跳转到帖子

RaspberryMatic unauthenticated Remote Code Execution vulnerability through HMServer File Upload.

recommended_posts

发布于
  • Members

RaspberryMatic unauthenticated Remote Code Execution vulnerability through HMServer File Upload.

Disclosed
03/16/2024
Created
02/21/2025

Description

RaspberryMatic / OCCU contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple issues within the Java based HMIPServer.jar component. The webui allows for Firmware uploads which can be reached through the URL `/pages/jpages/system/DeviceFirmware/addFirmware`. This allows an unauthenticated attacker to upload a malicious .tgz archive to the server, which will be automatically extracted without any further checks. As this entry can contain ../sequences, it is possible to break out of the predefined temp directory and write files to other locations outside this path. This vulnerability is commonly known as the Zip Slip vulnerability and can be used to overwrite arbitrary files on the main filesystem. It is therefore possible to overwrite the watchdog script with a malicious payload in `/usr/local/addons/mediola/bin/`, which will be executed every five minutes through a cron job where attackers can gain remote code execution as root user, allowing a full system compromise. RaspberryMatic versions <= `3.73.9.20240130` are vulnerable.

Author(s)

Platform

Linux,Unix

Architectures

cmd

Development

  • Source Code
  • History
  • 查看数 704
  • 已创建
  • 最后回复

参与讨论

你可立刻发布并稍后注册。 如果你有帐户,立刻登录发布帖子。
注意:你的帖子需要版主批准后才能看到。

游客
回帖…