Full Account Takeover on *.unibet.com due to crossdomain.xml and AkamaiPlayer loaderContext WRITEUP 1,5k BOUNTY

The core issue here is two things:

1.)
The too wide crossdomain.xml located at:
    1. https://payment.unibet.com/crossdomain.xml
    2. https://se.unibet.com/crossdomain.xml
    3. https://www.unibet.com/crossdomain.xml

2.)
Issues with not-in-scope subdomains.
As you see, the crossdomain.xml allows a lot of sites, and because of this, all these domains are allowed to make requests as the victim, completely without any validation or interaction whatsoever. This is bad in itself when the list includes some external sites and really old, unmaintained websites (travnet.se and menmo.se are two good examples of that), but I wanted to also show that even subdomains of unibet.* domains can be bad.
In my case, there's a SWF file located on l.unibet.fr:

This domain is obviously not in your current scope, but it doesn't really matter since it currently allows full control over the domains that are in scope.

This specific file is an AkamaiPlayer. What's interesting about it is that it takes a parameter called akamaiMonitorSWF, which is used to load an analytics SWF.

However, since you can change it, the SWF being loaded gets full access to the current SWF, making it possible to act as the parent SWF. And since the crossdomain.xml on se.unibet.com looks like this:

    <allow-access-from domain="*.unibet.fr" secure="true"/>
    <site-control permitted-cross-domain-policies="master-only"/>

We can now fully control the current user by injecting our own SWF.
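The two weaknesses above (an over-broad crossdomain.xml, and a wildcard entry that trusts every subdomain including ones nobody tracks) are easy to catch before they ship. The following checker is an added example written for this writeup, not part of the original report; it parses a crossdomain.xml and flags the entries that hand out the user's session. The sample policy is constructed from the entries quoted above plus the external hosts the report names, and the list of "owned" domain suffixes is an assumption you would replace with your own.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not the real file served by unibet.com), modelled on
# the two entries quoted in the writeup plus the external hosts it names.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.unibet.fr" secure="true"/>
  <allow-access-from domain="www.unibet.com" secure="true"/>
  <allow-access-from domain="travnet.se" secure="false"/>
  <allow-access-from domain="menmo.se"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""


def audit_crossdomain(xml_text, owned_suffixes):
    """Return (domain, finding) pairs for risky entries in a crossdomain.xml.

    owned_suffixes: domain suffixes whose every host the policy owner controls
    end to end, e.g. ("unibet.com",). Anything else is a third party whose
    compromise turns into requests made with the victim's session.
    """
    findings = []
    root = ET.fromstring(xml_text)
    sc = root.find("site-control")
    if sc is not None and sc.get("permitted-cross-domain-policies") not in ("master-only", "none"):
        findings.append(("site-control", "sub-policies allowed; any writable path can widen trust"))
    for el in root.findall("allow-access-from"):
        dom = el.get("domain", "")
        if dom == "*":
            findings.append((dom, "any origin may read responses as the logged-in user"))
            continue
        bare = dom[2:] if dom.startswith("*.") else dom
        if dom.startswith("*."):
            # The writeup's case: a wildcard trusts l.unibet.fr, a host nobody had in scope.
            findings.append((dom, "every subdomain, forgotten or third-party hosted, is trusted"))
        if not any(bare == s or bare.endswith("." + s) for s in owned_suffixes):
            findings.append((dom, "outside the owned domains; external compromise becomes session access"))
        # Assumption: a missing secure attribute is treated as "true" (the HTTPS default).
        if el.get("secure", "true").lower() != "true":
            findings.append((dom, "secure=false lets a plain-HTTP SWF read HTTPS responses"))
    return findings


if __name__ == "__main__":
    for domain, why in audit_crossdomain(SAMPLE_POLICY, ("unibet.com", "unibet.fr")):
        print(f"{domain:15} {why}")
```

Run it against each crossdomain.xml you serve; every line it prints is a host that can act as your logged-in users.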

I have made a pretty broad and extensive PoC for this, basically fetching all messages and info about the customer as well as changing the email address of the current user. This is because I want to show how bad this really is.

My PoC does the following:
    1. Fetches all messages to the current user
    2. Fetches email+phone+sessionId for the current user
    3. Fetches the current address for the user
    4. Changes the email of the current user to frans.rosen+unibet[RANDOMNUMBER]@gmail.com.

There is a rate limit on changing the email, but it's just 30 minutes and the email only needs to be changed once anyway.
You might need to change se.unibet.com to whichever locale you're currently using. You can also change the email differently if you like, of course:
