Author

Tim Weber

Risk

[

Security Risk Medium

]

0day-ID

0day-ID-28188

Category

web applications

Date add

25-07-2017

Platform

hardware

=======================================================================
              title: Cross-Site Scripting (XSS)
            product: Ubiquiti Networks EP-R6, ER-X, ER-X-SFP
 vulnerable version: Firmware v1.9.1
      fixed version: Firmware v1.9.1.1
         CVE number:
             impact: Medium
           homepage: https://www.ubnt.com
              found: 2017-04-04
                 by: R. Freingruber, T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."

Source: http://ir.ubnt.com/


Business recommendation:
------------------------
SEC Consult recommends not to use this device in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
This vulnerability can be exploited by deactivating or bypassing the
integrated XSS-filter of the Internet Explorer.

A reflected cross site scripting vulnerability was identified because of an
initialization error in "<IP>/files/index/". An attacker can exploit this
vulnerability by tricking a victim to visit a malicious website. The attacker
is able to hijack the session of the attacked user. If the user is currently
not logged in, the injected JavaScript code can start a bruteforce attack
(for example, with the default credentials ubnt:ubnt). After a session has
been established, the code has full control over the system via the CLI feature
which is basically a shell wrapper. By abusing this vulnerability an attacker
can open ports on the router or start a reverse shell.

Proof of concept:
-----------------
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
The following URL can be used as PoC:

https://192.168.1.1/files/index/0/aaa<svg><script>alert(1)<br>

The characters "=" and "/" are not allowed in this injection.
This restriction can be bypassed in Internet Explorer via the use
of a SVG and BR tag.
Since "/" is not allowed the <script> tag can't be closed and therefore
browsers will not execute the supplied code. Moreover, event handlers
(e.g. <svg onload=alert(1)>) can't be used because of the "=" restriction.
However, Internet Explorer can be tricked to parse the script via the use of
the SVG and BR tags.
It can be assumed that similar tricks exit for other browsers.


Vulnerable / tested versions:
-----------------------------
EdgeRouter X SFP - Firmware v1.9.1


Vendor contact timeline:
------------------------
2017-04-04: Contacting vendor through HackerOne. Vendor sets status to
            "Triaged".
2017-04-24: Asking for a update.
2017-04-25: Vendor responds that the fix is available in firmware
            v1.9.1.1.
2017-05-05: Found the update on the website of the vendor. It was
            available since 2017-04-28.
2017-05-15: Contacted vendor via e-mail and set the publication date
            to 2017-07-24.
2017-07-24: Public release of security advisory

Solution:
---------
Upgrade to firmware v1.9.1.1 or later.

#  0day.today [2024-09-29]  #