Vulnerable Service Path in UniFi Network Application

Endure Secure Knowledge Base

Vulnerability Summary

When specific conditions are present, a vulnerable service path in UniFi Network Application can be exploited to run arbitrary code as SYSTEM, making this a privilege escalation vulnerability. We tested it on the latest version of the software at the time; it may be present in all previous versions.

The vulnerability was discovered and successfully exploited in a penetration test of a production server in January 2023 by Endure Secure.

Technical Details

Test Environment

Unifi Network Application for Windows

Software: UniFi Network Application 7.3.76 for Windows
File Name: UniFi-installer.exe
SHA1: ed11291c38e40a71b51bf34b923f89bc0a9ea778
URL: https://dl.ui.com/unifi/7.3.76/UniFi-installer.exe

Operating System

Edition: Windows Server 2022 Standard
Version: 21H2
OS Build: 20348.587

Conditions

This vulnerability may be exploited to run arbitrary code as SYSTEM by a low-privileged User with local access to a Windows host when the following conditions are met:

  • Unifi Network Application for Windows has been installed. Tested on version 7.3.76 (previous versions are likely vulnerable).
  • Unifi Network Application for Windows is running as a Windows Service. (https://help.ui.com/hc/en-us/articles/205144550-UniFi-Run-the-Network-Application-as-a-Windows-Service-Advanced)
  • The Unifi service is running as SYSTEM (this is the default).
  • The Unifi service is configured to start automatically.
  • The User has permission to introduce a file into the <path>\Ubiquiti UniFi\bin directory (but does NOT have permission to replace the Unifi.exe file). This requires the ‘Create files / write data’ advanced permission.

Steps to Reproduce

  1. Create a Windows executable file and name it Unifi.
  2. Place the file in the <path>\Ubiquiti UniFi\bin directory.
  3. Trigger the Unifi service to restart – either manually or by restarting the system.

Explanation

This vulnerability shares similarities with ‘unquoted service path’ vulnerabilities (https://attack.mitre.org/techniques/T1574/009/) in that it exploits ambiguities in the ‘Path to executable’ setting of the Windows Service.

In default installations of the UniFi service, the Path to executable is "<path>\Ubiquiti UniFi\bin\UniFi" //RS//UniFi, with <path> being whichever directory UniFi was installed in, for example "C:\Users\Administrator\Ubiquiti UniFi\bin\UniFi" //RS//UniFi.

The executable actually launched from this location is UniFi.exe, not UniFi. When the file extension is omitted, Windows still locates and launches UniFi.exe, so the service starts normally. However, as with the Unquoted Service Path vulnerability, Windows tries the shortest valid path first: if a file named UniFi (no extension) has been added to that directory, it will be launched instead.

In many cases, a User who is able to create a new file in a directory can also simply delete and replace every file in it. There are, however, cases where a User cannot delete or modify existing files but can still create files in the directory, through Advanced permissions.
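The following audit script is an added example, not part of the Endure Secure advisory or of UniFi itself. It generalises the two conditions above: it lists every service whose Path to executable names a binary without an extension and reports whether Everyone, Authenticated Users or BUILTIN\Users hold the "Create files / write data" right on that binary's directory. It assumes an elevated PowerShell session on the host being audited.

```powershell
# Added example: audit services for an extensionless binary in the service path
# combined with a directory that low-privileged principals can create files in.
# Assumes an elevated PowerShell session on the host being audited.

# Everyone, Authenticated Users, BUILTIN\Users: groups any low-privileged user belongs to.
$lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
$createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles

function Get-ServiceBinary {
    param([string]$PathName)
    # Quoted path: take the quoted token. Otherwise take the first whitespace-delimited token.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

function Get-LowPrivCreators {
    param([string]$Directory)
    # Returns the low-privileged identities allowed CreateFiles on $Directory.
    $found = @()
    if (-not (Test-Path -LiteralPath $Directory)) { return $found }
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or untranslatable identity
        if (($lowPrivSids -contains $sid) -and (([int]$ace.FileSystemRights -band $createFiles) -ne 0)) {
            $found += $ace.IdentityReference.Value
        }
    }
    return $found
}

Get-CimInstance Win32_Service | ForEach-Object {
    $bin = Get-ServiceBinary $_.PathName
    if (-not $bin) { return }
    # Only the extensionless case matters here, e.g. ...\bin\UniFi rather than ...\bin\UniFi.exe.
    if ([System.IO.Path]::GetExtension($bin)) { return }
    $creators = Get-LowPrivCreators (Split-Path -Path $bin -Parent)
    [pscustomobject]@{
        Service       = $_.Name
        StartMode     = $_.StartMode
        RunsAs        = $_.StartName
        Binary        = $bin
        CreateFilesBy = ($creators -join ', ')
    }
} | Format-Table -AutoSize
```

An unquoted path containing spaces also appears in this output (its first token has no extension), which is the related T1574.009 condition and worth fixing for the same reason. A row with StartMode Auto, RunsAs LocalSystem and a non-empty CreateFilesBy column matches the conditions this page describes.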

Proof of Concept

We identified this vulnerability in January 2023, during a Penetration Test engagement of a customer network. In that instance, the UniFi directory was ‘C:\Ubiquiti UniFi’. Our low-privilege User account was able to create a file called ‘UniFi’ in the ‘C:\Ubiquiti UniFi\bin’ directory. This file was an executable coded in C that added our User account to the Local Administrators group:

#include <stdlib.h>

int main(void)
{
    /* Add the pentest account server\endsec to the local Administrators group.
       The backslash must be escaped in a C string literal ("\e" is not a standard escape). */
    int i = system("net localgroup administrators server\\endsec /add");
    (void)i;   /* exit status of net.exe, unused here */
    return 0;
}

After triggering a restart of the system, our User was now an Administrator on the local machine.

Recommendations

Change the ‘Path to executable’ from:

"<path>\Ubiquiti UniFi\bin\UniFi" //RS//UniFi

To:

"<path>\Ubiquiti UniFi\bin\UniFi.exe" //RS//UniFi