Zero Science Lab

A buffer overflow vulnerability exists in the mstp.ko kernel module, responsible for processing BACnet MS/TP frames over serial (RS485). The SendFrame() function writes directly into a statically sized kernel buffer (alloc_entry(0x1f5)) without validating the length of attacker-controlled data (param_5). If an MS/TP frame contains a crafted payload exceeding 492 bytes, the function performs out-of-bounds writes beyond the allocated 501-byte buffer, corrupting kernel memory. This flaw allows local or physically connected attackers to trigger denial-of-service or achieve remote code execution in kernel space. Tested against version 3.08.03 with a custom BACnet frame over /dev/ttyS0.

A buffer overflow vulnerability exists in the mstp.ko kernel module, responsible for processing BACnet MS/TP frames over serial (RS485). The SendFrame() function writes directly into a statically sized kernel buffer (alloc_entry(0x1f5)) without validating the length of attacker-controlled data (param_5). If an MS/TP frame contains a crafted payload exceeding 492 bytes, the function performs out-of-bounds writes beyond the allocated 501-byte buffer, corrupting kernel memory. This flaw allows local or physically connected attackers to trigger denial-of-service or achieve remote code execution in kernel space. Tested against version 3.08.03 with a custom BACnet frame over /dev/ttyS0.

A DLL hijacking vulnerability exists in Aspect-Studio version 3.08.03, where the application attempts to load a library named CylonLicence via System.loadLibrary("CylonLicence") without a full path, falling back to the standard library search order. If an attacker can plant a malicious CylonLicence.dll in a writable directory that is searched before the legitimate library path, this DLL will be loaded and executed with the privileges of the user running the application. This flaw enables arbitrary code execution and can be exploited for privilege escalation or persistence, especially in environments where the application is executed by privileged users.

ABB Cylon Aspect MIX's IPConfigServlet allows unauthenticated network config changes via the Host: 127.0.0.1 bypass, writing to /etc/hosts and config files. Attackers can redirect traffic (e.g. localhost to 1.2.3.4) or disrupt connectivity, amplifying impact with network restarts.

ABB Cylon Aspect MIX's NTPServlet allows NTP config changes via the Host: 127.0.0.1 bypass, writing attacker-controlled hosts to NTPTickers and syncing the system clock. A malicious NTP server can manipulate time, enabling DoS or time-based attacks.

ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the AuthenticatedHttpServlet within its application server, enabling remote attackers to bypass authentication by setting the Host: 127.0.0.1 header. This deceives the server into processing requests as if they originate from localhost, granting unauthorized access to privileged operations. This bypass grants access to privileged functionality, including the HTTPDownloadServlet, which is vulnerable to directory traversal. By leveraging this, an attacker can delete arbitrary PHP files outside the intended directory scope.

Multiple PHP and Java components across the system fail to properly sanitize user-supplied input before including it in application logs. In PHP, files like supervisorProxy.php directly embed values such as $_SERVER['REQUEST_URI'] and raw POST bodies into log messages without filtering, enabling attackers to inject arbitrary log entries using encoded newline characters. Similarly, Java classes using LoggerUtil.logger.* methods concatenate user-controlled strings like usernames and cookie keys into logs without validation. This systemic flaw allows for log forging, manipulating log content to obfuscate activity, insert misleading entries, or facilitate follow-up attacks.

The ABB Cylon Aspect BAS controller allows login using guest:guest, which initiates a web session but restricts access to administrative features by returning an 'Invalid Admin Username and/or Password' message. However, the session is still active and valid within the HMI environment. Despite failed privilege validation in the login flow, direct navigation to /setup.php bypasses authentication and authorization controls entirely. This endpoint serves as the administrative dashboard and allows full configuration access, including the ability to change credentials for the privileged aamuser account. This flaw results in privilege escalation from a limited guest session to full administrative control, compromising the integrity of the system.

The ABB Cylon Aspect BAS controller is vulnerable to an authenticated hybrid path traversal vulnerability in logYumLookup.php due to insufficient validation of the logFile parameter. The script checks for the presence of an expected path (/var/log/yum.log) using strpos(), which can be bypassed by appending directory traversal sequences. This allows an authenticated attacker to read arbitrary files on the system, potentially exposing sensitive configuration files, credentials, or logs. The issue stems from a lack of proper path normalization and strict path validation, enabling attackers to escape the intended directory restriction.

The ABB BMS/BAS controller is vulnerable to code execution and sudo misconfiguration flaws. An authenticated remote code execution vulnerability in the firmware update mechanism allows an attacker with valid credentials to escalate privileges and execute commands as root. The process involves uploading a crafted .bsx file through projectUpdateBSXFileProcess.php, which is then moved to htmlroot and executed by projectUpdateBSXExecute.php. This script leverages sudo to run the uploaded bsx file, enabling the attacker to bypass input validation checks and execute arbitrary code, leading to full system compromise and unauthorized root access.