On March 31st, 2016, I found and reported a remote code execution in Ubiquiti networks Aircontroller version 1.4.2 which was downloadable from http://community.ubnt.com/. The AirController version was pretty old, so there wasn't any significant risk as users were already using updated version.
After I configured AirController 1.4.2 on my Ubuntu machine, I started playing around with the web app. The UI was very old and unimpressive. I thought of running nmap service banner grabbing on target where AirController is installed, and found JBoss Seam running on port 9080, I Googled immediately for existing exploits in JBoss Seam.
JBoss Seam was vulnerable to RCE and CVE-2010-1871 was assigned to it. I landed up on this blog which had clear instructions of which function was vulnerable and how to exploit the vulnerability. To execute the OS commands one has to find indexes for java.lang.Process and public static java.lang.Runtime java.lang.Runtime.getRuntime() methods. I had no idea where to start with finding an index, I tried finding if there is a metasploit module to do so and yet again metasploit came to rescue.
I ran metasploit on target, found indexes and then I could exploit the vulnerability successfully after sending the below crafted request to server;
/seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[19].invoke(expressions.getClass().forName('java.lang.R
untime').getDeclaredMethods()[7].invoke(null), 'mkdir /tmp/PWNED')}
I made a POC video of the attack.
Timeline:
March 31st, 2016 - Report Sent
March 31st, 2016 - Bug triaged
April 1st, 2016 - Resolved and Bounty Rewarded
Bounty was fairly low as the bug was in old version. Thanks for reading! Comments and suggestions are welcome.
No comments:
Post a Comment