unifi'd ownage


Upload: tim-n

Post on 21-Mar-2017


UNIFI’d Ownage

Centralised and Automated network management, lol

Where: BSidesAU
What: Unified Ownage
Who: Tim Noise

Tim Noise

• twitter/dnoiz1
• github/dnoiz1
• mIRC/dnz
• streetz/notorious D N Z
• [email protected]

Future cyborg and self-contained darknet

Ubiquiti Networks
A network vendor that isn't Cisco or Juniper

• Make wireless backhaul devices
• Make enterprise networking devices
• Added more products in SOHO/enterprise range
• Decided all these devices could be managed from a web interface, called Unifi (now with cloud!)
• Publicly listed on NASDAQ
• Public bug bounty on hacker1

UNIFI Marketing
It just sounds so easy to be a network administrator!

• “The Global Leader in Managed WiFi Systems”
• “Millions of shipments per year”
• Powered by MongoDB (webscale)
• Written in Java (cross platform)
• Distro packages / repos for *nix
• Easy to use web interface
• Wifi heat maps / network maps etc
• Fancier throughput graphs (not RRDtool)
• Optional “CloudKey” device
• Troy Hunt’s jetski has fast wifi

Bug Bounty
23 bugs = Zero Dollars^WDays

• Between jobs
• Bug bounty looked appealing
• Submitted lots of bugs in Unifi / U-AP
• No response from Ubiquiti
• Found more bugs, didn't bother submitting
• Got a job and forgot about it for 12 months
• All bugs closed as `informative` 12 months later
• Poor vendor response - make it a talk

UNIFI Actual
Security nightmare

• Basically a shiny Command and Control
• Written in Java, nested dependencies
• Java runs as root
• MongoDB runs as root
• Self-signed certificates
• Cloud connected (optional but wtf)
• Centralised/reused device login (in mongo)
• Passwordless MongoDB
• Implements AES-CBC on top of HTTP ?
• ….And more

Test Environment
Emulating what we would expect to see in the wild

• Controller running on Ubuntu VM
• Controller installed from official repo
• Originally version 3, now version 5
• Started with 1x UAP-AC-PRO
• Added 1x Unifi Switch 24 POE
• Added some NanoBeam ACs (AirOS, not Unifi)

UNIFI Adoption
Joining Mirai^WUnifi platform

• LED is white when not configured
• LLDP, CDP, Ubiquiti (UDP 10001) for discovery
• Attempt to Adopt (provision) a device from www
• Controller SSHs into device
• Configures SSH password, inform URL, SSIDs etc
• Device periodically informs controller of its status, throughput, connected clients, client roaming etc
• LED becomes blue

Finding The Controller
Which panel is helm control?

• Almost exclusively on VLAN 1
• TCP: 8080, 8443 Management www
• TCP: 6789 (throughput metrics), 8880 (guest portal)
• UDP: 10001, 3478 (STUN)
• HTTP Server header: Apache-Coyote/1.1
• Certificate: s:/C=US/ST=CA/L=San Jose/O=ubnt.com/OU=UniFi/CN=UniFi
• Older versions contain files in webroot eg: hotspot.jsp, /upnp/ and more

Capturing Informs
Grabbing the messages off the wire

• Basic MITM techniques
• ARP spoofing (dsniff, ettercap, etc)
• Promiscuous mode on VM physical interfaces
• DNS poisoning (when DNS is configured in Unifi)
• Messages are over HTTP on port 8080
• tcpdump / wireshark or SimpleHTTPServer

Decompiling Unifi
The source will tell you the secrets

• Extract the JAR
• Can use JAD for older versions (class version < 50)
• JD-GUI for newer versions
• Read and follow the mess that is produced
• In this case InformServlet.java
• We’re looking at the /inform route

Decoding Messages
Magic? Not really.

• Decodable 40 byte header
• Compressed (snappy) and encrypted (AES) body
• AES key per device in mongo
• Legacy plaintext inform now disabled
• Encoded JSON -> Mongo
• 40 bytes header, data next
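An added example, not from the slides: a header decoder for captured /inform POST bodies that a defender can run over a pcap-extracted capture to spot devices still sending legacy plaintext informs or unauthenticated AES-CBC bodies. The slides only state that the header is 40 bytes; the field layout, the "TNBU" magic and the flag bits below are assumed from community reverse engineering of the protocol, and the sample capture is constructed (the "encrypted" payload is dummy bytes, not real ciphertext).

```python
import struct

MAGIC = b"TNBU"                 # assumed header magic (not stated on the slides)
HEADER_FMT = ">4sI6sH16sII"     # magic, pkt version, MAC, flags, IV, payload version, payload length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 40 bytes, as the slide says
# Assumed flag bits: encrypted, zlib, snappy, AES-GCM instead of AES-CBC
FLAG_ENCRYPTED, FLAG_ZLIB, FLAG_SNAPPY, FLAG_GCM = 0x01, 0x02, 0x04, 0x08

def parse_inform_header(buf):
    """Decode the 40-byte header of a captured /inform body; None if it is not an inform."""
    if len(buf) < HEADER_LEN or buf[:4] != MAGIC:
        return None
    _, pkt_ver, mac, flags, iv, payload_ver, length = struct.unpack(HEADER_FMT, buf[:HEADER_LEN])
    return {
        "mac": ":".join("%02x" % b for b in mac),
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "mode": "aes-gcm" if flags & FLAG_GCM else "aes-cbc",
        "compression": "snappy" if flags & FLAG_SNAPPY else "zlib" if flags & FLAG_ZLIB else "none",
        "iv": iv.hex(),
        "payload_len": length,
        "length_ok": len(buf) - HEADER_LEN == length,   # truncated or padded body is suspicious
    }

def audit_capture(messages):
    """Return findings for (source, body) pairs a defender should not want on the wire."""
    findings = []
    for src, body in messages:
        hdr = parse_inform_header(body)
        if hdr is None:
            continue                                     # not inform traffic, ignore
        if not hdr["encrypted"]:
            findings.append("%s (%s): legacy plaintext inform" % (src, hdr["mac"]))
        elif hdr["mode"] == "aes-cbc":
            findings.append("%s (%s): AES-CBC inform (no authenticated encryption)" % (src, hdr["mac"]))
        if not hdr["length_ok"]:
            findings.append("%s (%s): payload length mismatch" % (src, hdr["mac"]))
    return findings

def _sample_inform(mac, flags, payload, iv=b"\x00" * 16):
    """Build a constructed sample body for testing; payload is dummy bytes."""
    return struct.pack(HEADER_FMT, MAGIC, 0, mac, flags, iv, 1, len(payload)) + payload

# Constructed capture: (source IP, HTTP POST body) pairs, not real traffic.
SAMPLE_CAPTURE = [
    ("192.0.2.10", _sample_inform(b"\x04\x18\xd6\x00\x00\x01", FLAG_ENCRYPTED | FLAG_SNAPPY, b"\xaa" * 32)),
    ("192.0.2.11", _sample_inform(b"\x04\x18\xd6\x00\x00\x02", 0, b'{"mac":"04:18:d6:00:00:02"}')),
    ("192.0.2.12", b"GET /manage HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(finding)
```

Feed it the bodies of POSTs to /inform on TCP 8080 extracted from a capture; decrypting the body itself additionally needs the per-device key the slides locate in mongo.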


Spoofing Informs
Yo, it's me, your boy

Plaintext Passwords
How else do you store them?

Version Upgrades
Lazy packaging is lazy

• Leaves redundant fields in Mongo (ie plaintext PSKs/passwords)
• World readable configuration files leftover (more plaintext stuff)
• Basically doesn't clean up

Guest Access Points
Run it on the management controller, what could go wrong?

• Built in hotspot / guest portal access
• Vouchers, payments (Stripe, Paypal, etc)
• Facebook / Google+
• Restricts configured subnets
• Same host/application as management platform
• The same database contains datasets for device management and guest data

Take Away
Keeping your fingers greasy

• Hardware is solid (not much investigation)
• OpenWRT build targets as alternative fw
• Find the controllers, find the devices
• Attempt to bust crypto
• Physical access is a winner
• SSJI (server-side JavaScript injection into Mongo) = game over
• Use reverse proxy for Guest Access, Inform and Management
• Endure the pain to segment the network

QUESTIONS?
