CVE-2014-2226

-
Ubiquiti - UniFi Controller - Admin/root password hash sent via syslog


Misuse case:

An attacker who has access to network traffic between the UniFi controller and the configured syslog server, can retrieve the password hash and use it to access all managed access points, and potentially the UniFi controller as well.  

 Details:  

 If remote logging is enabled on the UniFi controller, the controller sends syslog messages to the configured syslog server. Contained within the syslog messages is the admin password hash that is used by both the UniFi controller, and all managed Access Points.

In the screenshot below, the auth key and the encrypted password are highlighted in yellow.


The password is encrypted using the legacy crypt(1) utility, which uses Traditional DES [128/128 BS SSE2], and can be recovered using John the Ripper:

Note: The salt (and hash) changes each time the message is sent, but the password can always be recovered.

Once you crack the password, you can log into any of the managed access points via SSH. This is actually the format of the password that is used by BusyBox: 


The CVE was assigned as there is no utility (reason) for sending the admin password via syslog messages.

Additional details:


(CVE-2014-2226) - Ubiquiti Networks - UniFi Controller - Admin/root password hash sent via syslog

-----------
Vendor:
-----------
Ubiquiti Networks (http://www.ubnt.com/)

----------------------------------------------
Affected Products/Versions:
----------------------------------------------
UniFi Controller v2.4.6
Note: Previous versions may be affected

-----------------
Description:
-----------------
Title: Admin/Root password hash sent in syslog messages
CVE: CVE-2014-2226
CWE: CWE-319: http://cwe.mitre.org/data/definitions/319.html
Researcher: Seth Art - @sethsec
Detailed writeup (includes screenshots): http://sethsec.blogspot.com/2014/07/cve-2014-2226.html

If remote logging is enabled on the UniFi controller, syslog messages are sent to a syslog server.  Contained within the syslog messages is the admin password that is used by both the UniFi controller, and all managed Access Points.  This CVE was assigned as there is no utility for sending the admin password hash via syslog messages.   

------
POC:
------
Not Applicable.  

-------------
Solution:
-------------
UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater

-----------------------------
Disclosure Timeline:
-----------------------------
2014-02-16: Notified Ubiquiti of vulnerabilities in UniFi and mFi products
2014-02-17: Ubiquiti acknowledges and requests details
2014-02-17: Report with POC sent to Ubiquiti
2014-02-19: Asks Ubiquiti to confirm receipt of report
2014-02-19: Ubiquti confirms receipt of report and existence of the vulnerabilities
2014-02-28: CVE-2014-2226 assigned
2014-03-12: Requested status update
2014-03-27: Requested status update
2014-04-07: Requested status update
2014-04-09: Ubiquiti provides timeline for solution
2014-05-30: Requested status update
2014-06-12: Requested status update
2014-06-12: UniFi 3.2.1 is released
2014-06-13: Set public disclosure date of 2014-07-24
2014-07-24: Public disclosure

Comments

Post a Comment

Popular posts from this blog

Exploiting Python Code Injection in Web Applications

-
Image
A web application vulnerable to Python code injection allows you to send Python code though the application to the Python interpreter on the target server. If you can execute python, you can likely call operating system commands. If you can run operating system commands, you can read/write files that you have access to, and potentially even launch a remote interactive shell (e.g., nc, Metasploit, Empire). The thing is, when I needed to exploit this on an external penetration test recently, I had a hard time finding information online about how to move from proof of concept (POC) to useful web application exploitation. Together with my colleague Charlie Worrell ( @decidedlygray ),  we were able to turn the Burp POC (sleep for 20 seconds) into a non interactive shell, which is what this post covers. Python code injection is a subset of server-side code injection, as this vulnerability can occur in many other languages (e.g., Perl and Ruby). In fact, for those of you who are CWE fans
Read more

Exploiting Server Side Request Forgery on a Node/Express Application (hosted on Amazon EC2)

-
Image
I recently came across a Server Side Request Forgery (SSRF) vulnerability within an application that I assessed.  The application was hosted on Amazon EC2 and was using Node.js, Express.js, and as I found out later, Needle.js. Discovery   Manual Discovery In the discovery phase, I noticed a function of the application that was taking a user specified URL and displaying the first paragraph from that URL into the page.  This application allowed a user to share a URL with their friends, and grabbing the first paragraph was a feature that would provide the friends with more context. The thing is, when looking at my Burp history, I could not find the request to the URL that I specified in my logs.  This should raise an eyebrow!   This means that the server is taking the URL I specified, making a request on my behalf, and then returning the result to me. That right there is SSRF .  Then, the only question was: What is the risk? Automated Discovery Since April 2015, if you a
Read more

Pentest Home Lab - 0x3 - Kerberoasting: Creating SPNs so you can roast them

-
Image
TL;DR There are a lot of great blogs out there that show you how to Kerberoast.  In this post, I'm going to walk through the process of setting up your lab so that you can practice this attack.  This involves creating a domain user and then mapping a SPN to that account. After that, I'll walk through using Empire to launch Invoke-Kerberoast, and I'll crack the hashes offline with Hashcat. Pentest Home Lab Recap If you don't already have an Active Directory lab and want to build one so that you can play along, check out my previous posts: Pentest Home Lab - 0x0 - Building A Virtual Corporate Domain   Pentest Home Lab - 0x1 - Building Your AD Lab on AWS Pentest Home Lab - 0x2 - Building Your AD Lab on Premises using Proxmox VE The Attack: Kerberoasting Attack Goals Domain privesc & lateral movement.  If you have domain credentials and access to the domain, this is a relatively easy way to gain additional access within the domain. If all goes well, you
Read more