SlideShare a Scribd company logo

Unifi securitybugs sep2013

T
testslidesha12
1 of 4
Download to read offline
Security bugs discovered in Ubiquiti Unifi Controller Affected Component: Testing was performed on v3.1.4 (Linux). Stable versions and other platforms may be affected as well. Credits: Luca Carettoni #1 Insecure Java Random() to generate secret tokens - HIGH RISK java.util.Random is used across the entire codebase to generate secret tokens, such as session cookies, AP auth keys and reset tokens. This class is not suitable for strong random strings generation. Under some circumstances, it seems practical to predict the reset password token and compromise the admin account, which would lead to full compromise of the entire platform. In the Java version shipped with the Unifi controller, Random() depends on the time in nanosecond and a static seed. 77 public Random() { this(++seedUniquifier + System.nanoTime()); } 78 private static volatile long seedUniquifier = 8682522807148012L; Considering that a single instance of Random() is used across the Unifi Controller and multiple method invokes nextInt() (thus modifying the seed state), the exploitability of this issue is not trivial. In order to predict a token and compromise the application, an attacker would require: • Admin email • Time nanosecond of com.ubnt.ace.E class loading • Exact sequence of previous usage (e.g. how many reset tokens have been generated) A realistic attack can occur just after a reboot of the controller, as the application would be in a "clean" state. By invoking the recover password request and inspecting the HTTP response Date header, an attacker could predict with good approximation the time of the server Having that information, it is feasible to bruteforce the actual Random seed used by the remote server, using the following pseudocode:
As the controller code does not limit the number of verify token requests, it is possible to validate the generated tokens. According to my preliminary testing, the attack is possible although it would require several hours to succeed. Random() must be replaced with SecureRandom(). #2 System-wise Cross Site Request Forgery - HIGH RISK Unifi Controller does not protect the application against Cross-Site-Request-Forgery (CSRF) attacks. Please refer to http://en.wikipedia.org/wiki/Cross-site_request_forgery. For instance, it would be possible to override arbitrary options within system.properties that could eventually lead to full-compromise (e.g. by appending malicious MongoDB parameters). The following is an example of a malicious HTML page that would create the key "CSRF = CSRF". Another malicious abuse consists into forcing a change password using an attacker-controlled value. See bug #3. The application must use anti-CSRF arbitrary tokens to prevent those attacks. This is a standard practice in modern web applications. #3 Change password does not require old password - MEDIUM RISK As mentioned in #2, Unifi Controller does not require the old admin password while changing credentials. This is an insecure design that can be easily abused by malicious users. Any session hijacking vulnerability or CSRF could result in full compromise.
#4 Frameable response (ClickJacking) - MEDIUM RISK It might be possible for a web page controlled by an attacker to load the content Unifi web controller within an iframe on the attacker's page. This may enable a "clickjacking" attack (https://www.owasp.org/index.php/Clickjacking), in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions. To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. #5 Credentials are saved in plain-text within MongoDB - MEDIUM RISK Administration credentials are stored in plain-text (within ace, db.admin.find()) and displayed in clear-text within the Unifi Controller web interface. From the security standpoint, this is a bad practice; many types of vulnerability, such as weaknesses in session handling, broken access controls, and cross-site scripting, would enable an attacker to leverage this behavior to retrieve the passwords of other application users. Considering that the same credential is used by all APs SSH, this departure from best practice allows to compromise the entire platform. #6 Multiple Cross-Site Scripting vulnerabilities (Stored and Reflected) in /api/, abusing Internet Explorer content sniffing - LOW RISK Multiple /api/ endpoints allow to inject arbitrary HTML tags, as illustrated in the example below • /api/s/default/get/setting • /api/s/default/set/setting/connectivity • /api/s/default/set/setting/country • /api/s/default/set/setting/guest_access • /api/s/default/set/setting/mgmt • /api/s/default/set/setting/rsyslogd • /api/s/default/set/setting/snmp
• /api/s/test/set/setting/guest_access The user-supplied <a> tag is included within the response body; This behavior demonstrates that it is possible to inject new HTML tags into the returned document. This behavior can be abused by an attacker to perform Cross-Site Scripting against Internet Explorer users. JSON responses use the content-type application/json; the problem is that the default mime type list of Internet Explorer does not include that mime-type, thus it is possible to force the browser to sniff the content and display the page as HTML. For all technical details, please refer to http://blog.watchfire.com/wfblog/2011/10/json-based-xss- exploitation.html The author covers in great detail a possible technique. To prevent Content-Type sniffing in Internet Explorer and mitigate this attack, the application must include the following HTTP header in all HTTP responses: X-Content-Type-Options: nosniff Please refer to http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx

