Svg XSS in Unifi v5.0.2

This is another finding in Unifi Controller.

Description:

I have found a persistent XSS vulnerability in the UniFi Controller that allows attackers to steal users' cookies, perform CSRF attacks against the victim's account, or carry out phishing attacks. This vulnerability occurs because the page allows SVG attachments that contain "xmlns=http://www.w3.org/1999/xhtml"; the page then renders the content of the XML as HTML, resulting in an XSS vulnerability.

Many websites now allow SVG files to be uploaded under the images category. But did they filter the content of the SVG file before placing it on the server? The answer is ummm…? To verify this, what I did was create an SVG file with the XSS vector below and start testing the websites that allow images.

Demo:

http://guptashubham.com/poc.svg

Reproduce:

1) While logged in to the UniFi Controller, go to https://localhost:8443/manage/site/urrhpg78/maps
2) In Image, upload the poc.svg
3) Click "Upload File".
4) After the file is uploaded, open the image.
5) See the XSS alert.

Direct link:

The direct link will be something like

https://localhost:8443/file/s/urrhpg78/map/ID

[Screenshot: unifi_controller_5-0-2_beta_svg_xss]

I found the same bug in some other applications; you can have a look at Jasminder Pal Singh's blog. This bug also affects demo.ubnt.com.

Fix:

A simple fix for this vulnerability is to block SVG file uploads. If that isn't possible, a good method is to parse the SVG file and reject the upload if it contains HTML or invalid tags.
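As an added illustration of the second fix described above (my own example, not code from the original post or from Ubiquiti), the following Python validator parses an uploaded SVG and rejects it if it carries foreign-namespace elements such as XHTML, script-bearing elements, event-handler attributes, or script-scheme hrefs. The sample SVGs at the bottom are constructed here to mirror the vectors the posts describe.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ALLOWED_NS = {SVG_NS, "http://www.w3.org/1999/xlink"}
# Elements that let an SVG carry script or embed an HTML document.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
BAD_SCHEMES = ("javascript:", "data:", "vbscript:")

def _split(tag):
    # ElementTree encodes namespaced names as "{uri}local".
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag

def svg_violations(data):
    """Return the reasons an uploaded SVG should be rejected (empty list = accept).
    xml.etree does not defend against entity-expansion bombs; for real uploads
    parse with defusedxml.ElementTree.fromstring instead."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if _split(root.tag) != (SVG_NS, "svg"):
        problems.append("root element is not <svg> in the SVG namespace")
    for el in root.iter():
        ns, local = _split(el.tag)
        if ns not in ALLOWED_NS:
            # e.g. xmlns="http://www.w3.org/1999/xhtml": the browser renders it as HTML
            problems.append(f"foreign-namespace element <{local}> ({ns})")
        if local in FORBIDDEN_TAGS:
            problems.append(f"forbidden element <{local}>")
        for name, value in el.attrib.items():
            attr = _split(name)[1]
            if attr.lower().startswith("on"):
                problems.append(f"event handler {attr} on <{local}>")
            elif attr == "href" and value.strip().lower().startswith(BAD_SCHEMES):
                problems.append(f"unsafe href scheme on <{local}>")
    return problems

def is_safe_svg(data):
    return not svg_violations(data)

# Constructed samples: a plain drawing and two uploads mirroring the post's vectors.
SAFE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
HTML_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
            b'<body xmlns="http://www.w3.org/1999/xhtml"><script>alert(1)</script>'
            b'</body></foreignObject></svg>')
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><image href="x" onerror="prompt(1)"/></svg>'
```

Run the validator before the file is stored, and serve accepted SVGs with Content-Disposition: attachment or from a separate origin so a bypass cannot execute in the application's origin.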

Exploit Scenario:
As in the http://guptashubham.com/stored-xss-in-unifi-v4-8-12-controller finding, this attack requires valid admin credentials, so it is only viable for one admin to attack another.

Big thanks to @93c08539 for the bounty 🙂 and for helping me a lot.


Stored XSS in UniFi v4.8.12 Controller

I'm writing about a stored XSS which I found in UniFi Controller v4.8.12.

Description:
The XSS happens in the admin page of UniFi Controller v4.8.12 (Stand Alone or CloudKey). In this exploit it was possible to inject HTML and JavaScript content into the admin page. The attack requires the attacker to have valid credentials, so this exploit will only work from one admin to another.

I was checking the UniFi website for possible bugs but was not able to find anything good there, so I started playing with the UniFi Controller and some Ubiquiti devices which I got from UBNT to test.

I started looking for XSS on the controller but found nothing!! 🙁

I decided to search further, in the devices DB. When I plugged in a UniFi AP AC Lite device, I found that the controller doesn't filter device names for HTML special characters.

POC:
Step 1: Download the UniFi v4.8.12 Controller (any OS should work).
Step 2: Open the UniFi Controller; it will take some seconds to start.
Step 3: Now set up your server by providing the admin name, password, etc.
Step 4: Plug in your UniFi AP AC Lite device (any UniFi equipment should work).
Step 5: Change your device name to the XSS payload; in my case I'm using "><img src=x onerror=prompt(1)>
Step 6: Go to Statistics and boom, the XSS will prompt.
Step 7: $$$ Profit!!!

[Screenshot: unifi_v4-8-12_xss_]

I've attached a screenshot of the same.

There isn’t any filter applied to the user input, so this exploit could be used widely.

Possible exploitation:

There isn't any direct attack that could be used with this exploit, because the attacker needs to be an admin; otherwise he would be unable to change device names. However, the attacker (an admin) could use this to exploit another admin.

One possible use is to steal another admin's password: since the password is hashed in the database, he could instead use the password captured in the XSS attack (maybe using a prompt or a fake login page) and try it on other services; if the victim reuses passwords (which you shouldn't), he can compromise other services.

Special Thanks To: @93c08539

Best Regards
Shubham


Swf XSS (Dom Based Xss)

Hey Folks,

I was working on UBNT for bounty and I found several XSS there, so I'm sharing one of the cool ones.

In the above code, the FlashVar parameter "bridgeName" is passed to the ExternalInterface.call method without filtering. It is possible to pass JavaScript code via the bridgeName parameter that will be executed when the vulnerable function is called (when the page loads).

Proof of Concept:

As a proof of concept, the following URL will inject the JavaScript code "alert(1)" to illustrate the flaw:

https://store.ubnt.com/skin/adminhtml/default/default/media/editor.swf?bridgeName=1\%22]%29%29;alert%281%29}catch%28e%29{alert%281%29}//

[Screenshot: store.ubnt.com xss]

Some other path:

Bug is fixed now.

Best Regards
Shubham


Xss filter bypass in Yahoo dev.flurry.com

Hi,
I want to share another of my findings, a Yahoo XSS filter bypass which I reported to them in Dec 2014.
While researching and working on Yahoo bug bounties I've found some cool XSS.

This is not an actual filter bypass; I just found a way to enter JavaScript and run it.

This is a tricky one.
During research on dev.flurry.com I found that the company name is vulnerable to XSS attack. But unfortunately there is a filter.

You can't use <, >, ; or '; you will get an error like "New company name is invalid."

But I found a way to bypass this: we can't use <, >, ' when creating or editing, but in Add Company we can. Just go to https://dev.flurry.com/viewProfile.do and click on Advanced Profile, where you can write your payload.

But there is also a filter there, so the XSS will not trigger. I tried too many things, including eval(), but it wasn't working; after that I just checked whether there was any place where this payload would execute. I found it!!

Go to Applications > Alerts

Then the XSS will trigger.

[Screenshot: Step_4]

Thanks for reading.


XSS on Flickr

Howdy friends,

Today I'm going to show you how I got a Flickr XSS vulnerability. I've been spending time lately playing with Flickr.

First, as usual, I created a Flickr group with some random words <"lol">
To my bad luck there was filtering.

Then I started digging into that and I found a way to execute my JavaScript.

Steps:

  1. Create a group with the name <img src=x onerror=prompt(1)>"
  2. Add someone to the group
  3. When the user clicks on Leave Group, the XSS will prompt.

[Screenshot: tumblr_inline_o1hf1h51P71t8my73_250]

Note: As I told you, there was filtering, but when a user tries to leave that group the filtering does not work and the XSS gets executed.

[Screenshot: Flickr.Xss]

It was reported to Yahoo, and after 10 days I got a reply from them, "Triaged"; then after some more days they rewarded me with $400 for this finding :v
And they put my name on their Hall of Fame page.

Yahoo Hall Of Fame

Video Demo:

Thanks To Yahoo Security Team