From fa3fd0ebf74bec206aece9286b770ff7dc4cc434 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 30 May 2026 02:55:34 +0000 Subject: [PATCH] Add content from: Looting UniFi Controllers: Detecting and Weaponizing CVE-202... --- src/pentesting-web/file-inclusion/README.md | 40 +++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/src/pentesting-web/file-inclusion/README.md b/src/pentesting-web/file-inclusion/README.md index 54789064d34..55efd1642fb 100644 --- a/src/pentesting-web/file-inclusion/README.md +++ b/src/pentesting-web/file-inclusion/README.md 
@@ -256,6 +256,43 @@ It is the intended behaviour according to [the docs](https://docs.python.org/3.1 It looks like if you have a Path Traversal in Java and you **ask for a directory** instead of a file, a **listing of the directory is returned**. This won't be happening in other languages (afaik). + +## Error-triggered file reads in custom portal/resource loaders + +Some applications only consult a **user-controlled filename when rendering an error page**. If you can intentionally reach that error branch (wrong HTTP verb, missing required state, malformed object ID, invalid action token), the **error template parameter** becomes the traversal sink. + +```http +GET /guest/s/default/wechat/sign?page_error=../../../../.version +``` + +Typical pattern: + +- A request handler throws an error that is later copied into the request context. +- The error renderer reads a parameter such as `page_error`, `error_page`, or `template`. +- The selected path is streamed with code similar to `new FileInputStream(new File(baseDir + "/" + path))` or `IOUtils.copy(loader(path), res.getOutputStream())`. + +This is especially dangerous in **Java appliance portals** and branded login/guest portals where a **customized theme is loaded from disk**. If the app falls back to **bundled classpath resources** when customization is disabled, the same payload may only read harmless files from the JAR, producing false positives. + +### Safe validation when a bundled-resource fallback exists + +If the vulnerable route can read both **disk files** and **classpath/JAR resources**, avoid validating with secrets or with files that may exist in both places. + +1. **Calibrate traversal depth** with a common filename that exists in the normal application package. +2. **Confirm real filesystem access** with a **runtime-created disk-only file** (for example a generated catalog such as `firmware.json`). +3. 
Report different states instead of a simple yes/no: **vulnerable** (disk file read), **partially exposed** (only classpath hit), **not vulnerable**, **not exposed**. + +This avoids dumping secrets while also avoiding scanners that incorrectly flag a JAR resource as a successful arbitrary file read. + +### Extra checks once arbitrary file read is confirmed + +For **controllers / network appliances**, file read is usually more valuable than `/etc/passwd`: + +- **Predictable backup indexes** that reveal the real backup filename (e.g. `autobackup_meta.json` → download the referenced backup such as `.unf`). +- **Live database metadata** such as MongoDB/WiredTiger catalogs (`_mdb_catalog.wt`) to map interesting `collection-*.wt` files for offline recovery. +- **Application keystores** (`.p12`/`.pfx`/`PKCS12`), `system.properties`, and similar config files that can enable controller-to-device MITM, admin-hash cracking, or reuse of device/API credentials. + +Also test every connector that routes to the same servlet: **guest-portal paths may still answer on admin ports or reverse-proxied management listeners**, so blocking only the feature-specific port can miss real exposure. + ## Top 25 parameters Here’s list of top 25 parameters that could be vulnerable to local file inclusion (LFI) vulnerabilities (from [link](https://twitter.com/trbughunters/status/1279768631845494787)): 
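Review bot: the example request at the top of this hunk (`GET /guest/s/default/wechat/sign?page_error=../../../../.version`) does not say which of the listed error triggers (wrong verb, missing state, malformed ID, invalid token) makes `page_error` reach the file loader, nor what `.version` is, so a reader cannot tell why that request lands in the error branch or how to adapt it; add one sentence naming the trigger this route relies on and that `.version` is only a depth-calibration target. In the "Typical pattern" bullet the sink is quoted as `new FileInputStream(new File(baseDir + "/" + path))`; it would help to say in the same bullet that the bug is the missing canonicalization (no `getCanonicalPath()`/`startsWith(baseDir)` check), since that is also the one-line fix a reader will be asked about. The numbered "Safe validation" list has its third item split across lines (`3. ` followed by `Report different states ...` on the next line); make sure it is a single list line in the source or the item renders empty. Finally, the file names in "Extra checks" (`autobackup_meta.json`, `.unf`, `_mdb_catalog.wt`, `system.properties`) are specific to one controller product; either name it here or link the CVE reference this content was taken from so readers do not treat them as generic paths.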
@@ -844,6 +881,9 @@ Tune the number of `../` segments until you escape the intended directory, then - [Positive Technologies – Blind Trust: What Is Hidden Behind the Process of Creating Your PDF File?](https://swarm.ptsecurity.com/blind-trust-what-is-hidden-behind-the-process-of-creating-your-pdf-file/) - [HTB: Imagery (admin log download traversal + `/proc/self/environ` read)](https://0xdf.gitlab.io/2026/01/24/htb-imagery.html) - [HTB: Gavel](https://0xdf.gitlab.io/2026/03/14/htb-gavel.html) +- [Bishop Fox – Looting UniFi Controllers: Detecting and Weaponizing CVE-2026-22557](https://bishopfox.com/blog/looting-unifi-controllers-detecting-and-weaponizing-cve-2026-22557) +- [Bishop Fox – CVE-2026-22557 safe checker](https://github.com/BishopFox/CVE-2026-22557-check) +- [Ubiquiti Security Advisory Bulletin 062](https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b) {{#file}} EN-Local-File-Inclusion-1.pdf
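Review bot: these three references are the only place in the patch that mentions CVE-2026-22557 or UniFi, while the new section added above never cites them inline, so the link between the generic "Error-triggered file reads" text and its source is lost for anyone reading the section alone; add a short inline citation (for example "(see the Bishop Fox CVE-2026-22557 write-up in References)") in that section, and consider describing the checker repo entry as the tool that implements the vulnerable/partially-exposed/not-vulnerable states the section proposes, since that is what the added text is describing.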