Recommended

AtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlassian
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 
Flashack
FlashackFlashack
Flashackn|u - The Open Security Community
 
persentation
persentationpersentation
persentationvinaykumarmahla
 
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...DevDay.org
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesMindfire Solutions
 
На страже ваших денег и данных
На страже ваших денег и данныхНа страже ваших денег и данных
На страже ваших денег и данныхPositive Hack Days
 

Recommended

AtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlassian
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 
Flashack
FlashackFlashack
Flashackn|u - The Open Security Community
 
persentation
persentationpersentation
persentationvinaykumarmahla
 
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...DevDay.org
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesMindfire Solutions
 
На страже ваших денег и данных
На страже ваших денег и данныхНа страже ваших денег и данных
На страже ваших денег и данныхPositive Hack Days
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 
Csrf not all defenses are created equal
Csrf not all defenses are created equalCsrf not all defenses are created equal
Csrf not all defenses are created equalAri Elias-Bachrach
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияPositive Hack Days
 
Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Sumanth Damarla
 
Browser Exploit Framework
Browser Exploit FrameworkBrowser Exploit Framework
Browser Exploit Frameworkn|u - The Open Security Community
 
Information gathering
Information gatheringInformation gathering
Information gatheringMoTechInc
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encodingEoin Keary
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security TopicsShawn Gorrell
 
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still WorksDEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still WorksRuss McRee
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseSurya Subhash
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applicationsMohammed A. Imran
 
Is word press vulnerable to xss and sql injections
Is word press vulnerable to xss and sql injectionsIs word press vulnerable to xss and sql injections
Is word press vulnerable to xss and sql injectionsssusercc9654
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Security In .Net Framework
Security In .Net FrameworkSecurity In .Net Framework
Security In .Net FrameworkRamakanta Behera
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5Jayesh Patel
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Linuxmalaysia Malaysia
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
BeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation FrameworkBeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation Frameworkawiasecretary
 
Makalah biologi
Makalah biologiMakalah biologi
Makalah biologimelanisha
 
Creativity Lego เอก
Creativity Lego เอก Creativity Lego เอก
Creativity Lego เอกeakchait
 

More Related Content

What's hot

How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 
Csrf not all defenses are created equal
Csrf not all defenses are created equalCsrf not all defenses are created equal
Csrf not all defenses are created equalAri Elias-Bachrach
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияPositive Hack Days
 
Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Sumanth Damarla
 
Information gathering
Information gatheringInformation gathering
Information gatheringMoTechInc
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encodingEoin Keary
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security TopicsShawn Gorrell
 
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still WorksDEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still WorksRuss McRee
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseSurya Subhash
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applicationsMohammed A. Imran
 
Is word press vulnerable to xss and sql injections
Is word press vulnerable to xss and sql injectionsIs word press vulnerable to xss and sql injections
Is word press vulnerable to xss and sql injectionsssusercc9654
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Security In .Net Framework
Security In .Net FrameworkSecurity In .Net Framework
Security In .Net FrameworkRamakanta Behera
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
BeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation FrameworkBeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation Frameworkawiasecretary
 

What's hot (20)

How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 
Csrf not all defenses are created equal
Csrf not all defenses are created equalCsrf not all defenses are created equal
Csrf not all defenses are created equal
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполнения
 
Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018
 
Browser Exploit Framework
Browser Exploit FrameworkBrowser Exploit Framework
Browser Exploit Framework
 
Information gathering
Information gatheringInformation gathering
Information gathering
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security Topics
 
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still WorksDEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & Defense
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applications
 
Is word press vulnerable to xss and sql injections
Is word press vulnerable to xss and sql injectionsIs word press vulnerable to xss and sql injections
Is word press vulnerable to xss and sql injections
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Security In .Net Framework
Security In .Net FrameworkSecurity In .Net Framework
Security In .Net Framework
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
BeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation FrameworkBeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation Framework
 

