Posts

Showing posts with the label Flash

CVE-2014-2227

This CVE covers a vulnerability found in the Ubiquiti Networks AirVision application. For more background on this particular vulnerability, check out this post: Exploiting misconfigured crossdomain.xml files. In fact, I wrote that first crossdomain.xml blog post after finding this AirVision vulnerability back in February. If you already read that post, you should recognize that the vulnerable form I use for the POC here (adding an administrator) is the same one I used earlier. Here is a cleaned up version of what I sent to Ubiquiti back in February:

AirVision Controller v2.1.3 - Overly Permissive default crossdomain.xml
CWE-264: http://cwe.mitre.org/data/definitions/264.html

Misuse Case
If the victim user is authenticated with their AirVision Controller, and they visit a malicious site, the owner of the malicious site can make changes to, and read data from, the AirVision Controller. The malicious site can even add a new administrative user accou...

Real world exploitation of a misconfigured crossdomain.xml - Bing.com

In my previous two posts, I explain the overly permissive crossdomain.xml vulnerability, show you how to create malicious SWF files from scratch, and show you how to use the malicious SWFs to exploit the vulnerability. As we all know, sometimes the best way to wrap your head around a vulnerability is to see it being exploited. Rather than continuing to talk about the vulnerability in theoretical terms, I can now start to share some specific examples. Microsoft has closed out my MSRC case, so I can share how I was able to exploit the crossdomain.xml file at www.bing.com, and land on their Security Researcher Acknowledgements for Microsoft Online Services page (a first for me).

Misuse Case - Gaining access to a Bing.com user's saved search history
If the victim user is authenticated with any live.com linked account (msn, outlook, etc.), and they visit a malicious site, the owner of the malicious site can retrieve the victim user's entire search history, including the s...

Exploiting misconfigured crossdomain.xml files

An overly permissive crossdomain.xml file on a domain that serves sensitive content is a major security risk. It exposes the domain hosting the improperly configured crossdomain.xml file to information disclosure and request forgery. Attackers can not only forge requests, they can read the responses. This means the attacker can retrieve any information the authenticated user has access to, including account information, documents and files, and anti-CSRF tokens if they are used.

History
This is an old vulnerability. How old? 8 years old. Here is a very rough outline of prior research/public discussion:
2006: Chris Shiflett, Julien Couvreur, and Jeremiah Grossman started talking about this publicly.
2008: Jeremiah Grossman revisited the issue.
2010: Erlend Oftedal wrote about it, and Mike Bailey gave a talk at Black Hat DC.
2011: Teams from FORTH-ICS, SAP Research, and UC San Diego all released research directly related to crossdomain.xml and the se...