UBNT Bug Bounty #3 - Persistent Filename Vulnerability

UBNT Bug Bounty #3 - Persistent Filename Vulnerability

The Vulnerability Laboratory Core Research Team discovered an application-side input validation web vulnerability in the official Ubiquiti Networks Community online service web-application.

Ubiquiti Networks is an American technology company started in 2005. Based in San Jose, California they are a manufacturer of wireless products whose primary focus is on under-served and emerging markets. (Copy of the Homepage: http://en.wikipedia.org/wiki/Ubiquiti_Networks )

The vulnerability allows an remote attacker to inject own script code to the application-side of the affected application module. The web vulnerability is located in the `filename` value of the `gallery page album upload` module. Remote attackers are able to inject own files with malicious `filename` value in the `album upload` POST method request to compromise the ubnt web-application. Remote attackers are also able to exploit the filename issue in combination with persistent injected script codes to execute different malicious attack requests.

The attack vector is located on the application-side of the ubnt service and the request method to inject is POST. The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.2. Exploitation of the application-side validation web vulnerability requires no user interaction and only a low privileged web-application user account. Successful exploitation of the security vulnerability results in the ubnt community web-application compromise.

Proof of Concept (PoC):

The vulnerability can be exploited by remote attackers with low privileged application user account and with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...

1. Open link http://community.ubnt.com/t5/media/gallerypage
2. Click add images
3. Upload image with name "><img src="x" onerror=alert(document.cookie)>.png
4. Click selact an album and save
5. Post comment
6. Click selete the comment you will redirect to http://community.ubnt.com/t5/action/confirmationpage
7. Now you will see the alert with the document cookies context!

Reference(s):
http://community.ubnt.com/
http://community.ubnt.com/t5/media/gallerypage
http://community.ubnt.com/t5/action/confirmationpage

PoC Video: http://www.vulnerability-lab.com/get_content.php?id=1468
Advisory: http://www.vulnerability-lab.com/get_content.php?id=1467

Credits & Authors:
Vulnerability Laboratory [Research Team] - Hadji Samir [samir@evolution-sec.com]