Directory Traversal – Arbitrary File Read in Homematic CCU3 (CVE-2019-9726)

Overview

Vendor: eQ-3 AG

Product: Homematic CCU3

Version: 3.43.15

Vulnerability: Arbitrary File Read

Background

HomeMatic is a home automation system consisting of various components for automating several parts of a building, including different sensors and actuators. The HomeMatic CCU3 is a central control unit, which is responsible for integrating these components with each other.

From the vendor’s website: “The Central Control Unit CCU3 is the central element for local control of the Homematic IP smart home system. It represents the next generation of our proven Homematic Central Control Units CCU1 and CCU2. Operation via the Central Control Unit CCU3 can be used alternatively to the Homematic IP Access Point. While the Access Point establishes the connection to the free Homematic IP cloud and enables operation of the smart home system via a smartphone app, the Central Control Unit CCU3 works locally via a browser-based web interface (WebUI). Thanks to local configuration and operation as well as the option to create direct device connections, reliable and fail-proof operation of the smart home system is guaranteed at all times – even in the event of Internet failures.”

Issue Description

While analyzing the implementation of the CCU3's web interface, a Directory Traversal vulnerability was identified which can be exploited to read arbitrary files from the CCU3's filesystem. It can be exploited by unauthenticated attackers with network access to the web interface. The vulnerability exists because of erroneous handling of null bytes (%00) in the requested path: the encoded null byte defeats the traversal check, so that a `.%00./` segment takes effect like `../`. The following URLs were proven to be vulnerable (1.1.1.1 stands for the address of the CCU3):

  • http://1.1.1.1/.%00./.%00./tmp/event/subscriber.list
  • http://1.1.1.1/.%00./.%00./etc/shadow
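The following Python model is added here and is not part of the original advisory nor code from the CCU3 firmware. It shows the bug class behind the proof URLs: a traversal filter that rejects `..` segments is applied to the decoded path while the null byte is still present, and the null byte is dropped only afterwards, so `.%00.` turns into `..` once the filter has already passed. The web root `/www`, the function names and the exact order of the two steps are assumptions for illustration. The hardened variant rejects any null byte at the boundary and checks containment after normalisation instead of pattern-matching the input.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Assumed web root for the example; the CCU3's real document root is not
# stated in the advisory.
WEBROOT = "/www"


def vulnerable_resolve(url_path: str) -> str:
    """Hypothetical model of the flawed handling: the traversal filter runs
    on the decoded path while the NUL bytes are still present, and the NUL
    bytes are discarded only afterwards."""
    raw = unquote_to_bytes(url_path)          # "/.%00./x" -> b"/.\x00./x"

    # Step 1: traversal filter. b".\x00." is not equal to b"..", so it passes.
    for segment in raw.split(b"/"):
        if segment == b"..":
            raise PermissionError("traversal rejected")

    # Step 2: a later stage drops NUL bytes, turning ".\x00." into "..".
    cleaned = raw.replace(b"\x00", b"").decode("latin-1")

    # Step 3: join onto the web root; normpath now collapses the "..".
    return posixpath.normpath(WEBROOT + "/" + cleaned.lstrip("/"))


def safe_resolve(url_path: str) -> str:
    """Hardened variant: reject NUL bytes outright, normalise first, and
    only then check that the result is still inside the web root."""
    raw = unquote_to_bytes(url_path)
    if b"\x00" in raw:
        raise ValueError("NUL byte in path")
    decoded = raw.decode("utf-8")             # strict: malformed UTF-8 raises
    target = posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/")))
    if target != WEBROOT and not target.startswith(WEBROOT + "/"):
        raise PermissionError("path escapes web root")
    return target


def outcome(resolver, url_path: str) -> str:
    """Resolved path, or the exception class name when the request is rejected."""
    try:
        return resolver(url_path)
    except (PermissionError, ValueError) as exc:   # UnicodeDecodeError is a ValueError
        return type(exc).__name__


if __name__ == "__main__":
    # Constructed sample requests: the two proof URLs from the advisory plus
    # a plain traversal and a benign request for comparison.
    for path in ("/.%00./.%00./etc/shadow",
                 "/.%00./.%00./tmp/event/subscriber.list",
                 "/../../etc/shadow",
                 "/index.html"):
        print(f"{path:45} vulnerable={outcome(vulnerable_resolve, path):28} "
              f"safe={outcome(safe_resolve, path)}")
```

Run stand-alone, the script prints that the plain `../../etc/shadow` request is caught by the flawed filter while both `.%00.` proof URLs resolve to `/etc/shadow` and `/tmp/event/subscriber.list`, and that the hardened resolver rejects all three attack variants. In a real server the containment check should be made on `os.path.realpath` of the candidate against the real document root, so that symlinks cannot escape either; rejecting the NUL byte at the boundary matters because the C-level `open()` underneath would otherwise see a different, truncated path from the one the filter inspected.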

The following HTTP request illustrates the attack:

Response of the Homematic CCU3:

CVE

CVE-2019-9726

CVSSv3 Base Score

CVSS Base Score: 7.5

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Explanation

Penetration testing makes it possible to identify operational risks and provides useful decision criteria for selecting effective and efficient protective measures. It is therefore an essential building block of a functioning security process: as shown above, it identifies known and unknown vulnerabilities and also shows to what extent the IT infrastructure meets compliance requirements. As a result, the security of IT systems and applications can be increased and confirmed by an external third party.

Co-Author

Pascal Keul