what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Ubiquiti Networks EP-R6 / ER-X / ER-X-SFP Cross Site Scripting

Ubiquiti Networks EP-R6 / ER-X / ER-X-SFP Cross Site Scripting
Posted Jul 25, 2017
Authored by Rene Freingruber, T. Weber | Site sec-consult.com

Ubiquiti Networks EP-R6, ER-X, and ER-X-SFP with firmware version 1.9.1 suffer from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | ee8734a3380cb25e9501ce4ed4a9ee0bd8e9edf795998ee4d8a0ad875a88622b

Ubiquiti Networks EP-R6 / ER-X / ER-X-SFP Cross Site Scripting

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20170724-0 >
=======================================================================
title: Cross-Site Scripting (XSS)
product: Ubiquiti Networks EP-R6, ER-X, ER-X-SFP
vulnerable version: Firmware v1.9.1
fixed version: Firmware v1.9.1.1
CVE number:
impact: Medium
homepage: https://www.ubnt.com
found: 2017-04-04
by: R. Freingruber, T. Weber (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."

Source: http://ir.ubnt.com/


Business recommendation:
------------------------
SEC Consult recommends not to use this device in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
This vulnerability can be exploited by deactivating or bypassing the
integrated XSS-filter of the Internet Explorer.

A reflected cross site scripting vulnerability was identified because of an
initialization error in "<IP>/files/index/". An attacker can exploit this
vulnerability by tricking a victim to visit a malicious website. The attacker
is able to hijack the session of the attacked user. If the user is currently
not logged in, the injected JavaScript code can start a bruteforce attack
(for example, with the default credentials ubnt:ubnt). After a session has
been established, the code has full control over the system via the CLI feature
which is basically a shell wrapper. By abusing this vulnerability an attacker
can open ports on the router or start a reverse shell.

Proof of concept:
-----------------
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
The following URL can be used as PoC:

https://192.168.1.1/files/index/0/aaa<svg><script>alert(1)<br>

The characters "=" and "/" are not allowed in this injection.
This restriction can be bypassed in Internet Explorer via the use
of a SVG and BR tag.
Since "/" is not allowed the <script> tag can't be closed and therefore
browsers will not execute the supplied code. Moreover, event handlers
(e.g. <svg onload=alert(1)>) can't be used because of the "=" restriction.
However, Internet Explorer can be tricked to parse the script via the use of
the SVG and BR tags.
It can be assumed that similar tricks exit for other browsers.


Vulnerable / tested versions:
-----------------------------
EdgeRouter X SFP - Firmware v1.9.1


Vendor contact timeline:
------------------------
2017-04-04: Contacting vendor through HackerOne. Vendor sets status to
"Triaged".
2017-04-24: Asking for a update.
2017-04-25: Vendor responds that the fix is available in firmware
v1.9.1.1.
2017-05-05: Found the update on the website of the vendor. It was
available since 2017-04-28.
2017-05-15: Contacted vendor via e-mail and set the publication date
to 2017-07-24.
2017-07-24: Public release of security advisory

Solution:
---------
Upgrade to firmware v1.9.1.1 or later.


Workaround:
-----------
None.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF R. Freingruber, T. Weber / @2017

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close