1997 PHP Version

Apparently, they also got scammed for $46.7 MILLION dollars by some invoice scammer in 2015 – not the sharpest tools in the shed for sure. And the way the app is engineered is so far from best practise I don’t think it’s even read a security 101 on it’s way to production.

Security researchers have gone public with details of an exploitable flaw in Ubiquiti’s wireless networking gear – after the manufacturer allegedly failed to release firmware patches.

Austrian-based bods at SEC Consult Vulnerability Lab found the programming cockup in November and contacted Ubiquiti – based in San Jose, California – via its HackerOne-hosted bug bounty program. Ubiquiti first denied this was a new bug, then accepted it, then stalled issuing a patch, we’re told. After repeated warnings, SEC has now shed light on the security shortcomings.

Essentially, if you can trick someone using a Ubiquiti gateway or router to click on a malicious link, or embed the URL in a webpage they visit, you can inject commands into the vulnerable device. The networking kit uses a web interface to administer it, and has zero CSRF protection. This means attackers can perform actions as logged-in users.

A hacker can exploit this blunder to open a reverse shell to connect to a Ubiquiti router and gain root access – yes, the builtin web server runs as root. SEC claims that once inside, the attacker can then take over the entire network. And you can thank a very outdated version of PHP included with the software, we’re told.


To be fair, Ubiquiti Wi-Fi Gear is pretty cheap, has good specs and generally works really well. Other than in this case, when it gets mercilessly hacked and some bad actor takes over your entire organisation.

That clearly would not be good.

“A command injection vulnerability was found in ‘pingtest_action.cgi.’ This script is vulnerable since it is possible to inject a value of a variable. One of the reasons for this behavior is the used PHP version (PHP/FI 2.0.1 from 1997),” SEC’s advisory today states.

“The vulnerability can be exploited by luring an attacked user to click on a crafted link or just surf on a malicious website. The whole attack can be performed via a single GET-request and is very simple since there is no CSRF protection.”

The SEC team tested the attack against four Ubiquiti devices, and believes another 38 models are similarly vulnerable. All the affected equipment, according to SEC, is listed in the above advisory. Proof-of-concept exploits were not published as there is still no patch available for the insecure firmware.

Ubiquiti had no comment at time of publication.

This isn’t the first time Ubiquiti customers have been left with an unfixed security cockup by their supplier. A previous flaw was finally patched by a third party back in 2015 after the company failed to fix it in time, despite proof of concept code being in wide circulation.

The flaw is not patched and sadly Ubiquiti hasn’t commented about it nor issued any kind of statement regarding the expectations of its users. It’s pretty likely all Ubiquiti devices are vulnerable to this, so if you use them – be aware.

There’s enough details in this disclosure for a determined attacker to build their own zero-day.

The full advisory is here: Authenticated Command Injection

UPDATE: Only certain AirOS versions are vulnerable this means UniFi, EdgeMAX and AmpliFi products are not affected.This issue is limited to AirOS and associated products like toughswitch, airgateway etc) and patches have already been released by Ubiquiti as of today.

Source: The Register

Posted in: Exploits/Vulnerabilities, Hardware Hacking, Wireless Hacking


Latest Posts:


DAST vs SAST - Dynamic Application Security Testing vs Static DAST vs SAST – Dynamic Application Security Testing vs Static
In security testing, much like most things technical there are two very contrary methods, Dynamic Application Security Testing or DAST and Static or SAST.
Cr3dOv3r - Credential Reuse Attack Tool Cr3dOv3r – Credential Reuse Attack Tool
Cr3dOv3r is a fairly simple Python-based set of functions that carry out the prelimary work as a credential reuse attack tool.
Mr.SIP - SIP Attack And Audit Tool Mr.SIP – SIP Attack And Audit Tool
Mr.SIP was developed in Python as a SIP Attack and audit tool which can emulate SIP-based attacks. Originally it was developed to be used in academic work.
Uber Paid Hacker To Hide 57 Million User Data Breach Uber Paid Hackers To Hide 57 Million User Data Breach
Uber is not known for it's high level of ethics, but it turns out Uber paid hackers to not go public with the fact they'd breached 57 Million accounts.
RDPY - RDP Security Tool For Hacking Remote Desktop Protocol RDPY – RDP Security Tool For Hacking Remote Desktop Protocol
RDPY is an RDP Security Tool in Twisted Python with RDP Man in the Middle proxy support which can record sessions and Honeypot functionality.
Terabytes Of US Military Social Media Spying S3 Data Exposed Terabytes Of US Military Social Media Spying S3 Data Exposed
Once again the old, default Amazon AWS S3 settings are catching people out, the US Military has left terabytes of social media spying S3 data exposed.


6 Responses to Ubiquiti Wi-Fi Gear Hackable Via 1997 PHP Version

  1. Uncle Joe March 18, 2017 at 6:07 am #

    You need to do some more careful reporting. The SEC document doesn’t apply to the UniFi Access Point products, which do not run PHP. This applies to other Ubiquiti hardware that have a built in Web UI, including the AirFiber & ToughSwitch products. Full list of potentially compromised devices:

    https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170316-0_Ubiquiti_Networks_authenticated_command_injection_v10.txt

     

    • Darknet March 18, 2017 at 12:06 pm #

      Thanks for that, added to the article.

  2. danofsatx March 18, 2017 at 9:28 am #

    Did you bother to even check with Ubiquity?

     

    https://community.ubnt.com/t5/airMAX-General-Discussion/Unpatched-hole-in-AirOS/td-p/1868447/page/4

  3. KB March 18, 2017 at 11:14 am #

    I don’t think your conjecture is accurate.

    “It’s pretty likely all Ubiquiti devices are vulnerable to this, so if you use them – be aware.”

    According to Ubiquiti, only AirOS products are affected. Unifi and Edge products are unaffected, though updating to the latest firmware is recommended regardless.

    I would recommend reading their latest reports and updated the article, as some of it is needlessly alarming.

    • Darknet March 18, 2017 at 12:04 pm #

      Yah totally agree, only a certain sub-section of AirOS devices were vulnerable and a patch has now been released. I’ve updated the article to better reflect the current situation – thanks.