yilhar amalei raynold
Magdalena Liendo
Ubiquiti Networks has designed the first airMAX ac radios with high performance and ease of installation in mind. You have the freedom to deploy the Rocket ac anywhere in the world, and it allows for a high degree of flexibility in configuring channel bandwidths (subject to local country regulations).
The Rocket ac is available as three models: the Rocket5ac Lite, Rocket5ac PtP, and Rocket5ac PtMP. All three include airMAX ac technology. The Rocket5ac PtP and Rocket5ac PtMP also feature airPrism technology to further enhance performance.
Launched with PtP functionality, the Rocket5ac Lite adds PtMP functionality with a firmware upgrade to airOS v7.1 or higher. The Rocket5ac Lite is a cost-effective basestation for links experiencing low or moderate levels of interference.
Featuring Ubiquiti's airPrism technology, the Rocket5ac PtP is designed for optimal PtP performance, although it can operate in PtMP mode. To take full advantage of its design and capabilities, deploy the Rocket5ac PtP for PtP links in noisy, high-density areas.
Also featuring Ubiquiti's airPrism technology, the Rocket5ac PtMP is designed for optimal PtMP performance, although it can operate in PtP mode. To take full advantage of its capabilities, deploy the Rocket5ac PtMP for PtMP links to airMAX ac CPEs located in crowded RF environments.
Unlike the standard WiFi protocol, Ubiquiti's Time Division Multiple Access (TDMA) airMAX protocol allows each client to send and receive data using pre-designated time slots scheduled by an intelligent AP controller.
This "time slot" method eliminates hidden node collisions and maximizes air time efficiency. It provides many magnitudes of performance improvements in latency, throughput, and scalability compared to all other outdoor systems in its class.
Ubiquiti's airMAX engine with custom IC dramatically improves TDMA latency and network scalability. The custom silicon provides hardware acceleration capabilities to the airMAX scheduler, to support the high data rates and dense modulation used in airMAX ac technology.
Improves SNR
High data rates require a high Signal-to-Noise Ratio (SNR), which is challenging to achieve, especially in noisy, high-density areas. Integrated into Ubiquiti's custom silicon, airPrism technology creates a high SNR by isolating signals within the operating channel and rejecting interference using specialized circuitry, the High-Selectivity Receiver (HSR).
Removes Interference
Depending on the product model and operating mode, available channel widths may include 10, 20, 30, 40, 50, 60, and/or 80 MHz. Theoretically APs operate on different channels; however, because of the wider channel bandwidths, there can be overlap in spectrum usage. airPrism technology removes up to an additional 30+ dB of adjacent channel interference through the active filtering design, so an airMAX ac AP with airPrism technology can provide significantly greater performance than a typical AP.
Facilitates AP Co-Location
Co-location is vital in many scenarios. For example, a WISP may have limited tower space, so it must co-locate all APs within that allotted footprint. Shielding and other means can lessen interference but may be impractical. By deploying airMAX ac APs with airPrism technology, you can co-locate APs and enhance the overall performance of your wireless network.
AirOS is an intuitive, versatile, highly developed Ubiquiti firmware technology that resides on Ubiquiti Station products. It is exceptionally intuitive and was designed to require no training to operate. Behind the user interface is a powerful firmware architecture which enables hi-performance outdoor multipoint networking.
An independent processor on the PCBA powers a second, dedicated radio, which persistently analyzes the full 5 GHz spectrum and every received symbol to provide you with the most advanced RF analytics in the industry.
This time-based graph shows the aggregate energy collected since the start of an AirView session, over time for each frequency. The power of the energy in dBm is shown across the frequency span and one row is inserted in this graph every few seconds.
It is important to note that the color of the energy designates its amplitude. The darker colors (Blues and darker shades) mean very low to low energy levels at that frequency bin, whereas increasingly brighter colors (ie: Green, Yellow, Orange, and finally Red) designate increasingly higher energy levels at the specific frequency bin.
The Waterfall View's legend (top-right corner) provides a numerical guide associating the various colors to power levels (dBm). The low end of that legend (left) is always adjusted with the calculated noise floor, and the high end (right) is set to the highest detected power level since the start of the session.
This graph is ideal for determining the best channel to setup a WiFi network for optimal performance. In the graph, each 2.4GHz WiFi channel is represented by a bar displaying a percentage representing the relative "crowdedness" of that specific channel.This percentage is calculated by analyzing both the popularity and the strength of RF energy in that channel since the start of a AirView session. An installer could use this view to optimize a network installation by avoiding highly used channels and setting up new AP's on channels showing the least usage.
This graph shows the aggregate energy collected since the start of an AirView Session. The power of the energy in dBm is shown across the frequency span. A Blue color will mean energy at a particular strength and frequency appears in the air with a relatively low occurence, whereas increasingly brighter colors (ie: Green, Yellow, Orange, and finally Red) designate energy appearing at a specific power/frequency with higher occurrence. The spectral view over time will essentially display the steady-state RF energy signature of a given environment. An installer could use this view to optimize a network installation by avoiding highly used channels and setting up new AP's on channels showing the least usage.
This graph displays a traditional Spectrum Analyzer in which energy (in dBm) is shown real-time as a function of frequency. There are three traces in this view: Max Hold, this trace will update and hold maximum power levels across the frequency since the start of an AirView session. Average, this trace shows the running average energy across frequency. Real-time, this trace shows the real-time energy seen by the AirView device as a function of frequency.
TOUGHCable CARRIER is a Category 6, outdoor, carrier-class shielded cable that features an integrated ESD drain wire, anti-crosstalk divider, and secondary shielding. It is rated to provide optimal performance on Gigabit Ethernet networks.
Specifically designed for use with Ubiquiti TOUGHCable, TOUGHCable Connectors protect against ESD attacks and Ethernet hardware damage, while allowing rapid field deployment without soldering. The standard TOUGHCable Connectors are available in a box of 100, while the TC-GND versions include ground wires and are available in a box of 20.
To connect your PoE devices, simply enable PoE in the easy-to-use TOUGHSwitch Confi guration Interface. Each port can be individually confi gured to provide PoE, so both PoE and non-PoE devices can be connected.
After seeing this arbitrary command execution vulnerability in Ubiquiti equipment, discovered by SEC Consult, I was intrigued. In that bug, code that would have been secure on a more recent version of PHP was rendered vulnerable because of the ancient PHP version used (2.0.1, which is nearly 20 years old). I wanted to see what other bugs might be caused by PHP that works in unexpected ways.
If someone has generated and subsequently used a login ticket since the last reboot, there will be an empty database of tickets in /tmp/.tickets.tdb (since all tickets have been used and removed from the database). This is the situation that opens the vulnerability.
We provide a non-empty ticket ID as a URL parameter ticketid. This is passed to the /bin/ma-show binary, which looks for that ticket ID in the ticket database. If that ticket is found, ma-show prints out the contents of the ticket and returns a zero exit code to indicate success (otherwise it returns a non-zero exit code). The PHP code parses the content of the ticket to find out which user the ticket is for, and finally it creates a logged-in session for that user using the ma-auth binary (the same binary that is used to create a session during a regular login).
Okay, so how can this go wrong? Well, ma-show actually has a bonus feature. If you call it with no ticket ID argument, it prints out every ticket in its database, and sets its exit code to the number of tickets that it printed out. We can trigger this by passing a single space character in as our ticket ID. Since the shell will treat it as whitespace and discard it, ma-show will only see one argument on its command line.
This is where the magic of PHP 2 comes in. In PHP 2, when you add a parameter to the URL, it causes that value to be set into a global variable with the same name as the parameter (what newer versions of PHP would call register globals). And the exec() command appends its output to whatever is already in the $lines array. So we can supply a ?lines[]= parameter in the URL to effectively add our own user grant to the otherwise-empty output of the first exec() call.
One way of achieving this mitigation would be to create two random tickets at a time, one of which will never be consumed, so that the ticket database is never emptied. If you were building your own custom authentication system on top of the ticket functionality, this is what you could do to avoid the vulnerability when used against older firmware.
c01484d022