mFiPatchMe is the unofficial security patch for Ubiquiti Networks mFi Controller 2.1.11
On September 3, 2015, SecuriTeam disclosed a vulnerability in the Ubiquiti Networks mFi Controller, software used to configure and control automation devices such as power outlets, light/motion/temperature sensors, etc. To understand the capabilities of the machine-to-machine platform, please have a look at the vendor page.
The security flaw allows an attacker to retrieve the current admin password due to a bypass in the authentication mechanism used by the mFi Controller Server.
Just a few hours after the public release of the SSD Advisory – Ubiquiti Networks mFi Controller Server Authentication Bypass, the page was removed to accommodate the vendor's request, since a patch was not available for download. According to the advisory and Noam Rathaus's tweet, the vendor had been aware of this critical vulnerability since the beginning of July 2015.
Considering that the advisory published on 09/03/2015 contained a technical description of the vulnerability, including a reliable exploit, it is reasonable to assume that the security flaw can be easily abused by unsophisticated attackers. While the information was removed from the SecuriTeam website and /r/netsec, a quick search on Google is sufficient to find the exploit for this bug.
Despite the public exposure, Ubiquiti has yet to publish a patch.
After waiting patiently for a few weeks, I created my own patch. Using mFiPatchMe, you will be able to easily patch your controller and leave it running without worries. As it took me one hour to create a fix without preliminary knowledge of the codebase, it's surprising that Ubiquiti has not released a solution for this security issue.
Disclaimer: This is NOT an official patch provided by Ubiquiti Networks. Use at your own risk! The patch tool does NOT include any Ubiquiti Networks' code, library or resources.
How to patch your Ubiquiti mFi Controller 2.1.11 (Linux)
- Download the patch tool JAR, or compile it yourself using the code in this repository.
- Stop the mFi controller service
$ sudo /etc/init.d/mfi stop
- Go to the mFi controller directory
- Optionally, make a backup of the mFi controller JAR
$ cp ace.jar aceORI.jar
- Run the patch tool on the mFi controller JAR (ace.jar) and follow the instructions
$ java -jar UbntmFiPatchMe.jar -file ace.jar
- Once completed, start the mFi controller service again
$ sudo /etc/init.d/mfi start
At this point, the controller should work as usual. From my preliminary tests, the patch seems to work without side effects. While these instructions are for Linux only, the same patch tool can be used for Ubiquiti mFi Controller 2.1.11 on Mac OS X and Windows.
java -jar UbntmFiPatchMe.jar -file ace.jar
--[ UbntmFiPatchMe v0.1 - @_ikki ]
[*] Opening Ubiquiti mFi Controller's jar "ace.jar"
[*] Patching "com/ubnt/ace/view/AuthFilter" class
[*] Ready to update "ace.jar". Are you sure? (yes/no)
>yes
[*] Executing "jar -uvf ace.jar -C /tmp/com/ubnt/ace/view/AuthFilter.class"
[*] Patched
Under the hood
Since the vulnerability details have been removed from the Internet (oh, sure!), I will refrain from providing specific details here. At a high level, the patch tool simply looks for the vulnerable code and modifies the original Java class to perform URL decoding and normalization. Javassist is used here to manipulate the JVM bytecode. Thanks to the ExprEditor implementation, it is possible to modify the body of a method with a simple strategy pattern.
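As an added illustration of the general technique named above (decode and normalize the request path before the authentication decision), here is a standalone Java sketch. It is not the patch tool's code, not mFi's code, and does not reproduce the removed advisory; the class name, the `/public/` prefix and the sample paths are assumptions, and it needs Java 10 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;

public class CanonicalPathCheck {
    // Hypothetical prefix for pages served without a session (assumption, not mFi's).
    static final String PUBLIC_PREFIX = "/public/";

    // Percent-decode once; '+' is literal in a path, so shield it from form decoding.
    static String decode(String s) {
        return URLDecoder.decode(s.replace("+", "%2B"), StandardCharsets.UTF_8);
    }

    // Return the decoded path with "." and ".." resolved, or throw if it is suspicious.
    static String canonicalize(String rawPath) {
        String once = decode(rawPath);
        if (!once.equals(decode(once)))
            throw new IllegalArgumentException("double-encoded path");
        if (!once.startsWith("/") || once.indexOf('\\') >= 0 || once.indexOf('\0') >= 0)
            throw new IllegalArgumentException("malformed path");
        Deque<String> out = new ArrayDeque<>();
        for (String seg : once.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (!seg.equals("..")) out.addLast(seg);
            else if (out.pollLast() == null)
                throw new IllegalArgumentException("path escapes root");
        }
        String path = "/" + String.join("/", out);
        return once.endsWith("/") && !out.isEmpty() ? path + "/" : path;
    }

    // Hardened decision: compare the canonical path, and fail closed on bad input.
    static boolean requiresAuth(String rawPath) {
        try {
            return !canonicalize(rawPath).startsWith(PUBLIC_PREFIX);
        } catch (IllegalArgumentException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from the advisory or from mFi.
        String[] samples = {"/public/login", "/public/./login",
                "/public/%2e%2e/admin/settings", "/public/%252e%252e/admin/settings"};
        for (String p : samples) {
            boolean naive = !p.startsWith(PUBLIC_PREFIX); // weak: decides on the raw string
            System.out.printf("%-36s raw check: auth=%-5b canonical check: auth=%b%n",
                    p, naive, requiresAuth(p));
        }
    }
}
```

The point of the comparison is that the access decision and the resource lookup must see the same canonical path; any input that cannot be canonicalized is treated as requiring authentication.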