SEC Consult Vulnerability Lab Security Advisory < 20170724-0 >
=======================================================================
              title: Cross-Site Scripting (XSS)
            product: Ubiquiti Networks EP-R6, ER-X, ER-X-SFP
 vulnerable version: Firmware v1.9.1
      fixed version: Firmware v1.9.1.1
         CVE number:
             impact: Medium
           homepage: https://www.ubnt.com
              found: 2017-04-04
                 by: R. Freingruber, T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."

Source: http://ir.ubnt.com/


Business recommendation:
------------------------
SEC Consult recommends not to use this device in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
This vulnerability can be exploited by deactivating or bypassing the
integrated XSS-filter of the Internet Explorer.

A reflected cross site scripting vulnerability was identified because of an
initialization error in "<IP>/files/index/". An attacker can exploit this
vulnerability by tricking a victim to visit a malicious website. The attacker
is able to hijack the session of the attacked user. If the user is currently
not logged in, the injected JavaScript code can start a bruteforce attack
(for example, with the default credentials ubnt:ubnt). After a session has
been established, the code has full control over the system via the CLI feature
which is basically a shell wrapper. By abusing this vulnerability an attacker
can open ports on the router or start a reverse shell.

Proof of concept:
-----------------
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
The following URL can be used as PoC:

https://192.168.1.1/files/index/0/aaa<svg><script>alert(1)<br>

The characters "=" and "/" are not allowed in this injection.
This restriction can be bypassed in Internet Explorer via the use
of a SVG and BR tag.
Since "/" is not allowed the <script> tag can't be closed and therefore
browsers will not execute the supplied code. Moreover, event handlers
(e.g. <svg onload=alert(1)>) can't be used because of the "=" restriction.
However, Internet Explorer can be tricked to parse the script via the use of
the SVG and BR tags.
It can be assumed that similar tricks exit for other browsers.


Vulnerable / tested versions:
-----------------------------
EdgeRouter X SFP - Firmware v1.9.1


Vendor contact timeline:
------------------------
2017-04-04: Contacting vendor through HackerOne. Vendor sets status to
            "Triaged".
2017-04-24: Asking for a update.
2017-04-25: Vendor responds that the fix is available in firmware
            v1.9.1.1.
2017-05-05: Found the update on the website of the vendor. It was
            available since 2017-04-28.
2017-05-15: Contacted vendor via e-mail and set the publication date
            to 2017-07-24.
2017-07-24: Public release of security advisory

Solution:
---------
Upgrade to firmware v1.9.1.1 or later.


Workaround:
-----------
None.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF R. Freingruber, T. Weber / @2017