Viewers also liked

Makalah biologi
Makalah biologiMakalah biologi
Makalah biologimelanisha
 
Creativity Lego เอก
Creativity Lego เอก Creativity Lego เอก
Creativity Lego เอกeakchait
 
Autonomic Management of Cloud Applications with Tonomi, Gluecon Keynote, 2015
Autonomic Management of Cloud Applications with Tonomi, Gluecon Keynote, 2015Autonomic Management of Cloud Applications with Tonomi, Gluecon Keynote, 2015
Autonomic Management of Cloud Applications with Tonomi, Gluecon Keynote, 2015Victoria Livschitz
 
установка колонн летучек
установка колонн летучекустановка колонн летучек
установка колонн летучекgeoplast2007ru
 
Using Capifony for Symfony apps deployment.
Using Capifony for Symfony apps deployment.Using Capifony for Symfony apps deployment.
Using Capifony for Symfony apps deployment.Žilvinas Kuusas
 
IT Nation 2014 breakout
IT Nation 2014 breakoutIT Nation 2014 breakout
IT Nation 2014 breakoutGina Tragos
 
Revamping the math classroom
Revamping the math classroomRevamping the math classroom
Revamping the math classroomcamille541
 
الأغراء الحقيقى
الأغراء الحقيقىالأغراء الحقيقى
الأغراء الحقيقىEslam Ashraf
 
طريقنا الى القلوب!
طريقنا الى القلوب!طريقنا الى القلوب!
طريقنا الى القلوب!Eslam Ashraf
 
Enterprise in your degree - Neil Coles
Enterprise in your degree - Neil ColesEnterprise in your degree - Neil Coles
Enterprise in your degree - Neil ColesHEA_AH
 
Enhancing employability through enterprise education: BSc Business Enterprise...
Enhancing employability through enterprise education: BSc Business Enterprise...Enhancing employability through enterprise education: BSc Business Enterprise...
Enhancing employability through enterprise education: BSc Business Enterprise...HEA_AH
 
Autonomic Application Delivery with Tonomi
Autonomic Application Delivery with TonomiAutonomic Application Delivery with Tonomi
Autonomic Application Delivery with TonomiVictoria Livschitz
 
Aleksander Królikowski
Aleksander KrólikowskiAleksander Królikowski
Aleksander KrólikowskiDysk
 
Hand wrist exercises
Hand wrist exercisesHand wrist exercises
Hand wrist exercisestpeda65
 
Лабораторна робота LR4-5_4-5.1_kozachenko
Лабораторна робота LR4-5_4-5.1_kozachenkoЛабораторна робота LR4-5_4-5.1_kozachenko
Лабораторна робота LR4-5_4-5.1_kozachenkokozachenko2019
 
High availability is not a luxury webcast
High availability is not a luxury webcastHigh availability is not a luxury webcast
High availability is not a luxury webcastGina Tragos
 

Viewers also liked (20)

Makalah biologi
Makalah biologiMakalah biologi
Makalah biologi
 
Creativity Lego เอก
Creativity Lego เอก Creativity Lego เอก
Creativity Lego เอก
 
Autonomic Management of Cloud Applications with Tonomi, Gluecon Keynote, 2015
Autonomic Management of Cloud Applications with Tonomi, Gluecon Keynote, 2015Autonomic Management of Cloud Applications with Tonomi, Gluecon Keynote, 2015
Autonomic Management of Cloud Applications with Tonomi, Gluecon Keynote, 2015
 
установка колонн летучек
установка колонн летучекустановка колонн летучек
установка колонн летучек
 
Using Capifony for Symfony apps deployment.
Using Capifony for Symfony apps deployment.Using Capifony for Symfony apps deployment.
Using Capifony for Symfony apps deployment.
 
IT Nation 2014 breakout
IT Nation 2014 breakoutIT Nation 2014 breakout
IT Nation 2014 breakout
 
One pagepdf
One pagepdfOne pagepdf
One pagepdf
 
Revamping the math classroom
Revamping the math classroomRevamping the math classroom
Revamping the math classroom
 
скс
сксскс
скс
 
الأغراء الحقيقى
الأغراء الحقيقىالأغراء الحقيقى
الأغراء الحقيقى
 
طريقنا الى القلوب!
طريقنا الى القلوب!طريقنا الى القلوب!
طريقنا الى القلوب!
 
