Ubiquiti Wi-Fi Gear Hackable Via 1997 PHP Version



We actually use Ubiquiti Wi-Fi Gear and have found it pretty good; I didn’t realise their security was so whack and they were using PHP 2.0.1 from 1997! In this case a malicious URL can inject commands into a Ubiquiti device which, surprise, surprise, runs the web service as root.


Apparently, they also got scammed for $46.7 MILLION dollars by some invoice scammer in 2015 – not the sharpest tools in the shed for sure. And the way the app is engineered is so far from best practice I don’t think it’s even read a security 101 on its way to production.

Security researchers have gone public with details of an exploitable flaw in Ubiquiti’s wireless networking gear – after the manufacturer allegedly failed to release firmware patches.

Austrian-based bods at SEC Consult Vulnerability Lab found the programming cockup in November and contacted Ubiquiti – based in San Jose, California – via its HackerOne-hosted bug bounty program. Ubiquiti first denied this was a new bug, then accepted it, then stalled issuing a patch, we’re told. After repeated warnings, SEC has now shed light on the security shortcomings.

Essentially, if you can trick someone using a Ubiquiti gateway or router to click on a malicious link, or embed the URL in a webpage they visit, you can inject commands into the vulnerable device. The networking kit uses a web interface to administer it, and has zero CSRF protection. This means attackers can perform actions as logged-in users.

A hacker can exploit this blunder to open a reverse shell to connect to a Ubiquiti router and gain root access – yes, the builtin web server runs as root. SEC claims that once inside, the attacker can then take over the entire network. And you can thank a very outdated version of PHP included with the software, we’re told.


To be fair, Ubiquiti Wi-Fi Gear is pretty cheap, has good specs and generally works really well. Other than in this case, when it gets mercilessly hacked and some bad actor takes over your entire organisation.

That clearly would not be good.

“A command injection vulnerability was found in ‘pingtest_action.cgi.’ This script is vulnerable since it is possible to inject a value of a variable. One of the reasons for this behavior is the used PHP version (PHP/FI 2.0.1 from 1997),” SEC’s advisory today states.

“The vulnerability can be exploited by luring an attacked user to click on a crafted link or just surf on a malicious website. The whole attack can be performed via a single GET-request and is very simple since there is no CSRF protection.”
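As an added example (not code from the advisory, The Register or Ubiquiti), this sketch shows how a ping-test endpoint can close both holes described above: it refuses GET and requires a per-session anti-CSRF token, and it validates the target and builds an argument vector instead of a shell string. The parameter names `dst` and `csrf_token`, the session dict and the function names are assumptions made for illustration.

```python
import hmac
import ipaddress
import re
import secrets

# Hypothetical names throughout: "dst", "csrf_token" and the session dict are
# assumptions for this sketch, not identifiers from airOS or the advisory.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"(?=.{1,253}\Z)(?:" + LABEL + r"\.)*" + LABEL + r"\Z")


def new_session():
    """Create a session holding a random per-session anti-CSRF token."""
    return {"csrf_token": secrets.token_urlsafe(32)}


def valid_target(dst):
    """Accept only an IP literal or a plain DNS hostname."""
    try:
        ipaddress.ip_address(dst)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(dst))


def build_ping_command(method, params, session):
    """Return (http_status, argv); argv is None unless every check passes."""
    # 1. The action must not be reachable by GET: a link or an image tag on
    #    a third-party page is enough to make a browser send a GET.
    if method != "POST":
        return 405, None
    # 2. The request must carry the session's token, which a cross-site page
    #    cannot read. Compare in constant time.
    sent = params.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), session["csrf_token"].encode()):
        return 403, None
    # 3. Validate the target against an allow-list grammar, not a deny-list.
    dst = params.get("dst", "")
    if not valid_target(dst):
        return 400, None
    # 4. Build an argument vector, never a shell string. "--" ends option
    #    parsing, so the target can never be read as a flag.
    return 200, ["ping", "-c", "4", "--", dst]
```

The returned list is meant to be executed without a shell (for example `subprocess.run(argv, shell=False)`), from a process that does not run as root.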

The SEC team tested the attack against four Ubiquiti devices, and believes another 38 models are similarly vulnerable. All the affected equipment, according to SEC, is listed in the above advisory. Proof-of-concept exploits were not published as there is still no patch available for the insecure firmware.

Ubiquiti had no comment at time of publication.

This isn’t the first time Ubiquiti customers have been left with an unfixed security cockup by their supplier. A previous flaw was finally patched by a third party back in 2015 after the company failed to fix it in time, despite proof of concept code being in wide circulation.

The flaw is not patched and sadly Ubiquiti hasn’t commented about it nor issued any kind of statement regarding the expectations of its users. It’s pretty likely all Ubiquiti devices are vulnerable to this, so if you use them – be aware.

There are enough details in this disclosure for a determined attacker to build their own zero-day.

The full advisory is here: Authenticated Command Injection

UPDATE: Only certain AirOS versions are vulnerable; this means UniFi, EdgeMAX and AmpliFi products are not affected. This issue is limited to AirOS and associated products (like toughswitch, airgateway etc.) and patches have already been released by Ubiquiti as of today.

Source: The Register





6 Responses to Ubiquiti Wi-Fi Gear Hackable Via 1997 PHP Version

  1. Uncle Joe March 18, 2017 at 6:07 am #

    You need to do some more careful reporting. The SEC document doesn’t apply to the UniFi Access Point products, which do not run PHP. This applies to other Ubiquiti hardware that have a built in Web UI, including the AirFiber & ToughSwitch products. Full list of potentially compromised devices:

    https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170316-0_Ubiquiti_Networks_authenticated_command_injection_v10.txt

     

    • Darknet March 18, 2017 at 12:06 pm #

      Thanks for that, added to the article.

  2. danofsatx March 18, 2017 at 9:28 am #

    Did you bother to even check with Ubiquiti?

     

    https://community.ubnt.com/t5/airMAX-General-Discussion/Unpatched-hole-in-AirOS/td-p/1868447/page/4

  3. KB March 18, 2017 at 11:14 am #

    I don’t think your conjecture is accurate.

    “It’s pretty likely all Ubiquiti devices are vulnerable to this, so if you use them – be aware.”

    According to Ubiquiti, only AirOS products are affected. Unifi and Edge products are unaffected, though updating to the latest firmware is recommended regardless.

    I would recommend reading their latest reports and updating the article, as some of it is needlessly alarming.

    • Darknet March 18, 2017 at 12:04 pm #

      Yah totally agree, only a certain sub-section of AirOS devices were vulnerable and a patch has now been released. I’ve updated the article to better reflect the current situation – thanks.