Hi All,
Today we have discovered a vulnerability which may grant remote users administrative access to Ubiquiti equipment running AirOS v3/4 and AirOS v5 without requiring authentication.
We have quickly fixed this issue and released an updated firmware with this vulnerability patched.
You can find the updated firmware here:
http://ubnt.com/support/downloads
Affected versions:
802.11 Products - AirOS v3.6.1/v4.0 (previous versions not affected)
AirMax Products - AirOS v5.x (all versions)
Updated versions are
v4.0.1 - 802.11 ISP Products
v5.3.5 - AirMax ISP Products
v5.4.5 - AirSync Firmware
We recommend that anyone with AirOS devices publicly accessible (via HTTP) upgrade as soon as possible to prevent this exploit.
If you have any questions or require previous versions of firmware, please email us (support@ubnt.com).
__________________
Matt Hardy
Ubiquiti Networks
Hi guys,
There are two things here:
1. A vulnerability in the HTTP server, allowing users to bypass authentication and run commands.
2. A worm that has been taking advantage of #1 to spread itself.
The new firmware will prevent #1, which also prevents #2.
If the worm has already presented itself, it will:
Rename admin.cgi to adm.cgi (you can check with web browser after logging in)
Create startup script in /etc/persistent (you can check by running ls -la /etc/persistent and looking for .Skynet)
We are working on a patch now that will remove the worm, but here's how to do it manually:
SSH into device
cd /etc/persistent
rm rc.poststart
rm -rf .Skynet
cfgmtd -w -p /etc/
reboot
This will not prevent the worm from coming back, you'll need the updated firmware to prevent this.
-Matt
From other sources, still to be verified, some more details on the vulnerability:
Dear customers,
We are contacting you to inform you that a very important vulnerability has been detected on Ubiquiti Networks devices
(NanoStation, Loco, Bullet, Nanobridge, Powerbridge, Powerstation, Picostation, etc.) with the following firmware versions:
802.11 products - AirOS v3.6.1/v4.0 (previous versions are not affected)
AirMax products- AirOS v5.x (all versions)
This vulnerability allows access to the device without a password, and a virus called Skynet can be installed on the Ubiquiti
device; this virus acts by sending messages on the traffic generated through port 80 (http://), redirecting traffic to certain websites
and saturating the wireless device's memory, which causes unexpected reboots.
What is the virus?
The virus is a Linux script that is installed in a hidden directory and, after a reboot, begins to act.
How to detect if your Ubiquiti device is infected?
Try opening the page http://wxyz/admin.cgi (where wxyz is the IP address of the Ubiquiti device).
If the page does not open, the device has been infected, since the virus renames it to adm.cgi.
What to do if my device IS NOT INFECTED?
Immediately update the firmware version of your Ubiquiti equipment; you can download the latest firmware versions that have eliminated
the vulnerability at the following address:
http://ubnt.com/support/downloads
How to proceed if my device IS INFECTED?
There are three options:
1) Ubiquiti has pledged to release, within 24 hours, a tool to eliminate the virus easily and quickly.
2) Reset the device to "factory defaults" and then upgrade the firmware version.
3) Remove the Skynet script manually, following the instructions detailed below:
Access the device via SSH and run the following commands:
rm /etc/persistent/rc.poststart
rm -rf /etc/persistent/.Skynet
save
reboot
After removing the Skynet script (virus) with this procedure, rename the file adm.cgi back to the original admin.cgi and upgrade the firmware to the latest version available for the device at the following address:
http://ubnt.com/support/downloads
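Added example, not part of the Ubiquiti post or the customer notice above: a POSIX sh script that implements the on-disk check and cleanup both of them describe (the rc.poststart startup script and the hidden .Skynet directory in /etc/persistent). The directory is a parameter so the functions can be tried on a scratch copy before touching a device; the function names, the constructed sample directory and gating the cfgmtd commit step on the command being present are assumptions of this example, and the sample content is constructed, not a real worm.

```shell
#!/bin/sh
# Added example: detect and remove the Skynet indicators described in the posts.
# On a real AirOS device pass /etc/persistent; here a scratch directory is used.

# skynet_indicators DIR
# Prints the indicator names found in DIR, one per line.
# Returns 0 if any were found (infected), 1 if none (clean).
skynet_indicators() {
    dir="$1"
    found=1
    if [ -e "$dir/rc.poststart" ]; then
        echo "rc.poststart"
        found=0
    fi
    if [ -d "$dir/.Skynet" ]; then
        echo ".Skynet"
        found=0
    fi
    return $found
}

# skynet_clean DIR
# Removes both indicators from DIR. Returns 0 if DIR is clean afterwards.
skynet_clean() {
    dir="$1"
    rm -f "$dir/rc.poststart"
    rm -rf "$dir/.Skynet"
    ! skynet_indicators "$dir" >/dev/null
}

# skynet_commit
# On AirOS, /etc/persistent must be written back to flash with cfgmtd (the
# command given in the post), otherwise the removal is lost at the next reboot.
# Assumption: cfgmtd is in PATH only on the device, so this is skipped elsewhere.
skynet_commit() {
    if command -v cfgmtd >/dev/null 2>&1; then
        cfgmtd -w -p /etc/
    else
        echo "cfgmtd not found: not on an AirOS device, skipping flash commit" >&2
        return 1
    fi
}

# make_sample_persistent
# Builds a scratch directory that mimics an infected /etc/persistent
# (constructed sample, not a real worm) and prints its path.
make_sample_persistent() {
    d=$(mktemp -d)
    mkdir "$d/.Skynet"
    printf '#!/bin/sh\n# placeholder for the worm startup script\n' > "$d/rc.poststart"
    printf 'dummy\n' > "$d/.Skynet/payload"
    echo "$d"
}
```

Usage on a device would be `skynet_indicators /etc/persistent`, then `skynet_clean /etc/persistent && skynet_commit && reboot`. Two caveats from the posts still apply: rc.poststart is also the general user startup hook on AirOS, so inspect it before deleting if you ever placed your own commands there, and cleanup alone does not stop reinfection; only the updated firmware closes the hole.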
UPDATE
For those who use the SDK and are comfortable with it, here is a patch from the official site:
http://www.ubnt.com/downloads/XN-fw-int ... -fix.patch
Index: packages-other/lighttpd/patches/500-mod-airos.patch
===================================================================
--- packages-other/lighttpd/patches/500-mod-airos.patch (revision 11238)
+++ packages-other/lighttpd/patches/500-mod-airos.patch (working copy)
@@ -1,6 +1,6 @@
--- a/configure.ac
+++ b/configure.ac
-@@ -637,14 +637,15 @@ AC_CONFIG_FILES([Makefile src/Makefile
+@@ -638,14 +638,15 @@ AC_CONFIG_FILES([Makefile src/Makefile
tests/docroot/www/expire/Makefile \
distribute.sh])
AC_OUTPUT
@@ -18,7 +18,7 @@
else
--- a/src/Makefile.am
+++ b/src/Makefile.am
-@@ -303,7 +303,11 @@ proc_open_CPPFLAGS= -DDEBUG_PROC_OPEN
+@@ -304,7 +304,11 @@ proc_open_CPPFLAGS= -DDEBUG_PROC_OPEN
#evalo_SOURCES = buffer.c eval.c
#bench_SOURCES = buffer.c bench.c
#ajp_SOURCES = ajp.c
@@ -32,7 +32,7 @@
+mod_airos_la_LIBADD = $(TDB_LIB) $(common_libadd)
--- /dev/null
+++ b/src/mod_airos.c
-@@ -0,0 +1,1006 @@
+@@ -0,0 +1,1031 @@
+#include <ctype.h>
+#include <stdlib.h>
+#include <stdio.h>
@@ -572,6 +572,28 @@
+}
+
+static int
++phy_is_in_list(const physical* uri, const array* list) {
++ size_t k, ct_len;
++ data_string* ds;
++ size_t uri_len = uri->path->used - 1;
++
++ for (k = 0; k < list->used; k++) {
++ ds = (data_string *)list->data[k];
++ ct_len = ds->value->used - 1;
++
++ if (ct_len < 1) continue;
++ if (ct_len > uri_len) continue;
++
++ if (strncasecmp(uri->path->ptr + uri_len - ct_len,
++ ds->value->ptr, ct_len) == 0) {
++ return 1;
++ }
++ }
++
++ return 0;
++}
++
++static int
+is_ajax_request(const request* req) {
+ data_string* header;
+ if (req == NULL)
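Review bot: phy_is_in_list computes uri_len as uri->path->used - 1 with no guard for an empty buffer; under lighttpd's buffer convention used counts the terminating NUL, so used == 0 wraps uri_len to SIZE_MAX, the `if (ct_len > uri_len) continue;` check never fires and strncasecmp reads from uri->path->ptr + uri_len - ct_len, i.e. outside the buffer. Add `if (uri == NULL || uri->path == NULL || uri->path->used == 0) return 0;` before the loop. Separately, the comparison is a bare case-insensitive suffix match with no path-separator boundary, so a list entry such as `login.cgi` would also match `/x/notlogin.cgi`; since this helper now decides p->conf.allowed (paths served without an authenticated session, per the later hunk), require the match to start at a `/` or at offset 0, or compare the basename exactly, and document the expected form of list entries.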
@@ -946,8 +968,10 @@
+ data_string* ds;
+ session_t* session = NULL;
+ int is_uri_cachable = 0;
++ int is_phy_allowed = 0;
+
-+ is_uri_cachable = uri_is_in_list(&con->uri, p->conf.cachable);
++ is_uri_cachable = phy_is_in_list(&con->physical, p->conf.cachable);
++ is_phy_allowed = phy_is_in_list(&con->physical, p->conf.allowed);
+
+ if (is_uri_cachable) {
+ time_t expires = srv->cur_ts + DEFAULT_CACHE_AGE;
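Review bot: is_uri_cachable is now filled from con->physical rather than con->uri, so the name is misleading; rename it is_phy_cachable. Switching the cachable list from uri_is_in_list to phy_is_in_list also changes behaviour for requests whose URI and translated physical path differ, which should be stated in the commit message. Neither call checks that con->physical.path is non-empty before handing it to the helper (see the note on phy_is_in_list).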
@@ -981,7 +1005,8 @@
+ }
+
+ /* check session authorization */
-+ if (session_is_authenticated(session) && !session_is_authorized(session, srv, con)) {
++ if ((!is_phy_allowed && (!session_is_authenticated(session) || !session_is_authorized(session, srv, con)))
++ || (session_is_authenticated(session) && !session_is_authorized(session, srv, con))) {
+ free(session);
+ session = NULL;
+ con->http_status = 403;
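Review bot: the replacement condition is hard to read because its two disjuncts overlap, and the intent is easier to audit as a single "ok" expression: `int ok = is_phy_allowed ? (!session_is_authenticated(session) || session_is_authorized(session, srv, con)) : (session_is_authenticated(session) && session_is_authorized(session, srv, con));` followed by `if (!ok) { ... 403 ... }`, which is equivalent for all four combinations. This hunk is the actual fix, since the removed line only rejected authenticated-but-unauthorized sessions and let unauthenticated requests through to every path, so a comment stating that unauthenticated requests are served only for p->conf.allowed paths belongs here. Also confirm that session_is_authenticated and session_is_authorized tolerate session == NULL, which is the initial value a few lines above.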
Official forum link
The staff.
PS: thanks to user brasile80 for the report