|
82763 | 82763 | "session_types": false, |
82764 | 82764 | "needs_cleanup": true |
82765 | 82765 | }, |
| 82766 | + "exploit_linux/http/raspberrymatic_unauth_rce_cve_2024_24578": { |
| 82767 | + "name": "RaspberryMatic unauthenticated Remote Code Execution vulnerability through HMServer File Upload.", |
| 82768 | + "fullname": "exploit/linux/http/raspberrymatic_unauth_rce_cve_2024_24578", |
| 82769 | + "aliases": [ |
| 82770 | + |
| 82771 | + ], |
| 82772 | + "rank": 600, |
| 82773 | + "disclosure_date": "2024-03-16", |
| 82774 | + "type": "exploit", |
| 82775 | + "author": [ |
| 82776 | + "h00die-gr3y < [email protected]>", |
| 82777 | + "h0ng10 <https://git.hub/h0ng10>" |
| 82778 | + ], |
| 82779 | + "description": "RaspberryMatic / OCCU contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple\n issues within the Java based HMIPServer.jar component. The webui allows for Firmware uploads which can be reached\n through the URL `/pages/jpages/system/DeviceFirmware/addFirmware`.\n This allows an unauthenticated attacker to upload a malicious .tgz archive to the server, which will be\n automatically extracted without any further checks. As this entry can contain ../sequences, it is possible to\n break out of the predefined temp directory and write files to other locations outside this path.\n\n This vulnerability is commonly known as the Zip Slip vulnerability and can be used to overwrite arbitrary files\n on the main filesystem. It is therefore possible to overwrite the watchdog script with a malicious payload in\n `/usr/local/addons/mediola/bin/`, which will be executed every five minutes through a cron job where attackers\n can gain remote code execution as root user, allowing a full system compromise.\n\n RaspberryMatic versions <= `3.73.9.20240130` are vulnerable.", |
| 82780 | + "references": [ |
| 82781 | + "CVE-2024-24578", |
| 82782 | + "URL-https://attackerkb.com/topics/ywHhBnSObR/cve-2024-24578", |
| 82783 | + "URL-https://github.com/jens-maus/RaspberryMatic/security/advisories/GHSA-q967-q4j8-637h" |
| 82784 | + ], |
| 82785 | + "platform": "Linux,Unix", |
| 82786 | + "arch": "cmd", |
| 82787 | + "rport": 443, |
| 82788 | + "autofilter_ports": [ |
| 82789 | + 80, |
| 82790 | + 8080, |
| 82791 | + 443, |
| 82792 | + 8000, |
| 82793 | + 8888, |
| 82794 | + 8880, |
| 82795 | + 8008, |
| 82796 | + 3000, |
| 82797 | + 8443 |
| 82798 | + ], |
| 82799 | + "autofilter_services": [ |
| 82800 | + "http", |
| 82801 | + "https" |
| 82802 | + ], |
| 82803 | + "targets": [ |
| 82804 | + "Unix/Linux Command" |
| 82805 | + ], |
| 82806 | + "mod_time": "2025-02-07 16:27:01 +0000", |
| 82807 | + "path": "/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb", |
| 82808 | + "is_install_path": true, |
| 82809 | + "ref_name": "linux/http/raspberrymatic_unauth_rce_cve_2024_24578", |
| 82810 | + "check": true, |
| 82811 | + "post_auth": false, |
| 82812 | + "default_credential": false, |
| 82813 | + "notes": { |
| 82814 | + "Stability": [ |
| 82815 | + "crash-safe" |
| 82816 | + ], |
| 82817 | + "Reliability": [ |
| 82818 | + "repeatable-session", |
| 82819 | + "event-dependent" |
| 82820 | + ], |
| 82821 | + "SideEffects": [ |
| 82822 | + "ioc-in-logs", |
| 82823 | + "artifacts-on-disk", |
| 82824 | + "config-changes" |
| 82825 | + ] |
| 82826 | + }, |
| 82827 | + "session_types": false, |
| 82828 | + "needs_cleanup": null |
| 82829 | + }, |
82766 | 82830 | "exploit_linux/http/ray_agent_job_rce": { |
82767 | 82831 | "name": "Ray Agent Job RCE", |
82768 | 82832 | "fullname": "exploit/linux/http/ray_agent_job_rce", |
|
0 commit comments