ABB Cylon Aspect 3.08.01 (pupDumpStats.php) Information Disclosure Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: <=3.08.01 Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. The AAM PUP (Primary Utility Protocol) is a proprietary protocol supported by certain building management systems, such as the ABB MATRIX-2 series controllers. It is used for communication and integration with various utility devices within a building's control system. This protocol supports supervisory functions like energy management, alarm and event handling, historical trending, and scheduling. Desc: The ABB Cylon ASPECT system contains an unauthenticated information disclosure vulnerability in the pupDumpStats.php script. When this endpoint is accessed, it triggers the download of a sensitive debug file located at /usr/local/aam/var/pupdbg.dump. This file may contain internal system information, including protocol states, transaction logs, and system mappings. The vulnerability arises from an Insecure Direct Object Reference (IDOR) issue, where the script does not validate or authenticate the requester before allowing access to the debug file. Exploiting this flaw enables an attacker to retrieve sensitive operational data, potentially aiding in further exploitation of the system. Tested on: GNU/Linux 3.15.10 (armv7l) GNU/Linux 3.10.0 (x86_64) GNU/Linux 2.6.32 (x86_64) Intel(R) Atom(TM) Processor E3930 @ 1.30GHz Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz PHP/7.3.11 PHP/5.6.30 PHP/5.4.16 PHP/4.4.8 PHP/5.3.3 AspectFT Automation Application Server lighttpd/1.4.32 lighttpd/1.4.18 Apache/2.2.15 (CentOS) OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5876 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5876.php 21.04.2024 -- $ cat project P R O J E C T .| | | |'| ._____ ___ | | |. |' .---"| _ .-' '-. | | .--'| || | _| | .-'| _.| | || '-__ | | | || | |' | |. | || | | | | || | ____| '-' ' "" '-' '-.' '` |____ ░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl http://192.168.73.31/pupDumpStats.php