40 changes: 40 additions & 0 deletions src/pentesting-web/file-inclusion/README.md
Expand Up @@ -256,6 +256,43 @@ It is the intended behaviour according to [the docs](https://docs.python.org/3.1

It looks like if you have a Path Traversal in Java and you **ask for a directory** instead of a file, a **listing of the directory is returned**. This won't be happening in other languages (afaik).


## Error-triggered file reads in custom portal/resource loaders

Some applications only consult a **user-controlled filename when rendering an error page**. If you can intentionally reach that error branch (wrong HTTP verb, missing required state, malformed object ID, invalid action token), the **error template parameter** becomes the traversal sink.

```http
GET /guest/s/default/wechat/sign?page_error=../../../../.version
```

Typical pattern:

- A request handler throws an error that is later copied into the request context.
- The error renderer reads a parameter such as `page_error`, `error_page`, or `template`.
- The selected path is streamed with code similar to `new FileInputStream(new File(baseDir + "/" + path))` or `IOUtils.copy(loader(path), res.getOutputStream())`.

This is especially dangerous in **Java appliance portals** and branded login/guest portals where a **customized theme is loaded from disk**. If the app falls back to **bundled classpath resources** when customization is disabled, the same payload may only read harmless files from the JAR, producing false positives.

### Safe validation when a bundled-resource fallback exists

If the vulnerable route can read both **disk files** and **classpath/JAR resources**, avoid validating with secrets or with files that may exist in both places.

1. **Calibrate traversal depth** with a common filename that exists in the normal application package.
2. **Confirm real filesystem access** with a **runtime-created disk-only file** (for example a generated catalog such as `firmware.json`).
3. Report different states instead of a simple yes/no: **vulnerable** (disk file read), **partially exposed** (only classpath hit), **not vulnerable**, **not exposed**.

This avoids dumping secrets while also avoiding scanners that incorrectly flag a JAR resource as a successful arbitrary file read.

### Extra checks once arbitrary file read is confirmed

For **controllers / network appliances**, file read is usually more valuable than `/etc/passwd`:

- **Predictable backup indexes** that reveal the real backup filename (e.g. `autobackup_meta.json` → download the referenced backup such as `.unf`).
- **Live database metadata** such as MongoDB/WiredTiger catalogs (`_mdb_catalog.wt`) to map interesting `collection-*.wt` files for offline recovery.
- **Application keystores** (`.p12`/`.pfx`/`PKCS12`), `system.properties`, and similar config files that can enable controller-to-device MITM, admin-hash cracking, or reuse of device/API credentials.

Also test every connector that routes to the same servlet: **guest-portal paths may still answer on admin ports or reverse-proxied management listeners**, so blocking only the feature-specific port can miss real exposure.

## Top 25 parameters

Here’s list of top 25 parameters that could be vulnerable to local file inclusion (LFI) vulnerabilities (from [link](https://twitter.com/trbughunters/status/1279768631845494787)):
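Review bot: step 3 of the validation list defines only two of its four outcome states. "vulnerable" and "partially exposed" get a parenthetical, but "not vulnerable" and "not exposed" do not, so a reader cannot tell what separates them. Spell each one out, for example `**not vulnerable** (traversal rejected by the route)` and `**not exposed** (route not served on the tested listener)`. Two smaller points in the same hunk: the `http` block carries only a request line, so add the version and a `Host:` line (`GET /guest/s/default/wechat/sign?page_error=../../../../.version HTTP/1.1` followed by `Host: <controller>`) so it reads as a complete request; and the section never says that `/guest/s/default/wechat/sign`, the `.unf` backup format and `_mdb_catalog.wt` belong to a specific product, although the Bishop Fox and Ubiquiti references added in this same PR make clear this is UniFi controller material, so link those references from the section itself rather than only from the list at the bottom.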
Expand Down Expand Up @@ -844,6 +881,9 @@ Tune the number of `../` segments until you escape the intended directory, then
- [Positive Technologies – Blind Trust: What Is Hidden Behind the Process of Creating Your PDF File?](https://swarm.ptsecurity.com/blind-trust-what-is-hidden-behind-the-process-of-creating-your-pdf-file/)
- [HTB: Imagery (admin log download traversal + `/proc/self/environ` read)](https://0xdf.gitlab.io/2026/01/24/htb-imagery.html)
- [HTB: Gavel](https://0xdf.gitlab.io/2026/03/14/htb-gavel.html)
- [Bishop Fox – Looting UniFi Controllers: Detecting and Weaponizing CVE-2026-22557](https://bishopfox.com/blog/looting-unifi-controllers-detecting-and-weaponizing-cve-2026-22557)
- [Bishop Fox – CVE-2026-22557 safe checker](https://github.com/BishopFox/CVE-2026-22557-check)
- [Ubiquiti Security Advisory Bulletin 062](https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b)

{{#file}}
EN-Local-File-Inclusion-1.pdf
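Review bot: the Ubiquiti entry's title does not say what Bulletin 062 covers, whereas the two Bishop Fox entries right above it name CVE-2026-22557; retitle it along the lines of `[Ubiquiti Security Advisory Bulletin 062 (CVE-2026-22557)](https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b)` so a reader scanning the list can pair the vendor advisory with the write-up and checker it belongs to.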