{"id":4461,"date":"2017-03-17T23:35:29","date_gmt":"2017-03-17T15:35:29","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4461"},"modified":"2017-03-18T12:09:44","modified_gmt":"2017-03-18T04:09:44","slug":"ubiquiti-wi-fi-gear-hackable-via-1997-php-version","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2017\/03\/ubiquiti-wi-fi-gear-hackable-via-1997-php-version\/","title":{"rendered":"Ubiquiti Wi-Fi Gear Hackable Via 1997 PHP Version"},"content":{"rendered":"

We actually use Ubiquiti Wi-Fi Gear and have found it pretty good; I didn’t realise their security was so whack and they were using PHP 2.0.1 from 1997! In this case a malicious URL can inject commands into a Ubiquiti device which, surprise, surprise, runs the web service as root.<\/p>\n

Apparently, they also got scammed for $46.7 MILLION dollars by some invoice scammer in 2015 – not the sharpest tools in the shed for sure. And the way the app is engineered is so far from best practice I don’t think it’s even read a security 101 on its way to production.<\/p>\n

Security researchers have gone public with details of an exploitable flaw in Ubiquiti’s wireless networking gear \u2013 after the manufacturer allegedly failed to release firmware patches.<\/p>\n

Austrian-based bods at SEC Consult Vulnerability Lab found the programming cockup in November and contacted Ubiquiti \u2013 based in San Jose, California \u2013 via its HackerOne-hosted bug bounty program. Ubiquiti first denied this was a new bug, then accepted it, then stalled issuing a patch, we’re told. After repeated warnings, SEC has now shed light on the security shortcomings.<\/p>\n

Essentially, if you can trick someone using a Ubiquiti gateway or router to click on a malicious link, or embed the URL in a webpage they visit, you can inject commands into the vulnerable device. The networking kit uses a web interface to administer it, and has zero CSRF protection. This means attackers can perform actions as logged-in users.<\/p>\n

A hacker can exploit this blunder to open a reverse shell to connect to a Ubiquiti router and gain root access \u2013 yes, the builtin web server runs as root. SEC claims that once inside, the attacker can then take over the entire network. And you can thank a very outdated version of PHP included with the software, we’re told.<\/p><\/blockquote>\n