Ubiquiti Community - Intrusion prevention triggered by opening web interface - ET EXPLOIT Razer Sila Router - LFI Attempt Inbound (No CVE)

Originally posted in the Ubiquiti Support Forums:
https://community.ui.com/questions/Intrusion-prevention-triggered-by-opening-web-interface-ET-EXPLOIT-Razer-Sila-Router-LFI-Attempt-In/b97ec140-d80b-4bb5-8dc8-c9bc268a41ab

I have an OpenWRT access point that I use for my garage together with my UniFi network (as the garage is far away, the WiFi signals don’t touch each other, and I use it because I don’t care much; it’s just to open Google Maps when leaving the garage).

The issue is that when I open the OpenWRT interface (192.168.88.3) from my MacBook (192.168.88.21) I get an intrusion prevention notification. Every time. This is how the notification looks:

I don’t get what the hell this means. I researched this issue but didn’t find anything useful, and the OpenWRT is pretty basic, recently reinstalled and configured as a “Dumb Access Point”.

Hopefully someone can give more insights. Thanks

1 Like

Response from Emerging Threats Team:

These signatures, 2035955 and 2035956, were created to detect two similar exploits on Razer Sila Routers. As the signature name suggests, there isn’t a CVE assigned, but I’ve included the links to exploit-db, which contain the relevant POCs.

The way that the exploit works is that it takes advantage of python-ubus-rpc, which allows remote calls to OpenWRT’s microbus architecture (ubus) to run privileged shell commands. Take the following POST, for example, which attempts to read /etc/passwd.

POST /ubus/ HTTP/1.1
Host: 192.168.8.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

{"jsonrpc":"2.0","id":3,"method":"call","params":["4183f72884a98d7952d953dd9439a1d1","file","read",{"path":"/etc/passwd"}]}

The Problem:

If you have the rpcd-mod-file plugin installed, it will allow calls to /ubus/ which let users remotely perform several file actions such as read, write, list, and execute. The two signatures we have in our ruleset were created to detect abuses of these procedures, but the rules are firing on legitimate requests. I’m not sure why those requests are being sent when you access OpenWRT’s web interface, but if you can share a pcap or the POST request that occurs when you log in, we should be able to see what file procedure is being called.

The Fix:

We’ve disabled these signatures in today’s (2023/03/07) release and will get some more specific signatures out this week that should mitigate false positives like this in the future.

I’ve taken the liberty of cross-posting this to our support forums here. If you have questions on other ET alerts, feel free to reach out to us directly at https://community.emergingthreats.net. Let us know if you have any other questions and we’re happy to help!

Signatures:

ET EXPLOIT Razer Sila Router - Command Injection Attempt Inbound (No CVE) - 2035955

ET EXPLOIT Razer Sila Router - LFI Attempt Inbound (No CVE) - 2035956

Exploit DB References:

2 Likes
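To illustrate the more specific matching the ET response describes (alerting on the rpcd-mod-file object's dangerous procedures rather than on every /ubus/ call a LuCI session makes), here is an added Python example that is not part of either post. The ubus `call` parameter layout (session id, object, method, arguments) is as shown in the quoted request; the sensitive-path list and the label names are assumptions made for this example.

```python
import json
from typing import Optional

# The ubus JSON-RPC body quoted in the ET post above, used here as a constructed
# test input (the session id is the one from the quoted request).
SAMPLE_LFI_BODY = (
    '{"jsonrpc":"2.0","id":3,"method":"call",'
    '"params":["4183f72884a98d7952d953dd9439a1d1","file","read",{"path":"/etc/passwd"}]}'
)

# Assumed list: files a normal LuCI session has no reason to read or write via ubus.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/config/")


def parse_ubus_call(body: str) -> Optional[dict]:
    """Return {'object', 'method', 'args'} for a ubus 'call' request body, else None."""
    try:
        msg = json.loads(body)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("method") != "call":
        return None
    params = msg.get("params")
    # rpcd 'call' params are [session_id, object, method, {arguments}]
    if not isinstance(params, list) or len(params) < 4 or not isinstance(params[3], dict):
        return None
    return {"object": params[1], "method": params[2], "args": params[3]}


def classify_file_call(body: str) -> str:
    """Classify a POST body sent to /ubus/: 'ignore', 'file-benign' or 'file-suspicious'."""
    call = parse_ubus_call(body)
    if call is None or call["object"] != "file":
        return "ignore"          # not a call to the rpcd-mod-file object at all
    method, args = call["method"], call["args"]
    if method == "exec":
        return "file-suspicious"  # 'exec' runs a command with rpcd's privileges
    path = str(args.get("path", ""))
    if method in ("read", "write") and any(path.startswith(p) for p in SENSITIVE_PATHS):
        return "file-suspicious"  # the /etc/passwd read from the quoted request lands here
    return "file-benign"          # e.g. a directory listing under /tmp during normal use
```

Matching on the object, method and path instead of on the bare /ubus/ endpoint is what keeps a benign LuCI request from tripping the same alert as the quoted /etc/passwd read.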