Exploit the possiblities

Ubiquiti Networks EP-R6 / ER-X / ER-X-SFP Cross Site Scripting

Ubiquiti Networks EP-R6 / ER-X / ER-X-SFP Cross Site Scripting
Posted Jul 25, 2017
Authored by Rene Freingruber, T. Weber | Site sec-consult.com

Ubiquiti Networks EP-R6, ER-X, and ER-X-SFP with firmware version 1.9.1 suffer from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | 9ea2bb02f107be6df0906b4c0a16edf9

Ubiquiti Networks EP-R6 / ER-X / ER-X-SFP Cross Site Scripting

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20170724-0 >
title: Cross-Site Scripting (XSS)
product: Ubiquiti Networks EP-R6, ER-X, ER-X-SFP
vulnerable version: Firmware v1.9.1
fixed version: Firmware v1.9.1.1
CVE number:
impact: Medium
homepage: https://www.ubnt.com
found: 2017-04-04
by: R. Freingruber, T. Weber (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich



Vendor description:
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."

Source: http://ir.ubnt.com/

Business recommendation:
SEC Consult recommends not to use this device in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.

Vulnerability overview/description:
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
This vulnerability can be exploited by deactivating or bypassing the
integrated XSS-filter of the Internet Explorer.

A reflected cross site scripting vulnerability was identified because of an
initialization error in "<IP>/files/index/". An attacker can exploit this
vulnerability by tricking a victim to visit a malicious website. The attacker
is able to hijack the session of the attacked user. If the user is currently
not logged in, the injected JavaScript code can start a bruteforce attack
(for example, with the default credentials ubnt:ubnt). After a session has
been established, the code has full control over the system via the CLI feature
which is basically a shell wrapper. By abusing this vulnerability an attacker
can open ports on the router or start a reverse shell.

Proof of concept:
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
The following URL can be used as PoC:<svg><script>alert(1)<br>

The characters "=" and "/" are not allowed in this injection.
This restriction can be bypassed in Internet Explorer via the use
of a SVG and BR tag.
Since "/" is not allowed the <script> tag can't be closed and therefore
browsers will not execute the supplied code. Moreover, event handlers
(e.g. <svg onload=alert(1)>) can't be used because of the "=" restriction.
However, Internet Explorer can be tricked to parse the script via the use of
the SVG and BR tags.
It can be assumed that similar tricks exit for other browsers.

Vulnerable / tested versions:
EdgeRouter X SFP - Firmware v1.9.1

Vendor contact timeline:
2017-04-04: Contacting vendor through HackerOne. Vendor sets status to
2017-04-24: Asking for a update.
2017-04-25: Vendor responds that the fix is available in firmware
2017-05-05: Found the update on the website of the vendor. It was
available since 2017-04-28.
2017-05-15: Contacted vendor via e-mail and set the publication date
to 2017-07-24.
2017-07-24: Public release of security advisory

Upgrade to firmware v1.9.1.1 or later.


Advisory URL:


SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF R. Freingruber, T. Weber / @2017


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?

Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

February 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    15 Files
  • 2
    Feb 2nd
    15 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    13 Files
  • 5
    Feb 5th
    16 Files
  • 6
    Feb 6th
    15 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    15 Files
  • 9
    Feb 9th
    18 Files
  • 10
    Feb 10th
    8 Files
  • 11
    Feb 11th
    8 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    15 Files
  • 14
    Feb 14th
    15 Files
  • 15
    Feb 15th
    17 Files
  • 16
    Feb 16th
    18 Files
  • 17
    Feb 17th
    37 Files
  • 18
    Feb 18th
    2 Files
  • 19
    Feb 19th
    16 Files
  • 20
    Feb 20th
    6 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2018 Packet Storm. All rights reserved.

Security Services
Hosting By