module
RaspberryMatic unauthenticated Remote Code Execution vulnerability through HMServer File Upload.
| Disclosed | Created |
|---|---|
| Mar 16, 2024 | Feb 21, 2025 |
Disclosed
Mar 16, 2024
Created
Feb 21, 2025
Description
RaspberryMatic / OCCU contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple
issues within the Java based HMIPServer.jar component. The webui allows for Firmware uploads which can be reached
through the URL `/pages/jpages/system/DeviceFirmware/addFirmware`.
This allows an unauthenticated attacker to upload a malicious .tgz archive to the server, which will be
automatically extracted without any further checks. As this entry can contain ../sequences, it is possible to
break out of the predefined temp directory and write files to other locations outside this path.
This vulnerability is commonly known as the Zip Slip vulnerability and can be used to overwrite arbitrary files
on the main filesystem. It is therefore possible to overwrite the watchdog script with a malicious payload in
`/usr/local/addons/mediola/bin/`, which will be executed every five minutes through a cron job where attackers
can gain remote code execution as root user, allowing a full system compromise.
RaspberryMatic versions
issues within the Java based HMIPServer.jar component. The webui allows for Firmware uploads which can be reached
through the URL `/pages/jpages/system/DeviceFirmware/addFirmware`.
This allows an unauthenticated attacker to upload a malicious .tgz archive to the server, which will be
automatically extracted without any further checks. As this entry can contain ../sequences, it is possible to
break out of the predefined temp directory and write files to other locations outside this path.
This vulnerability is commonly known as the Zip Slip vulnerability and can be used to overwrite arbitrary files
on the main filesystem. It is therefore possible to overwrite the watchdog script with a malicious payload in
`/usr/local/addons/mediola/bin/`, which will be executed every five minutes through a cron job where attackers
can gain remote code execution as root user, allowing a full system compromise.
RaspberryMatic versions
Authors
h00die-gr3y h00die.gr3y@gmail.com
h0ng10 https://git.hub/h0ng10
h0ng10 https://git.hub/h0ng10
Platform
Linux,Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.