ABB Cylon Aspect 3.08.01 (badassMode) File Upload MD5 Checksum Bypass

Title: ABB Cylon Aspect 3.08.01 (badassMode) File Upload MD5 Checksum Bypass
Advisory ID: ZSL-2024-5860
Type: Local/Remote
Impact: Security Bypass, System Access, Manipulation of Data, DoS
Risk: (5/5)
Release Date: 31.10.2024
Summary
ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.
Description
The ABB BMS/BAS system has a vulnerability in caldavInstall.php, caldavInstallAgendav.php, and caldavUpload.php files, where the presence of an EXPERTMODE parameter activates a badassMode feature. This mode allows an unauthenticated attacker to bypass MD5 checksum validation during file uploads. By enabling badassMode and setting the skipChecksum parameter, the system skips integrity verification, allowing attackers to upload or install altered CalDAV zip files without authentication. This vulnerability permits unauthorized file modifications, potentially exposing the system to tampering or malicious uploads.
Vendor
ABB Ltd. - https://www.global.abb
Affected Version
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.01
Tested On
GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Vendor Status
[21.04.2024] Vulnerability discovered.
[22.04.2024] Vendor contacted.
[22.04.2024] Vendor responds.
[02.05.2024] Working with the vendor.
[07.08.2024] Vendor released version 3.08.02 to address this issue.
[31.10.2024] Public security advisory released.
PoC
abb_aspect_badass1.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/182456/ABB-Cylon-Aspect-3.08.01-File-Upload-MD5-Checksum-Bypass.html
Changelog
[31.10.2024] - Initial release
[02.11.2024] - Added reference [1]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk