Stored XSS in UniFi v4.8.12 Controller

I’m writing about a stored XSS which I found in the UniFi controller v4.8.12.

Description: The XSS occurs in the admin page of the UniFi controller v4.8.12 (stand-alone or CloudKey). With this exploit it was possible to inject HTML and JavaScript content into the admin page. The attack requires the attacker to have valid credentials, so this exploit only works from one admin against another.

I was checking the UniFi website for possible bugs but was not able to find anything good there, so I started playing with the UniFi controller and some Ubiquiti devices which I got from ubnt to test.

I started looking for XSS in the controller but found nothing!! 🙁

I decided to search further, in the devices DB. When I plugged in a UniFi AP AC Lite device, I found that the controller doesn’t filter device names for HTML special characters.

POC:

Step 1: Download the UniFi v4.8.12 Controller (any OS should work).
Step 2: Open the UniFi Controller; it will take a few seconds to start.
Step 3: Set up your server by providing an admin name, password, etc.
Step 4: Plug in your UniFi AP AC Lite device (any UniFi equipment should work).
Step 5: Change your device name to an XSS payload; in my case I’m using "><img src=x onerror=prompt(1)>
Step 6: Go to Statistics and boom, the XSS will prompt.
Step 7: $$$ Profit!!!

I’ve attached a screenshot of the same.

There isn’t any filter applied to the user input (the device name), so this exploit could be used widely.
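As an added example that is not part of the original write-up (and not UniFi’s own code), the JavaScript below shows the rendering mistake described here beside its fix: a device name concatenated straight into markup versus the same name passed through an HTML-entity encoder first, plus a check an admin could run over exported device names to flag ones containing markup characters before another admin’s browser renders them. The device records, MAC addresses and function names are constructed for the example; the second device name is the payload from the write-up.

```javascript
// Added example, not code from the UniFi controller. Device records below are constructed.

// Minimal HTML entity encoder for text placed inside element content or a
// double-quoted attribute value. '&' is encoded first so that the entities
// produced by the later replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (the behaviour described in the write-up): the device
// name is concatenated straight into markup, in both attribute and element
// content context, so a name that closes the attribute can open a new tag.
function renderDeviceRowUnsafe(device) {
  return '<tr><td title="' + device.name + '">' + device.name + '</td>' +
         '<td>' + device.mac + '</td></tr>';
}

// Hardened pattern: every untrusted value passes through escapeHtml before
// it reaches markup. The name is still displayed verbatim; it just cannot
// change the structure of the page.
function renderDeviceRowSafe(device) {
  const name = escapeHtml(device.name);
  return '<tr><td title="' + name + '">' + name + '</td>' +
         '<td>' + escapeHtml(device.mac) + '</td></tr>';
}

// Detection check for an admin reviewing an exported device inventory:
// returns the MACs of devices whose names contain markup-significant
// characters, which a legitimate device name has no reason to carry.
function findSuspiciousNames(devices) {
  const markupChars = /[<>"'&]/;
  return devices.filter((d) => markupChars.test(d.name)).map((d) => d.mac);
}

// True if the rendered HTML contains an <img ...> tag, which the safe
// renderer must never produce from a device name.
function containsImgTag(html) {
  return /<img\b/i.test(html);
}

// Constructed sample inventory; the second name is the payload from the write-up.
const SAMPLE_DEVICES = [
  { name: 'Lobby AP', mac: '00:11:22:33:44:55' },
  { name: '"><img src=x onerror=prompt(1)>', mac: '66:77:88:99:aa:bb' },
];

for (const device of SAMPLE_DEVICES) {
  console.log('unsafe:', renderDeviceRowUnsafe(device));
  console.log('safe:  ', renderDeviceRowSafe(device));
}
console.log('flagged MACs:', findSuspiciousNames(SAMPLE_DEVICES));
```

The fix is output encoding at the point where the name is written into HTML, not input filtering: the controller can keep accepting any name, and the same `escapeHtml` step has to be applied in every template that shows it (Statistics page, device list, tooltips), since the write-up’s payload fires on whichever page forgets it.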

Possible exploitation:

There isn’t any direct attack that could be mounted with this exploit, because the attacker needs to be an admin; otherwise he would be unable to change device names. However, the attacker (an admin) could use this against another admin.

One possible use is to steal another admin’s password. Since the password is hashed in the database, he could instead use a password captured through the XSS attack (maybe using a prompt or a fake login page) and try it against other services; if the victim reuses passwords (which you shouldn’t), he can exploit those other services.

Special Thanks To: @93c08539

Best Regards, Shubham