Re: [FD] Critical Vulnerability in Ubiquiti UniFi
- To: Greg Sloop <gregs@xxxxxxxxx>, Tim Schughart <t.schughart@xxxxxxxxxxxxxxxxxxx>, "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "webappsec@xxxxxxxxxxxxxxxxx" <webappsec@xxxxxxxxxxxxxxxxx>
- Subject: Re: [FD] Critical Vulnerability in Ubiquiti UniFi
- From: Rob Thomas <rthomas@xxxxxxxxxxx>
- Date: Tue, 4 Oct 2016 22:10:02 +0000
The impression I get from Tim Pham's emails is that the 'Unify Manager' is
doing some behind-the-scenes tunnelling, bringing the Mongo interface from
the server to the client (e.g., a Mac or Windows device), and you are then able to
connect to localhost (on the client), which tunnels through to the server.
However, after much searching, I am unable to locate this application. Googling
insinuates that it is this (unreleased) software -
https://www.ubnt.com/enterprise/software/
--Rob Thomas
Information Security, Sangoma Corporation
-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-bounces@xxxxxxxxxxxx] On Behalf Of
Gregory Sloop
Sent: Wednesday, 5 October 2016 1:54 AM
To: Tim Schughart <t.schughart@xxxxxxxxxxxxxxxxxxx>;
fulldisclosure@xxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx;
webappsec@xxxxxxxxxxxxxxxxx
Cc: Khanh Quoc. Pham <k.pham@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [FD] Critical Vulnerability in Ubiquiti UniFi
I attempted private contact with Tim Pham via email 12+ hours ago, but have
received no response since then.
I've spent some time trying to reproduce the reported vulnerability and have
had no success. It certainly doesn't help that the steps to reproduce it are so
poorly described or documented.
Without better documentation of the exploit, it seems impossible to determine
if the report is just misinformed, blatantly false, or if perhaps there's some
step/process I don't understand or am missing.
In every attempt I've made, the binding of MongoDB to 127.0.0.1 is effective and
non-local connection attempts are refused, as one would expect.
A swift response from Prosec Networks [prosec-networks.com] would be most
helpful.
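A check for the binding Gregory describes above, added here as an example and not part of the thread: it parses `ss -ltn`-style listener lines (the two samples are constructed, and the mongod port 27017 is an assumption) and reports any non-loopback address on which that port is listening.

```python
import ipaddress

MONGO_PORT = 27017  # assumption: MongoDB's default port; use the port of the instance under review

# Constructed samples in the style of `ss -ltn` output, not captured from a real UniFi host.
BOUND_TO_LOCALHOST = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:27017      0.0.0.0:*
LISTEN  0       128     [::1]:27017          [::]:*
LISTEN  0       128     *:8443               *:*
"""
BOUND_TO_ALL = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:27017        0.0.0.0:*
LISTEN  0       128     [::]:27017           [::]:*
"""

def parse_listeners(text):
    """Yield (address, port) for every LISTEN line; accepts 127.0.0.1:p, [::1]:p and *:p forms."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")  # drop the brackets around an IPv6 address
        yield addr, (int(port) if port.isdigit() else None)

def is_loopback(addr):
    """True only for addresses unreachable from another host; wildcards and unparseable values count as exposed."""
    if addr in ("*", ""):
        return False  # wildcard: every interface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def exposed_listeners(text, port=MONGO_PORT):
    """Non-loopback addresses on which `port` listens; an empty list means localhost-only, as expected."""
    return sorted(a for a, p in parse_listeners(text) if p == port and not is_loopback(a))

if __name__ == "__main__":
    for name, sample in (("localhost-only", BOUND_TO_LOCALHOST), ("all interfaces", BOUND_TO_ALL)):
        print(name, "->", exposed_listeners(sample) or "bound to loopback only")
```

A loopback-only result covers direct remote connections but not a forwarded tunnel of the kind Rob describes above, which reaches the port from the server side; that path has to be reviewed separately.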
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/