A small writeup on CVE-2013-3572

Wed 26 February 2014
By momo

Quite a while ago I got to toy around with some ubiquiti UAP Pros, awesome, cheap, performant WiFi Access Points.
As I missed the last train home from my hackerspace I began to toy around, always on the hunt for a little exploit.
Webinterface Exploits(XSS, SQL Injections or what so ever) were easily found, but that's not what I was looking for. Everyone can do that. The goal was to find something nobody has done before. So, as I came across the users tab, I noticed the following:

  • The DHCP hostnames are displayed
  • The DHCP hostnames are hyperlinks
  • The DHCP hostnames are permanently stored in a history

So this is something to work with, the theory is easy:
You set your hostname to arbitrary code which then will be executed by the browser.
This can be easily accomplished using dhcpcd and some little javascript:

dhcpcd -h "<script>alert(1)</script>"

nice and easy[1].
Upon further investigation I found other webinterfaces that were vulnerable[2], and tried my best at exploiting these vulnerabilities. One basic thing you come across are different kind of filters to protect from this kind of vulnerability. Filter evasion is something you'll have to figure out on your own, there are many people out there with way more knowledge than I have.
Some things to make your life a lot easier:

  • Some webinterfaces try to be smart by interpreting every dot-character as a domain-declaration and strip everything behind it, which will make it hard to inject IP-Addresses. In this case use DWORD to obfuscate your IP-Address. All browsers[3] support DWORD, here's a nifty calculator.
  • Webinterfaces often have some weird cacheing, mostly based on your MAC-Address. Make sure to use a MAC-Changer.

[1] This basically is CVE-2013-3572
[2] I'll publish my findings once the responsible disclosure process is complete
[3] at least all that I know of