SEC Consult Vulnerability Lab Security Advisory < 20170724-0 >
=======================================================================
              title: Cross-Site Scripting (XSS)
            product: Ubiquiti Networks EP-R6, ER-X, ER-X-SFP
 vulnerable version: Firmware v1.9.1
      fixed version: Firmware v1.9.1.1
         CVE number:
             impact: Medium
           homepage: https://www.ubnt.com
              found: 2017-04-04
                 by: R. Freingruber, T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Ubiquiti Networks develops high-performance networking technology for
service providers and enterprises. Our technology platforms focus on
delivering highly advanced and easily deployable solutions that appeal to
a global customer base in underserved and underpenetrated markets."

Source: http://ir.ubnt.com/

Business recommendation:
------------------------
SEC Consult recommends not to use this device in production until a
thorough security review has been performed by security professionals and
all identified issues have been resolved.

Vulnerability overview/description:
-----------------------------------
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
This vulnerability can be exploited by deactivating or bypassing the
integrated XSS filter of Internet Explorer.

A reflected cross site scripting vulnerability was identified because of an
initialization error in "/files/index/". An attacker can exploit this
vulnerability by tricking a victim into visiting a malicious website. The
attacker is then able to hijack the session of the attacked user. If the
user is currently not logged in, the injected JavaScript code can start a
brute-force attack against the login (for example, with the default
credentials ubnt:ubnt).

After a session has been established, the code has full control over the
system via the CLI feature, which is basically a shell wrapper. By abusing
this vulnerability an attacker can open ports on the router or start a
reverse shell.

Proof of concept:
-----------------
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
The following URL can be used as PoC:
https://192.168.1.1/files/index/0/aaa
The characters "=" and "/" are not allowed in this injection. This
restriction can be bypassed in Internet Explorer via the use of an SVG and
a BR tag. Since "/" is not allowed the
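The restriction above is a character denylist, and the advisory shows that a denylist of "=" and "/" does not stop markup from being reflected. The following is an added illustration, not code from SEC Consult or from the Ubiquiti firmware: it models the denylist next to contextual HTML output encoding (the fix that actually neutralises the reflected path segment) and adds a small access-log check for requests to "/files/index/" that carry a literal or URL-encoded angle bracket. The log lines, client addresses and the "<b>" marker are constructed for the example.

```python
import html
import re
from typing import List, Optional
from urllib.parse import unquote

# The two characters the advisory reports as blocked by the device.
DENYLIST = set("=/")


def denylist_filter(segment: str) -> Optional[str]:
    """Model of a character denylist: reject only if '=' or '/' is present.
    Anything else, including '<' and '>', is reflected unchanged."""
    return None if any(c in DENYLIST for c in segment) else segment


def render_safe(segment: str) -> str:
    """Contextual output encoding for an HTML text node: '<', '>', '&' and
    quote characters become entities, so no tag can be opened."""
    return html.escape(segment, quote=True)


def contains_markup(value: str) -> bool:
    """True if an unencoded '<' or '>' survives in the value."""
    return "<" in value or ">" in value


# Request line of a common-log-format entry hitting the affected path.
LOG_RE = re.compile(r'"(?:GET|POST) (/files/index/[^ "]*)')


def suspicious_requests(log_lines: List[str]) -> List[str]:
    """Return the request paths under /files/index/ whose URL-decoded form
    still contains an angle bracket (a cheap detection signal)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and contains_markup(unquote(m.group(1))):
            hits.append(m.group(1))
    return hits


# Constructed sample log: one benign request, one with an encoded '<b>'.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Apr/2017:10:00:00 +0200] "GET /files/index/0/aaa HTTP/1.1" 200 512',
    '192.0.2.11 - - [04/Apr/2017:10:00:05 +0200] "GET /files/index/0/%3Cb%3Eaaa HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print("denylist passes markup:", contains_markup(denylist_filter("<b>aaa") or ""))
    print("encoded form:", render_safe("<b>aaa"))
    print("flagged requests:", suspicious_requests(SAMPLE_LOG))
```

The denylist passes "<b>aaa" untouched while the encoded form is "&lt;b&gt;aaa"; the log check flags only the second sample line.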