unifi'd ownage
TRANSCRIPT
UNIFI’d ownage
Centralised and Automated network management, lol
Where: BSidesAU
What: Unified Ownage
Who: Tim Noise
Tim Noise
• twitter/dnoiz1
• github/dnoiz1
• mIRC/dnz
• streetz/notorious D N Z
• [email protected]
Future cyborg and self contained darknet
Ubiquiti Networks
A network vendor that isn't Cisco or Juniper
• Make wireless backhaul devices
• Make enterprise networking devices
• Added more products in SOHO/enterprise range
• Decided all these devices could be managed from a web interface, called Unifi (now with cloud!)
• Publicly listed on NASDAQ
• Public bug bounty on hacker1
UNIFI Marketing
It just sounds so easy to be a network administrator!
• “The Global Leader in Managed WiFi Systems”
• “Millions of shipments per year”
• Powered by MongoDB (webscale)
• Written in Java (cross platform)
• Distro packages / repos for *nix
• Easy to use web interface
• Wifi heat maps / network maps etc
• Fancier throughput graphs, not RRDtool
• Optional “CloudKey” device
• Troy Hunt’s Jetski has fast wifi
BUG Bounty
23 bugs = Zero Dollars^WDays
• Between jobs
• Bug bounty looked appealing
• Submitted lots of bugs in Unifi / U-AP
• No response from Ubiquiti
• Found more bugs, didn't bother submitting
• Got a job and forgot about it for 12 months
• All bugs closed as `informative` 12 months later
• Poor vendor response - make it a talk
UNIFI Actual
Security nightmare
• Basically a shiny Command and Control
• Written in Java, nested dependencies
• Java runs as root
• MongoDB runs as root
• Self-signed certificates
• Cloud connected (optional but wtf)
• Centralised/reused device login (in mongo)
• Passwordless MongoDB
• Implements AES-CBC on top of HTTP ?
• …And more
Test Environment
Emulating what we would expect to see in the wild
• Controller running on Ubuntu VM
• Controller installed from official repo
• Originally version 3, now version 5
• Started with 1x UAP-AC-PRO
• Added 1x Unifi Switch 24 POE
• Added some NanoBeam ACs (AirOS, not Unifi)
UNIFI Adoption
Joining Mirai^WUnifi platform
• LED is white when not configured
• LLDP, CDP, Ubiquiti discovery (UDP 10001)
• Attempt to adopt (provision) a device from the web UI
• Controller SSHs into device
• Configures SSH password, inform URL, SSIDs etc
• Device periodically informs controller of its status, throughput, connected clients, client roaming etc
• LED becomes blue
Finding The Controller
Which panel is helm control?
• Almost exclusively on VLAN 1
• TCP: 8080, 8443 management www
• TCP: 6789 (throughput metrics), 8880 (guest portal)
• UDP: 10001, 3478 (STUN)
• HTTP Server header: Apache-Coyote/1.1
• Certificate: s:/C=US/ST=CA/L=San Jose/O=ubnt.com/OU=UniFi/CN=UniFi
• Older versions contain files in webroot eg: hotspot.jsp, /upnp/ and more
CAPTURING INFORMS
Grabbing the messages off the wire
• Basic MITM techniques
• ARP spoofing (dsniff, ettercap, etc)
• Promiscuous mode on VM physical interfaces
• DNS poisoning (when DNS is configured in Unifi)
• Messages are over HTTP on port 8080
• tcpdump / wireshark or SimpleHTTPServer
DECOMPILING UNIFI
The source will tell you the secrets
• Extract the JAR
• Can use JAD for older versions (class version < 50)
• JD-GUI for newer versions
• Read and follow the mess that is produced
• In this case InformServlet.java
We’re looking at the /inform route
DECODING MESSAGES
Magic? Not really.
• Decodable 40 byte header
• Compressed (snappy) and encrypted (AES) body
• AES key per device in mongo
• Legacy plain text inform now disabled
• Encoded JSON -> Mongo
• 40 bytes header, data next
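An added example, not from the talk, that parses the 40-byte inform header described above so a defender can tell legacy plaintext informs from encrypted ones in traffic captured on port 8080. The field layout (magic, version, MAC, flags, IV, payload version, payload length) is assumed from public reverse-engineering write-ups of the protocol, not from these slides; the MAC, IV and packet bytes are constructed test data.

```python
import struct

# Header layout assumed from public reverse-engineering write-ups of the
# UniFi inform protocol (not stated on the slides): 40 bytes, big-endian.
MAGIC = b"TNBU"
HEADER_FMT = ">4sI6sH16sII"   # magic, version, mac, flags, iv, body ver, body len
HEADER_LEN = struct.calcsize(HEADER_FMT)  # == 40
FLAG_ENCRYPTED, FLAG_ZLIB, FLAG_SNAPPY, FLAG_AES_GCM = 0x1, 0x2, 0x4, 0x8


def parse_inform_header(packet: bytes) -> dict:
    """Split an /inform message into its decoded header fields and raw body."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than an inform header")
    magic, version, mac, flags, iv, body_ver, body_len = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic: not an inform message")
    if len(packet) - HEADER_LEN != body_len:
        raise ValueError("payload length in header does not match packet")
    return {
        "version": version,
        "mac": ":".join(f"{b:02x}" for b in mac),
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "aes_gcm": bool(flags & FLAG_AES_GCM),
        "compression": ("snappy" if flags & FLAG_SNAPPY
                        else "zlib" if flags & FLAG_ZLIB else "none"),
        "iv": iv.hex(),
        "body_version": body_ver,
        "body": packet[HEADER_LEN:],
    }


def build_inform(mac: bytes, flags: int, iv: bytes, body: bytes) -> bytes:
    """Build a synthetic inform packet (constructed test data only)."""
    return struct.pack(HEADER_FMT, MAGIC, 0, mac, flags, iv, 1, len(body)) + body


def triage(packet: bytes) -> str:
    """Defender's check: no encrypted flag means the legacy plaintext inform is
    still in use and the (compressed) JSON body is readable on the wire."""
    h = parse_inform_header(packet)
    if not h["encrypted"]:
        return f"WARNING plaintext inform from {h['mac']}"
    mode = "AES-GCM" if h["aes_gcm"] else "AES-CBC"
    return f"OK encrypted ({mode}, {h['compression']}) inform from {h['mac']}"


if __name__ == "__main__":
    # Constructed sample: locally administered MAC, zeroed IV, dummy body.
    sample = build_inform(bytes.fromhex("020000aabbcc"),
                          FLAG_ENCRYPTED | FLAG_SNAPPY, bytes(16), b"\x00" * 32)
    print(triage(sample))
```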
VERSION UPGRADES
Lazy packaging is lazy
• Leaves redundant fields in Mongo (ie plain text PSKs/passwords)
• World readable configuration files leftover (more plaintext stuff)
• Basically doesn't clean up
GUEST ACCESS POINTS
Run it on the management controller, what could go wrong?
• Built in Hotspot / guest portal access
• Vouchers, Payments (Stripe, Paypal, etc)
• Facebook / Google+
• Restricts configured subnets
• Same host/application as management platform
• The same database contains datasets for device management and guest data
TAKE AWAY
Keeping your fingers greasy
• Hardware is solid (not much investigation)
• OpenWRT build targets as alternative fw
• Find the controllers, find the devices
• Attempt to bust crypto
• Physical access is a winner
• SSJI = game over
• Use reverse proxy for Guest Access, Inform and Management
• Endure the pain to segment the network
Tim Noise
• twitter/dnoiz1
• github/dnoiz1
• mIRC/dnz
• streetz/notorious D N Z
• [email protected]
Future cyborg and self contained darknet