Ubiquiti exposed a Jenkins server on the internet without any authentication, this allowed me to reach the AWS metadata service and execute code on the server itself. They resolved the issue and rewarded a bounty within 30 minutes of reporting, really impressive.
First of all. I'm not 100% able to verify that this server is actually owned by Ubnt as there are multiple DNS Name's in the SSL certificate.
DNS Name: *.uum.com DNS Name: *.ubnt.com DNS Name: *.svc.ubnt.com DNS Name: *.api.uum.com DNS Name: *.svc.uum.com DNS Name: uum.com
You can execute code on it by going to: https://126.96.36.199/script and insert the following code:
Result: bin boot dev docker-java-home etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
It also allows reaching the AWS metadata server:
ami-id ami-launch-index ami-manifest-path block-device-mapping/ hostname iam/ instance-action instance-id instance-type local-hostname local-ipv4 mac metrics/ network/ placement/ profile public-hostname public-ipv4 public-keys/ reservation-id security-groups services/