Enterprise in your degree - Neil Coles
Enterprise in your degree - Neil ColesEnterprise in your degree - Neil Coles
Enterprise in your degree - Neil Coles
 
Enhancing employability through enterprise education: BSc Business Enterprise...
Enhancing employability through enterprise education: BSc Business Enterprise...Enhancing employability through enterprise education: BSc Business Enterprise...
Enhancing employability through enterprise education: BSc Business Enterprise...
 
Autonomic Application Delivery with Tonomi
Autonomic Application Delivery with TonomiAutonomic Application Delivery with Tonomi
Autonomic Application Delivery with Tonomi
 
非リア充
非リア充非リア充
非リア充
 
Aleksander Królikowski
Aleksander KrólikowskiAleksander Królikowski
Aleksander Królikowski
 
Hand wrist exercises
Hand wrist exercisesHand wrist exercises
Hand wrist exercises
 
Лабораторна робота LR4-5_4-5.1_kozachenko
Лабораторна робота LR4-5_4-5.1_kozachenkoЛабораторна робота LR4-5_4-5.1_kozachenko
Лабораторна робота LR4-5_4-5.1_kozachenko
 
High availability is not a luxury webcast
High availability is not a luxury webcastHigh availability is not a luxury webcast
High availability is not a luxury webcast
 
INTERNET PROTOCOL
INTERNET PROTOCOLINTERNET PROTOCOL
INTERNET PROTOCOL
 

Similar to Unifi securitybugs sep2013

Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Report on xss and do s
Report on xss and do sReport on xss and do s
Report on xss and do smehr77
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing ReportAman Srivastava
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec TrainingMike Spaulding
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryNikola Milosevic
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019Alexander Master
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxkarthikvcyber
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
logout.php Session Data after Logout Username Email . $_.docx
logout.php Session Data after Logout Username Email . $_.docxlogout.php Session Data after Logout Username Email . $_.docx
logout.php Session Data after Logout Username Email . $_.docxsmile790243
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011Samvel Gevorgyan
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesVi Tính Hoàng Nam
 
Secure Android Development
Secure Android DevelopmentSecure Android Development
Secure Android DevelopmentShaul Rosenzwieg
 
17726 bypassing-phpids-0.6.5
17726 bypassing-phpids-0.6.517726 bypassing-phpids-0.6.5
17726 bypassing-phpids-0.6.5Attaporn Ninsuwan
 

Similar to Unifi securitybugs sep2013 (20)

Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 
Report on xss and do s
Report on xss and do sReport on xss and do s
Report on xss and do s
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing Report
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec Training
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
 
T04505103106
T04505103106T04505103106
T04505103106
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
 
ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
logout.php Session Data after Logout Username Email . $_.docx
logout.php Session Data after Logout Username Email . $_.docxlogout.php Session Data after Logout Username Email . $_.docx
logout.php Session Data after Logout Username Email . $_.docx
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilities
 
Secure Android Development
Secure Android DevelopmentSecure Android Development
Secure Android Development
 
17726 bypassing-phpids-0.6.5
17726 bypassing-phpids-0.6.517726 bypassing-phpids-0.6.5
17726 bypassing-phpids-0.6.5
 

More from testslidesha12

Ha cluster -Public to Private
Ha cluster -Public to PrivateHa cluster -Public to Private
Ha cluster -Public to Privatetestslidesha12
 

More from testslidesha12 (8)

Ha cluster -Public to Private
Ha cluster -Public to PrivateHa cluster -Public to Private
Ha cluster -Public to Private
 
