web crash reboot unrecoverily
Overview
* Type: crash
* Supplier: UniFi (https://www.ui.com/)
* Product: EdgeMax EdgeRouter-x, latest firmware version v2.0.9-hotfix.6
* Firmware download: https://www.ui.com/download/edgemax/edgerouter-x/er-x
* Affect version: v2.0.9-hotfix.6
Description
One malformed request makes the web service of the router crash and cannot recover through rebooting. The device can be recovered only by reset.
Business Impact
This vulnerability is easily exploited with only one packet and can result in the affected devices crashed and can only recover from reset. Thus the vulnerability is very dangerous which could also result in reputational damage for the business through the impact on customers' trust.
Steps to Reproduce
I have put the PoC (exp.py) in the next section. Configure several parameters, and execute it, the device's web service will crash. The parameters are as below:
- username, password: user who is the administrator on the web (default: ubnt, ubnt).
- device_web_ip: web IP address of the target device.
Proof of Concept
After executing the POC script, you will find the device web service is crashed. You can retry to visit the device's web through the browser or telnet device's web service port(telnet 192.168.1.1 443) to check router status.