How Unifi OS exploitation may have happened
2026-6-5 03:57:12 Author: www.boredhackerblog.info

Note: if images or formatting is broken, blame Blogger. 

 

 (from discord)

What's going on?

Last week, while I was on break doing training, I saw a reddit post about someone's Unifi having an account added. An admin user "John Sim" was added to and then removed from their device.

In the replies, there were other people saying that this happened to them as well. I was going to look into this and maybe even set up a honeypot but I didn't have time.

 

Post: https://www.reddit.com/r/Ubiquiti/comments/1tnygst/super_admin_added_whilst_on_holiday/

Today I saw another post regarding this activity (the post is about a week old, but I only saw it today).

This new post had URI info for the attack. I'm not sure if it's all the URLs in their logs though. 

 

Post: https://www.reddit.com/r/Ubiquiti/comments/1tp9san/aidriven_campaign_appears_to_be_targeting/

Unifi Post about multiple vulnerabilities: https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b

For affected products, it says: UniFi OS Server (Version 5.0.6 and earlier)

The setup

I actually didn't find a 5.0.6 version for the UDR7, and I didn't want to go lower. I had just reset and rebuilt my whole network.

I found Unifi OS for Windows with version 5.0.6 and installation was easy so I went with that.

Download page: https://ui.com/download/software/unifi-os-server

This is what I installed: UniFi OS Server 5.0.6 for Windows (x64)

So I have Unifi OS 5.0.6 running for testing and I have my UDR7 with latest updates and SSH access (this comes in handy later).

Research 

Skip to the Exploitation section at the bottom if you don't care about my methodology and extra commentary.

I started by going to /proxy/users/public/avatar/x?filename=../../../../data/unifi-core/config/jwt.yaml

This gets me the JWT secret.  

 

Next I logged into Unifi OS to see what the auth activity looks like, and there is a JWT token!

 

 JWT.io was used for decoding. Decoded data looks like this:

 

The next URI in the reddit post is /api/auth/validate-sso/../../../proxy/users/api/v2/identity/user/owner/credential, where the attacker gets a 200 response.

I visited the URL and did not get a 200.

 

At this point, I started modifying the JWT token. 

I noticed that the jti and csrfToken fields didn't matter. The exp field can be any epoch timestamp in the future. userId needed to be correct, and the same went for passwordRevision.

I crafted a new JWT token and tried it against the validate-sso URI, and it worked!

 

 

Now I'm wondering how the threat actor got legitimate userId and passwordRevision data.

The reddit post didn't mention anything else.

I SSHed into my UDR7, went to the directory the jwt.yaml file came from, and started looking for passwordRevision and userId.

I found out that there is a JSON file that contains passwordRevision. The unique_id you see is the userId.

 

I sent a request to /proxy/users/public/avatar/x?filename=../../../../data/unifi-core/config/cache/users.json. This is the second use of that traversal vuln, again without an auth token.

This gets us everything we need. With the JWT secret and this data, we can craft the correct token.

 

What about adding users?

This is what legitimate user addition request looks like:

 

Can we add users with the JWT token we crafted?

 Yes! Just make sure that the CSRF token in your request matches the token in your JWT token.

 

 

 Exploitation

Here's what the process looks like from the testing I've done.

1. Request jwt.yaml and extract the secret.

2. Request users.json and extract unique_id and password_revision for the admin.

3. Create a valid JWT token.

4. Use the token to send a request to the validate-sso/credential URI and check for a 200!
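As an added example (my own code, not part of the original post), here is a small detector that flags the two request patterns described above in web server access logs: the avatar endpoint called with a traversal in its filename parameter, and the validate-sso path used to traverse to the credential endpoint. The log format (combined-log style) and the sample lines are constructed and are not real Unifi OS logs; the detector percent-decodes repeatedly so encoded variants of ../ are caught too.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed access-log lines in a combined-log shape (not real Unifi OS logs).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2026:10:01:02 +0000] "GET /proxy/users/public/avatar/x?filename=..%2F..%2F..%2F..%2Fdata%2Funifi-core%2Fconfig%2Fjwt.yaml HTTP/1.1" 200 812
203.0.113.5 - - [01/Jun/2026:10:01:05 +0000] "GET /proxy/users/public/avatar/x?filename=../../../../data/unifi-core/config/cache/users.json HTTP/1.1" 200 4096
203.0.113.5 - - [01/Jun/2026:10:01:09 +0000] "GET /api/auth/validate-sso/../../../proxy/users/api/v2/identity/user/owner/credential HTTP/1.1" 200 511
198.51.100.7 - - [01/Jun/2026:10:02:00 +0000] "GET /proxy/users/public/avatar/x?filename=avatar.png HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jun/2026:10:02:30 +0000] "GET /api/auth/validate-sso HTTP/1.1" 401 0
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def _decode_fully(s, rounds=3):
    """Percent-decode repeatedly so encoded '../' (e.g. %2e%2e%2f or %252e) is normalised."""
    for _ in range(rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s

def classify(target):
    """Return a finding label for a request target, or None if it looks benign."""
    decoded = _decode_fully(target)
    parts = urlsplit(decoded)
    filenames = parse_qs(parts.query).get("filename", [])
    if parts.path.startswith("/proxy/users/public/avatar/") and any("../" in f for f in filenames):
        return "avatar-filename-traversal"
    if "/api/auth/validate-sso/.." in parts.path:
        return "validate-sso-path-traversal"
    return None

def scan_log(text):
    """Parse access-log lines and return (ip, status, label) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        label = classify(m["target"])
        if label:
            findings.append((m["ip"], int(m["status"]), label))
    return findings

if __name__ == "__main__":
    for ip, status, label in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {label}")
```

A 200 on either pattern is the signal worth alerting on; a traversal attempt that came back 4xx is still worth noting as reconnaissance against an exposed instance.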

 

 

 

End

I'm not exactly sure if this is the exact method the threat actor was using. I don't have a honeypot, and I don't have logs or forensic data either. I don't know of anyone who can replicate this for me either.

The Ubiquiti Security Advisory lists multiple vulns, so there might be more going on.

I'm not sure how many people have a vulnerable Unifi OS exposed to the internet. Obviously the people on reddit who got compromised did, and I feel like there shouldn't be too many vulnerable setups out there, but who knows.

Someone (not me) should probably make a nuclei template for this.

Thanks to https://github.com/InfosecExtra for bouncing around ideas. 


Source: http://www.boredhackerblog.info/2026/06/how-unifi-os-exploitation-may-have.html