0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Ubiquiti Networks EP-R6 / ER-X / ER-X-SFP Cross Site Scripting Vulnerability
======================================================================= title: Cross-Site Scripting (XSS) product: Ubiquiti Networks EP-R6, ER-X, ER-X-SFP vulnerable version: Firmware v1.9.1 fixed version: Firmware v1.9.1.1 CVE number: impact: Medium homepage: https://www.ubnt.com found: 2017-04-04 by: R. Freingruber, T. Weber (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Montreal - Moscow Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Ubiquiti Networks develops high-performance networking technology for service providers and enterprises. Our technology platforms focus on delivering highly advanced and easily deployable solutions that appeal to a global customer base in underserved and underpenetrated markets." Source: http://ir.ubnt.com/ Business recommendation: ------------------------ SEC Consult recommends not to use this device in production until a thorough security review has been performed by security professionals and all identified issues have been resolved. Vulnerability overview/description: ----------------------------------- 1) Reflected Cross Site Scripting (XSS) in Internet Explorer This vulnerability can be exploited by deactivating or bypassing the integrated XSS-filter of the Internet Explorer. A reflected cross site scripting vulnerability was identified because of an initialization error in "<IP>/files/index/". An attacker can exploit this vulnerability by tricking a victim to visit a malicious website. The attacker is able to hijack the session of the attacked user. If the user is currently not logged in, the injected JavaScript code can start a bruteforce attack (for example, with the default credentials ubnt:ubnt). After a session has been established, the code has full control over the system via the CLI feature which is basically a shell wrapper. By abusing this vulnerability an attacker can open ports on the router or start a reverse shell. Proof of concept: ----------------- 1) Reflected Cross Site Scripting (XSS) in Internet Explorer The following URL can be used as PoC: https://192.168.1.1/files/index/0/aaa<svg><script>alert(1)<br> The characters "=" and "/" are not allowed in this injection. This restriction can be bypassed in Internet Explorer via the use of a SVG and BR tag. Since "/" is not allowed the <script> tag can't be closed and therefore browsers will not execute the supplied code. Moreover, event handlers (e.g. <svg onload=alert(1)>) can't be used because of the "=" restriction. However, Internet Explorer can be tricked to parse the script via the use of the SVG and BR tags. It can be assumed that similar tricks exit for other browsers. Vulnerable / tested versions: ----------------------------- EdgeRouter X SFP - Firmware v1.9.1 Vendor contact timeline: ------------------------ 2017-04-04: Contacting vendor through HackerOne. Vendor sets status to "Triaged". 2017-04-24: Asking for a update. 2017-04-25: Vendor responds that the fix is available in firmware v1.9.1.1. 2017-05-05: Found the update on the website of the vendor. It was available since 2017-04-28. 2017-05-15: Contacted vendor via e-mail and set the publication date to 2017-07-24. 2017-07-24: Public release of security advisory Solution: --------- Upgrade to firmware v1.9.1.1 or later. # 0day.today [2024-09-29] #