&lt;img src="xx">
&lt;img src="xx">&lt;img src="xx">
&lt;img src="xx">
 
One pagepdf
One pagepdfOne pagepdf
One pagepdf
 
One pagepdf
One pagepdfOne pagepdf
One pagepdf
 
One pagepdf
One pagepdfOne pagepdf
One pagepdf
 
One pagepdf
One pagepdfOne pagepdf
One pagepdf
 
One pagepdf
One pagepdfOne pagepdf
One pagepdf
 
&lt;img src="xx">
&lt;img src="xx">&lt;img src="xx">
&lt;img src="xx">
 

Unifi securitybugs sep2013

  • 1. Security bugs discovered in Ubiquiti Unifi Controller Affected Component: Testing was performed on v3.1.4 (Linux). Stable versions and other platforms may be affected as well. Credits: Luca Carettoni #1 Insecure Java Random() to generate secret tokens - HIGH RISK java.util.Random is used across the entire codebase to generate secret tokens, such as session cookies, AP auth keys and reset tokens. This class is not suitable for strong random strings generation. Under some circumstances, it seems practical to predict the reset password token and compromise the admin account, which would lead to full compromise of the entire platform. In the Java version shipped with the Unifi controller, Random() depends on the time in nanosecond and a static seed. 77 public Random() { this(++seedUniquifier + System.nanoTime()); } 78 private static volatile long seedUniquifier = 8682522807148012L; Considering that a single instance of Random() is used across the Unifi Controller and multiple method invokes nextInt() (thus modifying the seed state), the exploitability of this issue is not trivial. In order to predict a token and compromise the application, an attacker would require: • Admin email • Time nanosecond of com.ubnt.ace.E class loading • Exact sequence of previous usage (e.g. how many reset tokens have been generated) A realistic attack can occur just after a reboot of the controller, as the application would be in a "clean" state. By invoking the recover password request and inspecting the HTTP response Date header, an attacker could predict with good approximation the time of the server Having that information, it is feasible to bruteforce the actual Random seed used by the remote server, using the following pseudocode:
  • 2. As the controller code does not limit the number of verify token requests, it is possible to validate the generated tokens. According to my preliminary testing, the attack is possible although it would require several hours to succeed. Random() must be replaced with SecureRandom(). #2 System-wise Cross Site Request Forgery - HIGH RISK Unifi Controller does not protect the application against Cross-Site-Request-Forgery (CSRF) attacks. Please refer to http://en.wikipedia.org/wiki/Cross-site_request_forgery. For instance, it would be possible to override arbitrary options within system.properties that could eventually lead to full-compromise (e.g. by appending malicious MongoDB parameters). The following is an example of a malicious HTML page that would create the key "CSRF = CSRF". Another malicious abuse consists into forcing a change password using an attacker-controlled value. See bug #3. The application must use anti-CSRF arbitrary tokens to prevent those attacks. This is a standard practice in modern web applications. #3 Change password does not require old password - MEDIUM RISK As mentioned in #2, Unifi Controller does not require the old admin password while changing credentials. This is an insecure design that can be easily abused by malicious users. Any session hijacking vulnerability or CSRF could result in full compromise.
  • 3. #4 Frameable response (ClickJacking) - MEDIUM RISK It might be possible for a web page controlled by an attacker to load the content Unifi web controller within an iframe on the attacker's page. This may enable a "clickjacking" attack (https://www.owasp.org/index.php/Clickjacking), in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions. To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. #5 Credentials are saved in plain-text within MongoDB - MEDIUM RISK Administration credentials are stored in plain-text (within ace, db.admin.find()) and displayed in clear-text within the Unifi Controller web interface. From the security standpoint, this is a bad practice; many types of vulnerability, such as weaknesses in session handling, broken access controls, and cross-site scripting, would enable an attacker to leverage this behavior to retrieve the passwords of other application users. Considering that the same credential is used by all APs SSH, this departure from best practice allows to compromise the entire platform. #6 Multiple Cross-Site Scripting vulnerabilities (Stored and Reflected) in /api/, abusing Internet Explorer content sniffing - LOW RISK Multiple /api/ endpoints allow to inject arbitrary HTML tags, as illustrated in the example below • /api/s/default/get/setting • /api/s/default/set/setting/connectivity • /api/s/default/set/setting/country • /api/s/default/set/setting/guest_access • /api/s/default/set/setting/mgmt • /api/s/default/set/setting/rsyslogd • /api/s/default/set/setting/snmp
  • 4. • /api/s/test/set/setting/guest_access The user-supplied <a> tag is included within the response body; This behavior demonstrates that it is possible to inject new HTML tags into the returned document. This behavior can be abused by an attacker to perform Cross-Site Scripting against Internet Explorer users. JSON responses use the content-type application/json; the problem is that the default mime type list of Internet Explorer does not include that mime-type, thus it is possible to force the browser to sniff the content and display the page as HTML. For all technical details, please refer to http://blog.watchfire.com/wfblog/2011/10/json-based-xss- exploitation.html The author covers in great detail a possible technique. To prevent Content-Type sniffing in Internet Explorer and mitigate this attack, the application must include the following HTTP header in all HTTP responses: X-Content-Type-Options: nosniff Please refer to http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx