Showing posts from July, 2014


This CVE covers a vulnerability found in the Ubiquiti Networks AirVision application. For more background on this particular vulnerability, check out this post: Exploiting misconfigured crossdomain.xml files. In fact, I wrote that first crossdomain.xml blog post after finding this AirVision vulnerability back in February. If you already read that post, you should recognize that the vulnerable form I use for the POC here (adding an administrator) is the same one I used earlier. Here is a cleaned-up version of what I sent to Ubiquiti back in February:

AirVision Controller v2.1.3 - Overly Permissive default crossdomain.xml
CWE-264:

Misuse Case: If the victim user is authenticated with their AirVision Controller, and they visit a malicious site, the owner of the malicious site can make changes to, and read data from, the AirVision Controller. The malicious site can even add a new administrative user account.

Vulnerable


Ubiquiti - UniFi Controller - Admin/root password hash sent via syslog
CWE-310:

Misuse case: An attacker who has access to network traffic between the UniFi controller and the configured syslog server can retrieve the password hash and use it to access all managed access points, and potentially the UniFi controller as well.

Details: If remote logging is enabled on the UniFi controller, the controller sends syslog messages to the configured syslog server. Contained within the syslog messages is the admin password hash that is used by both the UniFi controller and all managed Access Points. In the screenshot below, the auth key and the encrypted password are highlighted in yellow. The password is encrypted using the legacy crypt(1) utility, which uses Traditional DES [128/128 BS SSE2], and can be recovered using John the Ripper:

Note: The salt (and hash) changes each time the message is sent, but


This CVE covers three separate Ubiquiti Networks applications that are all vulnerable to CSRF:

UniFi Controller
mFi Controller
AirVision Controller

Ubiquiti - UniFi Controller v2.4.6 - Cross-site Request Forgery (CSRF)
CWE-352:

The UniFi application is vulnerable to CSRF in multiple locations. The CWE link above has a great summary of the vulnerability. In the POC below, I demonstrate how an unauthenticated attacker can send a malicious hyperlink to an authenticated administrator, and how, if the administrator clicks on the link, the attacker can force the authenticated administrator to perform quite a few actions without knowing it. The most serious POC involves the attacker causing the administrator to create a second administrator account. The attacker can now log into the UniFi controller with this second account (if they have network access to the UniFi controller), and perform any actions that an administrator can