Dancing in the IoT: CHIYU devices vulnerable to remote attack and could be used as an initial foothold to access internal networks.

Vulnerabilities in Internet of Things (IoT) devices allow cybercriminals to access and take control of them remotely, and such attacks can be leveraged to gain access to internal networks. In this article, we are going to learn about seven vulnerabilities impacting a large range of CHIYU devices that are exposed on the Internet and also used in internal environments for access control.

Figure 1: Vulnerable devices available on the Internet (ZoomEye).


Overview

Nowadays, the variety of functions offered by smart devices is clearly improving different industries and environments. These kinds of devices benefit homes, factories, and cities, but due to their nature, a large number of flaws can be introduced, with the associated security risks.

In this article, we will explain seven vulnerabilities found by analyzing CHIYU IoT devices in a controlled laboratory. One of them, tracked as CVE-2021-31251, is a flaw in the telnet service that can be exploited to obtain a remote privileged session, which can be abused to take control of the device and use it as an initial entry point into the internal network. Figure 2 shows the global distribution of the devices by country.

Figure 2: Global distribution of vulnerable devices (4622) according to ZoomEye.


As observed, many of the Internet-facing devices are located in China (2046), Singapore (383), and Argentina (376). A large number of devices are also expected to be deployed on internal networks, so IT administrators should address the update of those devices as soon as possible as well.

From the devices available in our laboratory, we found that the following are vulnerable to these flaws, namely:

    • BF-430, BF-431, BF-450M: TCP / IP Converter Module / Ethernet Converter.
    • BF-630: Web-Based Single Door Fingerprint Controller.
    • BF631-W: Fingerprint Access Control Device.
    • BF830-W: Proximity Access Control and Time & Attendance Terminal.
    • SEMAC: Door Access Control Panel.
    • Webpass: RFID Access Controller.
    • BF-MINI-W: RFID Single Door Access Controller Reader.
    • BIOSENSE (Biosense II, Biosense III, Biosense III-T): Fingerprint Standalone Controller.


Figure 3: Web dashboards of vulnerable CHIYU IoT devices.


The devices enumerated above are affected by the set of vulnerabilities depicted below, including the critical authentication bypass tracked as CVE-2021-31251. The next image shows the output of the exploit created to bypass the telnet authentication and execute commands remotely.

Figure 4: Proof-of-Concept of CVE-2021-31251 – telnet authentication bypass vulnerability.


The list of CVEs impacting CHIYU devices is presented below:

CVE | Type | Degree | Description
CVE-2021-31249 | CRLF injection | Medium | A CRLF injection vulnerability was found on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of validation on the parameter redirect= available on multiple CGI components.
CVE-2021-31250 | XSS | Medium | Multiple stored XSS vulnerabilities were discovered on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of sanitization of the input on the components man.cgi, if.cgi, dhcpc.cgi, and ppp.cgi.
CVE-2021-31251 | Authentication Bypass | Critical | Several IoT devices from the CHIYU Technology firm are vulnerable to a flaw that permits bypassing the telnet authentication process due to an overflow during the negotiation of the telnet protocol. Telnet authentication is bypassed by supplying a specially malformed request, and an attacker may force the remote telnet server to believe that the user has already authenticated. Several models are vulnerable, including BF-430, BF-431, BF-450M, and SEMAC with the most recent firmware versions.
CVE-2021-31252 | Open Redirect | Medium | An open redirect vulnerability exists in BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, and SEMAC devices from CHIYU Technology that can be exploited by sending a link that has a specially crafted URL to convince the user to click on it.
CVE-2021-31641 | XSS | Medium | An unauthenticated XSS vulnerability exists in several IoT devices from CHIYU Technology, including BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC. The vulnerability was also observed on more recent firmware versions.
CVE-2021-31642 | Integer overflow | Medium | A denial of service condition exists after an integer overflow in several IoT devices from CHIYU Technology, including Biosense, Webpass, BF-630, BF-631, and SEMAC. The vulnerability can be exploited by sending an unexpected integer (> 32 bits) in the page parameter, which crashes the web portal and makes it unavailable until the device is rebooted.
CVE-2021-31643 | XSS | Medium | A stored XSS flaw was discovered on SEMAC, Biosense, BF-630, BF-631, and Webpass IoT devices from CHIYU Technology Inc due to a lack of sanitization of the input on the component if.cgi – username parameter.
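The following is an added detection example, not code from the advisory or from CHIYU. It runs the request patterns listed in the table above (a CRLF sequence in redirect=, an external redirect target, a script tag in a path that produces a 404, an oversized page= value, and a script tag in any configuration parameter) over a few constructed common-log-format lines, as a reverse proxy or network sensor placed in front of the device would record them. The sample lines, the MAX_PAGE bound and the rule names are assumptions made for the example.

```python
"""Detection rules for the HTTP-borne CHIYU issues over web access logs.

Added example, not from the advisory. It assumes requests to the device pass
through a reverse proxy or sensor that writes common-log-format lines; the
sample lines below are constructed for the example.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: a proxy log for one access controller (10.0.0.9 is the noisy client).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jun/2021:10:00:01 +0000] "GET /if.cgi?redirect=index.htm HTTP/1.1" 200 512
10.0.0.9 - - [04/Jun/2021:10:00:07 +0000] "GET /if.cgi?redirect=%0d%0a%0d%0a%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 302 0
10.0.0.9 - - [04/Jun/2021:10:00:09 +0000] "GET /man.cgi?redirect=http://127.0.0.1/exploit.htm HTTP/1.1" 302 0
10.0.0.9 - - [04/Jun/2021:10:00:12 +0000] "GET /%3Cscript%3Ealert(123)%3C/script%3E HTTP/1.1" 404 210
10.0.0.9 - - [04/Jun/2021:10:00:15 +0000] "GET /if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000 HTTP/1.1" 200 0
10.0.0.5 - - [04/Jun/2021:10:01:00 +0000] "GET /if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2 HTTP/1.1" 200 900
"""

_LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
_SCRIPT_RE = re.compile(r"<\s*script|on\w+\s*=|javascript:", re.IGNORECASE)
MAX_PAGE = 10_000  # assumed bound: far more log pages than these devices can hold


def classify(target: str, status: str) -> List[str]:
    """Return the names of the rules that fire for one request target."""
    findings: List[str] = []
    # Split by hand: urlsplit() drops CR/LF from URLs, which would hide rule 1.
    path, _, query = target.partition("?")
    params = parse_qs(query, keep_blank_values=True)  # decodes %0d%0a into real CR/LF
    redirect = params.get("redirect", [""])[0]
    if "\r" in redirect or "\n" in redirect:
        findings.append("crlf-injection-redirect")      # CVE-2021-31249 pattern
    elif urlsplit(redirect).netloc or redirect.startswith("//"):
        findings.append("open-redirect-external")       # CVE-2021-31252 pattern
    if status == "404" and _SCRIPT_RE.search(unquote(path)):
        findings.append("reflected-xss-404-path")       # CVE-2021-31641 pattern
    page = params.get("page", [""])[0]
    if page.isdigit() and int(page) > MAX_PAGE:
        findings.append("page-parameter-out-of-range")  # CVE-2021-31642 pattern
    for value in (v for vals in params.values() for v in vals):
        if _SCRIPT_RE.search(value) and "crlf-injection-redirect" not in findings:
            findings.append("script-in-parameter")      # stored XSS payload pattern
            break
    return findings


def scan_log(text: str) -> Dict[str, List[str]]:
    """Map each source IP to the rules its requests triggered (deduplicated, in order)."""
    hits: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        for rule in classify(m["target"], m["status"]):
            bucket = hits.setdefault(m["src"], [])
            if rule not in bucket:
                bucket.append(rule)
    return hits


if __name__ == "__main__":
    for src, rules in scan_log(SAMPLE_LOG).items():
        print(src, "->", ", ".join(rules))
```

The rules are deliberately broad: on an access controller the legitimate traffic is a handful of fixed pages, so a redirect target with a host, a control character in any parameter, or a page number in the millions has no benign explanation and can alert on the first hit.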


CVE-2021-31249


Title: CRLF injection in CHIYU BF-430, BF-431, and BF-450M TCP/IP Converter devices
Vulnerability: CRLF injection
CVE ID: CVE-2021-31249
CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N


A CRLF injection vulnerability was found on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of validation on the parameter redirect= available on multiple CGI components.

Affected parameter: redirect=
Component: all the CGI components
Payload: %0d%0a%0d%0a<script>alert(document.domain)</script>

HTTP request and response

More details and exploit:
https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31249
https://www.exploit-db.com/exploits/49923


Impact:
The impact of CRLF injection varies and ranges from all the impacts of cross-site scripting to information disclosure.

Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.


CVE-2021-31250


Title: Multiple stored XSS in CHIYU BF-430, BF-431, and BF-450M IP converter devices
Vulnerability: Stored XSS
CVE ID: CVE-2021-31250
CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N


Multiple stored XSS vulnerabilities were discovered on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of sanitization of the input on the components man.cgi, if.cgi, dhcpc.cgi, and ppp.cgi.

To exploit this vulnerability, an attacker can inject a specially crafted XSS payload into several CGI components to obtain sensitive information from the end-user, such as session cookies, or redirect them to a malicious web page.


Proof-of-Concept: 01

Affected parameter: TF_submask
Component: if.cgi
Payload: "><script>alert(123)</script>

HTTP request: 

HTTP response:


Proof-of-Concept: 02

Affected parameter: TF_hostname=
Component: dhcpc.cgi
Payload: /"><img src="#">

HTTP request and response:


Proof-of-Concept: 03

Affected parameter: TF_servicename=
Component: ppp.cgi
Payload: "><script>alert(123)</script>

HTTP request:

HTTP response:


Proof-of-Concept: 04

Affected parameter: TF_port=
Component: man.cgi
Payload: /"><img src="#">

HTTP request:

HTTP response:


More details and exploit:
https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250
https://www.exploit-db.com/exploits/49922


Impact: 
The attacker places their exploit into the application itself and simply waits for users to encounter it.

Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.


CVE-2021-31251


Title: Telnet auth bypass in CHIYU IoT devices allowing to obtain administrative privileges
Vulnerability: Authentication bypass
CVE ID: CVE-2021-31251
CVSS: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Several IoT devices from the CHIYU Technology firm are vulnerable to a flaw that permits bypassing the telnet authentication process due to an overflow during the negotiation of the telnet protocol. Telnet authentication is bypassed by supplying a specially malformed request, and an attacker may force the remote telnet server to believe that the user has already authenticated. Several models are vulnerable, including BF-430, BF-431, BF-450M, and SEMAC with the most recent firmware versions.

The next image shows the normal workflow with the authentication banner (left side) and the exploited scenario with the configuration menu (right side). In detail, when the telnet service tries to negotiate the telnet states with the client side, the negotiation fails at the fourth TCP request, and the IoT device jumps to the next state, believing that the user has already authenticated.


In order to verify whether this condition is also present on other devices, a PoC was created and the results can be observed below. On the left side, the checker identifies many vulnerable devices; on the right side, the vulnerability is confirmed using the exploit.

Checker in action with multi-thread and CIDR – Pocsuite3:

Exploit in action – Pocsuite3:


More details and exploit:
https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31251
https://www.exploit-db.com/exploits/49936
https://www.seebug.org/vuldb/ssvid-99267


Impact: Remote access to any device by bypassing the telnet authentication.

Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability. In this new version, the telnet service was disabled in order to solve this issue.

From vendor website:

Regarding CVE-2021-31251, it explains that the CHIYU serial converters & SEMAC door control panel have a security issue because telnet is able to connect with the device.

For this reason, CHIYU would like to include below the measures to fix the problem.

From now, all of the shipment has the latest firmware. The firmware will close telnet.

If you want to upgrade your converter's firmware, please contact CHIYU for upgrading. Contact: [email protected]

(source)


CVE-2021-31252


Title: Open redirect vulnerability in CHIYU IoT devices
Vulnerability: Open Redirect
CVE ID: CVE-2021-31252
CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N


An open redirect vulnerability exists in BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, and SEMAC devices from CHIYU Technology that can be exploited by sending a link that has a specially crafted URL to convince the user to click on it.

To exploit this vulnerability, an attacker can inject an arbitrary URL and convince the end-user to click on the link, redirecting them to a page with malicious content. All the CGI components are affected by this flaw.

Affected parameter: redirect=
Component: all the CGI components (if.cgi, man.cgi, etc.)
Payload: redirect=http://127.0.0.1/exploit.htm

HTTP request

HTTP response

More details and exploit:
https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31252


Impact:
Open Redirect is due to the improper sanitization of input that can be used to redirect users to external websites.

Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.
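CVE-2021-31249 and CVE-2021-31252 share one root cause: the redirect= value is copied as-is into the response. The following added example (not CHIYU firmware code and not from the advisory) shows the server-side check a CGI handler could apply to that parameter before emitting a Location header; decoding once, refusing control characters and anything carrying a scheme or host, and finishing with an allowlist closes both issues. The ALLOWED_PAGES set and the function names are assumptions made for the example.

```python
"""Hardened handling of a redirect= style parameter.

Added example, not CHIYU firmware code. A handler that copies a
user-supplied target into a Location header is exposed to CRLF sequences
that split the response (CVE-2021-31249) and to absolute or
protocol-relative URLs that send the browser off the device
(CVE-2021-31252). Both are rejected here.
"""
from typing import Optional
from urllib.parse import unquote, urlsplit

# Assumed allowlist of pages the device may redirect to (not a documented CHIYU list).
ALLOWED_PAGES = {"index.htm", "if.htm", "man.htm", "AccLog.htm", "fail.htm"}


def validate_redirect_target(raw: str) -> Optional[str]:
    """Return a bare page name that is safe to redirect to, or None to reject."""
    decoded = unquote(raw)  # after this, %0d%0a and literal CR/LF look the same
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        return None  # CR, LF, NUL, ...: header injection, never a page name
    if decoded.startswith(("//", "\\")):
        return None  # protocol-relative and backslash variants browsers accept
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return None  # http://..., javascript:... all leave the device
    page = parts.path.lstrip("/").split("/")[-1]  # ignore directories, query, fragment
    return page if page in ALLOWED_PAGES else None


def build_location_header(raw: str, fallback: str = "index.htm") -> str:
    """Header line the CGI would emit; rejected values fall back to a fixed page."""
    page = validate_redirect_target(raw) or fallback
    return f"Location: /{page}\r\n"


if __name__ == "__main__":
    for candidate in ("AccLog.htm", "http://127.0.0.1/exploit.htm", "%0d%0a%0d%0aX"):
        print(repr(candidate), "->", build_location_header(candidate).strip())
```

The allowlist is what makes the check robust: an encoding trick that survives the control-character and scheme tests (double percent-encoding, for instance) still produces a string that is not one of the device's own pages, so it is rejected rather than reasoned about.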


CVE-2021-31641


Title: Unauthenticated XSS in several CHIYU IoT devices
Vulnerability: Reflected XSS
CVE ID: CVE-2021-31641
CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N


An unauthenticated XSS vulnerability exists in several IoT devices from CHIYU Technology, including BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC. The vulnerability was observed also on more recent firmware versions.


Component: any argument passed via URL that results in an HTTP 404
Payload: http://ip/<script>alert(123)</script>

HTTP request

HTTP response

More details and exploit:
https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31641
https://www.exploit-db.com/exploits/49922


Impact:
This vulnerability is due to the improper sanitization of the input reflected in the HTTP 404 page, and it can be abused to redirect users to external websites.

Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.


CVE-2021-31642


Title: Denial of Service in several CHIYU IoT devices affecting the web-portal
Vulnerability: Integer overflow
CVE ID: CVE-2021-31642
CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H


A denial of service condition exists after an integer overflow in several IoT devices from CHIYU Technology, including BIOSENSE, Webpass, BF-630, BF-631, and SEMAC. The vulnerability can be exploited by sending an unexpected integer (> 32 bits) in the page parameter, which crashes the web portal and makes it unavailable until the device is rebooted.

Affected parameter: page=
Component: if.cgi

Payload: if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000

HTTP request


HTTP response

More details and exploit:
https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31642
https://www.exploit-db.com/exploits/49937


After the request, the web portal will be unavailable until a device reboot.

Impact: Device crash and web portal unavailable.

Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.
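The durable fix for a flaw like CVE-2021-31642 is on the parsing side: the page= value must be parsed strictly, refused when it cannot fit the integer type the firmware works with, and checked against the number of pages that actually exist before any offset is computed from it. The following added example (not CHIYU firmware code) shows that handling for the if.cgi go_log_page request; ENTRIES_PER_PAGE, the total_pages argument and the handler name are assumptions made for the example.

```python
"""Bounds-checked parsing of the page= parameter (CVE-2021-31642).

Added example, not CHIYU firmware code. Refusing an out-of-range value with
HTTP 400 is preferable to silently clamping it, because the device's own
UI never produces such a value and a clamped request hides the probe.
"""
from typing import Optional, Tuple
from urllib.parse import parse_qs

UINT32_MAX = 0xFFFF_FFFF
ENTRIES_PER_PAGE = 20  # assumed layout of the access-log view, not a documented CHIYU value


def parse_page_param(raw: str, total_pages: int) -> Optional[int]:
    """Return a valid 1-based page number, or None if the request must be refused."""
    if not raw.isdigit() or len(raw) > 10:  # digits only: no sign, whitespace or hex
        return None
    value = int(raw)
    if value > UINT32_MAX:  # would not survive a cast to a 32-bit integer
        return None
    if value < 1 or value > total_pages:  # outside the pages that exist
        return None
    return value


def log_offset(page: int, total_pages: int) -> Optional[int]:
    """Index of the first entry on ``page``, guarding the multiplication as well."""
    if not 1 <= page <= total_pages:
        return None
    offset = (page - 1) * ENTRIES_PER_PAGE
    return offset if offset <= UINT32_MAX else None


def handle_go_log_page(query: str, total_pages: int) -> Tuple[int, Optional[int]]:
    """Simulated if.cgi?type=go_log_page&page=N handler: (HTTP status, log offset)."""
    params = parse_qs(query, keep_blank_values=True)
    page = parse_page_param(params.get("page", [""])[0], total_pages)
    if page is None:
        return 400, None
    return 200, log_offset(page, total_pages)


if __name__ == "__main__":
    advisory_query = "redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000"
    print(handle_go_log_page(advisory_query, total_pages=50))  # refused
    print(handle_go_log_page("type=go_log_page&page=2", total_pages=50))  # served
```

The two guards are independent on purpose: the 32-bit test protects whatever arithmetic follows the parse, and the total_pages test keeps the value inside the data that exists, so a page number that is small enough to fit an integer but larger than the log is still refused.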


CVE-2021-31643


Title: Stored XSS in CHIYU SEMAC, BF-630, BF-631, and Webpass IoT devices
Vulnerability: Stored XSS
CVE ID: CVE-2021-31643
CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N


A stored XSS flaw was discovered on SEMAC, Biosense, BF-630, BF-631, and Webpass IoT devices from CHIYU Technology Inc due to a lack of sanitization of the input on the component if.cgi – username parameter.

To exploit this vulnerability, an attacker can inject a specially crafted XSS payload into the if.cgi component to obtain sensitive information from the end-user, such as session cookies, or redirect them to a malicious web page.

Affected parameter: username=
Component: if.cgi

Payload: "><script>alert(1)</script>

HTTP request

HTTP response – SEMAC Web Ver7.2

HTTP response – BIOSENSE-III-COMBO(M1)(20000)

More details and exploit:
https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31643
https://www.exploit-db.com/exploits/49922


Impact: The attacker places their exploit into the application itself and simply waits for users to encounter it.

Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.
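The stored XSS flaws above (CVE-2021-31250 on man.cgi, if.cgi, dhcpc.cgi and ppp.cgi, and CVE-2021-31643 on the if.cgi username parameter) all follow one pattern: a value written through a configuration form is later rendered unescaped into HTML. The following added example (not CHIYU firmware code) shows the two independent layers that close it: every field is checked against a strict syntactic rule before it is stored, and every stored value is HTML-escaped when the page is rendered. The parameter names are those from the advisory; the validation rules themselves are assumptions made for the example.

```python
"""Validate-on-write and escape-on-read for stored configuration fields.

Added example, not CHIYU firmware code. Parameter names come from the
advisory (TF_submask, TF_hostname, TF_servicename, TF_port, username);
the per-field rules are our assumptions about what each value may contain.
"""
import html
import ipaddress
import re
from typing import Callable, Dict

_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def _is_netmask(value: str) -> bool:
    """Accept dotted-quad or prefix-length masks; ipaddress rejects non-contiguous ones."""
    try:
        ipaddress.IPv4Network(f"0.0.0.0/{value}", strict=False)
        return True
    except ValueError:
        return False


def _is_port(value: str) -> bool:
    return value.isdigit() and 1 <= int(value) <= 65535


# One syntactic rule per stored field, keyed by the parameter name used by the CGI.
FIELD_RULES: Dict[str, Callable[[str], bool]] = {
    "TF_submask": _is_netmask,                              # if.cgi
    "TF_hostname": lambda v: bool(_HOSTNAME_RE.match(v)),   # dhcpc.cgi
    "TF_servicename": lambda v: bool(_NAME_RE.match(v)),    # ppp.cgi
    "TF_port": _is_port,                                    # man.cgi
    "username": lambda v: bool(_NAME_RE.match(v)),          # if.cgi
}


def store_fields(submitted: Dict[str, str]) -> Dict[str, str]:
    """Return only the fields that pass their rule; unknown or failing fields are dropped."""
    accepted: Dict[str, str] = {}
    for name, value in submitted.items():
        rule = FIELD_RULES.get(name)
        if rule is not None and rule(value):
            accepted[name] = value
    return accepted


def render_field(name: str, value: str) -> str:
    """Render a stored value into an <input>; quote=True also covers the attribute context."""
    return f'<input name="{html.escape(name)}" value="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    form = {"TF_submask": "255.255.255.0", "username": '"><script>alert(1)</script>'}
    kept = store_fields(form)
    print(kept)  # only the subnet mask survives validation
    for field, stored in kept.items():
        print(render_field(field, stored))
```

Escaping on output is kept even though validation already rejects markup: the two layers fail independently, so a value that reaches storage through another path (a firmware upgrade, a serial console, a forgotten CGI) still renders as text rather than as script.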


Final Thoughts

Many IoT devices are vulnerable to a wide range of flaws due to their limited computational capabilities and hardware constraints. Device vulnerabilities allow cybercriminals to use them as a foothold for their attacks, which reinforces the importance of security from the design phase.

As a general security measure, CHIYU strongly recommends protecting network access to devices with appropriate mechanisms.

Regarding CVE-2021-31251, it explains that the CHIYU serial converters & SEMAC door control panel have a security issue because telnet is able to connect with the device.

For this reason, CHIYU would like to include below the measures to fix the problem.

https://www.chiyu-tech.com/msg/msg88.html

From now, all of the shipment has the latest firmware. The firmware will close telnet.


Timeline

  • April 07, 2021: Vulnerabilities reported to the vendor.
  • April 09, 2021: 2nd email reporting the vulnerabilities.
  • May 19, 2021: Reporting the vulnerability to the vendor using another channel (3rd time).
  • May 20, 2021: Acknowledgement from the vendor and next actions to mitigate the flaws.
  • June 1, 2021: Some vulnerabilities fixed and CVE requests submitted.
  • June 4, 2021: All vulnerabilities fixed and advisory published.