Re: [FD] Critical Vulnerability in Ubiquiti UniFi
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: Re: [FD] Critical Vulnerability in Ubiquiti UniFi
- From: Gregory Sloop <gregs@xxxxxxxxx>
- Date: Mon, 3 Oct 2016 09:03:16 -0700
So, while I've not attempted to reproduce the "exploit"* POC below, I have some
observations/questions.
The exploit, if I'm reading things correctly, depends on MongoDB being
configured to accept remote database connections. Yet, at least on Ubuntu [the
vendor recommended Linux distro], it's only configured to accept connections
from 127.0.0.1. [bind_ip = 127.0.0.1]
So, it's not a remote exploit - in at least this case. [I suspect that's the
usual config elsewhere too, so I suspect it's fair to say, it's not remote in
virtually all cases.]
I suppose it means that if you have a valid account on the same box as
Unifi+MongoDB is installed on, you could get admin in Unifi. [Which admittedly
sucks.]
But given the fairly limited nature of the "bug"*, a CVSS score of 8.8 seems
excessive.
[*I think allowing remote DB access would break the security model the app is
designed to run in, and so the results when you allow remote DB access are
going to be ugly - that seems a given, and which might also explain Ubiquiti's
response.]
But perhaps I misunderstand something/everything. If so, I'm glad to hear the
explanation.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
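The reply above turns on one configuration detail: whether the MongoDB instance behind the UniFi controller is bound to loopback only. The script below is an added example (not code from the original post, from Ubiquiti, or from the MongoDB project) that reads a mongod config file and reports whether every bind address is loopback. It handles both the legacy INI-style key the post quotes (bind_ip = 127.0.0.1) and the YAML-style keys net.bindIp / net.bindIpAll that newer mongod packages use. The sample config files it writes are constructed for the stand-alone run and are not real host files; the paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: report whether a mongod
# configuration restricts listeners to loopback, which is the condition
# under which the reply argues the UniFi issue is local-only.

# Print the bind setting from a mongod config file.
# Legacy INI style:  bind_ip = 127.0.0.1
# YAML style:        bindIp: 127.0.0.1,::1   or   bindIpAll: true
# Prints "UNSET" when no bind key is present; older mongod releases listened
# on all interfaces in that case, so treat UNSET as needing review.
mongo_bind_setting() {
    # $1 = path to mongod.conf
    awk '
        /^[[:space:]]*bind_ip[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; found=1; exit
        }
        /^[[:space:]]*bindIpAll:[[:space:]]*true/ { print "0.0.0.0"; found=1; exit }
        /^[[:space:]]*bindIp:/ {
            sub(/^[^:]*:[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; found=1; exit
        }
        END { if (!found) print "UNSET" }
    ' "$1"
}

# Return 0 (true) only when every configured bind address is a loopback
# address; any other address, or no setting at all, returns 1.
mongo_is_loopback_only() {
    setting=$(mongo_bind_setting "$1")
    [ "$setting" = "UNSET" ] && return 1
    for addr in $(printf '%s' "$setting" | tr ',' ' '); do
        case "$addr" in
            127.0.0.1|::1|localhost) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample configs so the script runs stand-alone (hypothetical
# paths; the first mirrors the Ubuntu default described in the post).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/ubuntu-default.conf" <<'EOF'
# legacy-style mongodb.conf, loopback only
dbpath=/var/lib/mongodb
bind_ip = 127.0.0.1
EOF
cat > "$SAMPLES/exposed.conf" <<'EOF'
# YAML-style mongod.conf that also listens on a LAN address
net:
  port: 27017
  bindIp: 127.0.0.1,192.168.1.10
EOF

for cfg in "$SAMPLES"/*.conf; do
    if mongo_is_loopback_only "$cfg"; then
        echo "$cfg: bind=$(mongo_bind_setting "$cfg") -> local access only"
    else
        echo "$cfg: bind=$(mongo_bind_setting "$cfg") -> reachable remotely, review"
    fi
done
rm -rf "$SAMPLES"
```

On a live controller host, point mongo_is_loopback_only at the real config file and cross-check against what is actually listening (for example the 27017 entries in `ss -ltn` output), since a config file and a running process started with different flags can disagree.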