New Member
Posts: 11
Registered: ‎05-14-2016

Re: Virus attack - URGENT @UBNT

The harmful code is in the CGI scripts index, reset and login, which allow you to upload a virus. Blame the UBNT staff.

Regular Member
Posts: 367
Registered: ‎03-12-2009
Kudos: 136
Solutions: 11

Re: Virus attack - URGENT @UBNT

I believe this exploit is not leveraging brute-forced SSH, but a combination of these two vulnerabilities:

A certificate including its private key is embedded in the firmware of several Ubiquiti Networks products. The certificate is used for HTTPS
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20151105-0_Ubiquiti_Networks_...

It's possible to overwrite any file on AirMax systems, because "php2" doesn't verify the "filename" value of a POST request. It's possible for an unauthenticated user to exploit this vulnerability.
https://hackerone.com/reports/73480

Since all the exploitable devices have the same SSL certificate, the workflow probably goes something like this:

1) Scan for devices listening on 443
2) Test for ubnt's reused SSL certificate
3) Change the credentials with something like this: curl -F "file=@./passwd;filename=../../etc/passwd" -H "Expect:" 'https://192.168.1.20/login.cgi' -k
4) SSH into the device with the newly installed credentials
5) Do whatever

If the lighttpd in AirOS logged anything we might have more insight...

So people please, UPDATE THE FIRMWARE!

New Member
Posts: 3
Registered: ‎05-14-2016
Kudos: 3

Re: Virus attack - URGENT @UBNT

#!/bin/sh
# Cleanup script for the AirOS infection discussed in this thread.
# Uses only POSIX/BusyBox features. Replace YOUR_ADMIN_IP with the address
# you administer the device from.

# Flush existing rules, allow only the admin address, then block the web ports.
iptables -F
iptables -A INPUT -s YOUR_ADMIN_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP 2>/dev/null
# Note: "-i lo" limits this rule to the loopback interface only.
iptables -A INPUT -p tcp -i lo --dport 443 -j DROP 2>/dev/null

# Kill the malware and the helper processes it spawns (BusyBox ps has no -o).
for name in /etc/persistent/.mf sleep reboot curl; do
    for i in $(ps | grep "$name" | grep -v grep | awk '{print $1}'); do kill -9 "$i"; done
done

PDIR=/etc/persistent

# Remove the dropped archive and the hidden working directory.
rm -f "$PDIR/mf.tar"
rm -rf "$PDIR/.mf"

# Strip the persistence hook from rc.poststart.
grep -v /etc/persistent/.mf "$PDIR/rc.poststart" > "$PDIR/rc.poststart.new"
mv -f "$PDIR/rc.poststart.new" "$PDIR/rc.poststart"

# Remove the account the malware added.
grep -v mother /etc/passwd > /etc/passwd.new
mv -f /etc/passwd.new /etc/passwd

# Write the changes to the persistent config in flash.
cfgmtd -w -p /etc/

New Member
Posts: 11
Registered: ‎05-14-2016

Re: Virus attack - URGENT @UBNT

A wise decision: create the file /etc/persistent/rc.poststart with permissions -rw-r--r--
I think it won't last long.
Thanks for the script.

We decided to turn off lighttpd and set up a different way of administering the device.

Does UBNT have an analogue of MikroTik's Winbox tool?

New Member
Posts: 3
Registered: ‎05-14-2016
Kudos: 3

Re: Virus attack - URGENT @UBNT

This is to stop the attack; then close everything with a firewall, and that's enough.

New Member
Posts: 11
Registered: ‎04-03-2014
Kudos: 4

Re: Virus attack - URGENT @UBNT

Hi, I have some infected devices on version 5.5.10 but not on 5.6.3. Please UBNT check it and fix ASAP.

New Member
Posts: 11
Registered: ‎05-14-2016

Re: Virus attack - URGENT @UBNT

I cannot close the firewall; I need access to the device from the external network to administer it.
It seems UBNT had a utility for managing devices; I need to try to install it.

After 20 minutes the virus again created new files and carried out its actions.

SuperUser
Posts: 16,476
Registered: ‎02-03-2013
Kudos: 9016
Solutions: 595
Contributions: 2

Re: Virus attack - URGENT @UBNT


@wisptelecom wrote:

I cannot close the firewall; I need access to the device from the external network to administer it.

You can close the firewall, but allow access from the specific IP (or range) you use to administer.

ubiquiti certified trainer :: ubwa | uewa
New Member
Posts: 11
Registered: ‎05-14-2016

Re: Virus attack - URGENT @UBNT

On May 11-12 a mass of network devices with global IPs were infected; you are not the only one.

Only SSH or a special admin API is needed, like MikroTik's Winbox.

New Member
Posts: 1
Registered: ‎04-16-2008

Re: Virus attack - URGENT @UBNT

Hi,

born123 -> thanks for the script. Can you help and add to the script an automatic change of the HTTP, HTTPS and SSH ports to some non-standard ones?

Info about them is located in:

/tmp/system.cfg

httpd.port=xxxx
httpd.https.port=xxxx
sshd.port=xxxx

I decided not to block access on HTTP/HTTPS but to change the default ports to some others for the moment.
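As an added example (not code from the thread, from born123's script or from Ubiquiti), a read-only triage script: it checks a device tree for the indicators born123's cleanup script removes (mf.tar, the hidden .mf directory, the rc.poststart hook and the "mother" passwd entry) and reports the management ports from the system.cfg keys named in the post above. The ROOT argument is an assumption ("" for the live device, a copied tree for offline analysis); the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only: nothing here modifies the device.

# Print one line per indicator found under ROOT; return the count (0 = clean).
# Indicators match what the cleanup script in the thread removes.
airos_iocs() {  # usage: airos_iocs ROOT  (ROOT="" for the live device)
    root="$1"
    found=0
    if [ -e "$root/etc/persistent/mf.tar" ]; then
        echo "IOC: mf.tar present in $root/etc/persistent"; found=$((found + 1))
    fi
    if [ -d "$root/etc/persistent/.mf" ]; then
        echo "IOC: hidden directory $root/etc/persistent/.mf"; found=$((found + 1))
    fi
    if [ -f "$root/etc/persistent/rc.poststart" ] &&
       grep -q '/etc/persistent/\.mf' "$root/etc/persistent/rc.poststart"; then
        echo "IOC: rc.poststart re-launches /etc/persistent/.mf"; found=$((found + 1))
    fi
    if [ -f "$root/etc/passwd" ] && grep -q 'mother' "$root/etc/passwd"; then
        echo "IOC: 'mother' entry in $root/etc/passwd"; found=$((found + 1))
    fi
    return "$found"
}

# Print the value of KEY in an AirOS-style key=value config file, or "unset".
cfg_port() {  # usage: cfg_port FILE KEY
    key=$(printf '%s' "$2" | sed 's/\./\\./g')    # escape dots for the sed regex
    value=$(sed -n "s/^$key=//p" "$1" | tail -n 1)
    echo "${value:-unset}"
}

# Summarise the three management ports from system.cfg and flag default ports,
# which is what the scan described earlier in the thread looks for.
mgmt_ports() {  # usage: mgmt_ports FILE  (e.g. /tmp/system.cfg)
    for key in httpd.port httpd.https.port sshd.port; do
        port=$(cfg_port "$1" "$key")
        case "$port" in
            80|443|22) echo "$key=$port (default, exposed)" ;;
            *)         echo "$key=$port" ;;
        esac
    done
}
```

On a live device run `airos_iocs ""` and `mgmt_ports /tmp/system.cfg`; a non-zero return from airos_iocs means the indicators from the thread are present and the cleanup script above still needs to run.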

SuperUser
Posts: 16,476
Registered: ‎02-03-2013
Kudos: 9016
Solutions: 595
Contributions: 2

Re: Virus attack - URGENT @UBNT


@popcorrin wrote:

This crap gets old.

I tried chatting with support before I found this thread and he didn't even let me know that it was a known problem. I called him out after I found this thread. Pretty frustrating. Then you get responses that you should be running the latest firmware and reading the forums every minute on the minute to make sure you know about the latest software exploit on ubnt radios. Fanboys say the latest firmware is great in this thread, but you don't have to search far to see one of them saying the opposite. http://community.ubnt.com/t5/airMAX-M-Beta/5-6-4-XW-crash/m-p/1562862#U1562862

Which is it!

It's always the end user's fault, never Ubiquiti's. Give me a break!

I agree that people trashing a new firmware release can give people cold feet about upgrading a radio that's been working flawlessly under older firmware.

Every deployment is different, and there's always some esoteric bug that only affects very few people. Reading these forums it's hard for a casual reader to figure out whether a problem is rampant, or occurs with one radio in 100,000. The rare problems get posted; the majority of the radios that work perfectly you never hear about.

Even I've been affected by negative posts. I've had huge success for two years now with the Rocket TI XWs. The performance is amazing for M gear. But I saw so many negative posts about TIs and firmware that I have been afraid to update them. They're running perfectly with 2-year-old firmware. Every other radio on my network I updated years ago, but not the flawlessly working TIs, because I didn't want them to start working like all the negative stuff I was reading on the forum.

The truth is I'm sure they'd work fine with the latest firmware. And if it hadn't been for the negative posts, they would have been updated years ago.

I guess the bottom line is that if there IS a problem, you can always go back to the previous firmware. So the lesson from all this is to ignore the negative posts and upgrade to new firmware on a couple of devices. If everything works OK after a few weeks, upgrade the rest.

ubiquiti certified trainer :: ubwa | uewa
New Member
Posts: 3
Registered: ‎05-14-2016
Kudos: 3

Re: Virus attack - URGENT @UBNT

@Wladys wrote:

Hi,

born123 -> thanks for the script. Can you help and add to the script an automatic change of the HTTP, HTTPS and SSH ports to some non-standard ones?

Info about them is located in:

/tmp/system.cfg

httpd.port=xxxx
httpd.https.port=xxxx
sshd.port=xxxx

I decided not to block access on HTTP/HTTPS but to change the default ports to some others for the moment.

I think the ports would just get picked up anyway, so just hide them from prying IPs or disable the web UI.

Established Member
Posts: 1,209
Registered: ‎02-19-2010
Kudos: 72
Solutions: 1

Re: Virus attack - URGENT @UBNT

Why do you still keep an ancient version running? Why do you leave ports 22 and 80 open to the outside?
Dott. Elia Spadoni
---
Network Administrator
MTCNA, MTCRE, MTCTCE, MTCINE, MTCWE
Spadhausen Internet Provider
www.spadhausen.com
New Member
Posts: 11
Registered: ‎04-03-2014
Kudos: 4

Re: Virus attack - URGENT @UBNT

Hi,

This works for me, but the first login is mother  f u c k e r

After the first reboot this login doesn't work and the old one doesn't work either.

Any idea?

New Member
Posts: 1
Registered: ‎05-14-2016

Re: Virus attack - URGENT @UBNT

Does anybody know if firmware 5.6.4 is safe and solves the vulnerability problem? Version 5.6.3 was attacked on several devices.

New Member
Posts: 11
Registered: ‎05-14-2016

Re: Virus attack - URGENT @UBNT

The virus can get onto the router both from the external network and from the local one. Have you thought about that?
So the anti-virus solution for a commercial project should consist of:
1. Access to port 22 only from the local IP address pool, with one superuser administrator.
2. A new provider-branded web UI for the router that does not allow mistakes in the CGI or PHP code, where the user configures whether the UI is reachable from the web.

Now I cannot trust the standard set of CGI scripts (AC or N product).
I am going to try to make my own web UI.
Does the device support only CGI? Can PHP code processing be configured?

If you are a provider, a large number of devices can drive you mad, especially when UBNT allows vulnerabilities in CGI scripts...

Firmware updates: how tiresome these countless new versions are; it's bad for a provider.
More than 1 hour has passed, httpd is disabled, and there are no viruses on the device.

Member
Posts: 235
Registered: ‎04-23-2014
Kudos: 80
Solutions: 27

Re: Virus attack - URGENT @UBNT

As the devices are so configurable it is very difficult to test all scenarios, so there is a risk involved. I've found some newer versions introduce more problems than they solve.

It would be nice if Ubiquiti actually had stable / LTS branches of firmware that ONLY have security vulnerabilities patched, to reduce the risks of doing upgrades. When the vulnerability currently being exploited was reported to Ubiquiti last summer, resulting in the release of 5.6.2 for XM/XW devices (plus others for other platforms), it was only after many comments in the forums that 5.5.11 (XM), 5.5.10-u2 (XW) and 4.0.4 (XS) were produced.

 

New Member
Posts: 11
Registered: ‎05-14-2016

Re: Virus attack - URGENT @UBNT

There is a hole in all versions of the CGI scripts: index, login and others.

Established Member
Posts: 1,420
Registered: ‎05-18-2011
Kudos: 516
Solutions: 110
Contributions: 2

Re: Virus attack - URGENT @UBNT

If somebody here needs a solution to clean an entire radio network infected with this exploit, Ansible can be your friend to automate the entire job.

ubiquiti_clean.yml

---
- name: Clean Ubiquiti Network
  hosts: ubiquitinetwork
  serial: 1
  gather_facts: False
  tasks:
    - name: Remove mf.tar
      raw: rm /etc/persistent/mf.tar
      ignore_errors: yes
    - name: Rm Poststart
      raw: rm /etc/persistent/rc.poststart
      ignore_errors: yes
    - name: Rm Persistent .mf
      raw: rm -R /etc/persistent/.mf
      ignore_errors: yes
    - name: Save persistent config
      raw: cfgmtd -p /etc/persistent/ -w
      ignore_errors: yes
    - name: Reboot device
      raw: reboot
      ignore_errors: yes

Hosts file:

[ubiquitinetwork]
#Replace 1.2.3.4 with your C class, range (1.2.3.[4-10]), or whatever
1.2.3.4 ansible_connection=ssh ansible_ssh_user=your_device_user ansible_ssh_pass=your_device_password

Add to your ansible.cfg:

host_key_checking = False

Run the playbook and breathe:

ansible-playbook ubiquiti_clean.yml --force-handlers -v

 

New Member
Posts: 37
Registered: ‎01-31-2014
Kudos: 3

Re: Virus attack - URGENT @UBNT

amx, Ubiquiti sells cheap equipment with good performance, also cams etc., but their products are full of vulnerabilities and problems like this.
I would prefer they sold fewer products and made them more stable.
And as they say in Spain, they wash their hands of it when something like this happens.
Good luck amx
