ABB Cylon Aspect 3.08.02 (fileSystemUpdate.php) Remote Guest2Root Exploit
Title: ABB Cylon Aspect 3.08.02 (fileSystemUpdate.php) Remote Guest2Root Exploit
Advisory ID: ZSL-2024-5871
Type: Local/Remote
Impact: System Access, DoS, Elevation of Privileges
Risk: (5/5)
Release Date: 08.12.2024
Firmware: <=3.08.02
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
[22.04.2024] Vendor contacted.
[22.04.2024] Vendor responds.
[02.05.2024] Working with the vendor.
[03.12.2024] Vendor releases version 3.08.03 to address this issue.
[08.12.2024] Coordinated public security advisory released.
[2] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch
[3] https://www.cve.org/CVERecord?id=CVE-2024-48839
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-48839
[5] https://packetstorm.news/files/id/183032/
[09.12.2024] - Added reference [5]
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2024-5871
Type: Local/Remote
Impact: System Access, DoS, Elevation of Privileges
Risk: (5/5)
Release Date: 08.12.2024
Summary
ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.Description
The ABB BMS/BAS controller is vulnerable to code execution and sudo misconfiguration flaws. An authenticated remote code execution vulnerability in the firmware update mechanism allows an attacker with valid credentials to escalate privileges and execute commands as root. The process involves uploading a crafted .aam file through fileSystemUpdate.php, which is then moved to /tmp and executed by fileSystemUpdateExecute.php. This script leverages sudo to run the upgrade-bundle.sh script, enabling the attacker to bypass input validation checks and execute arbitrary code, leading to full system compromise and unauthorized root access.Vendor
ABB Ltd. - https://www.global.abbAffected Version
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-StudioFirmware: <=3.08.02
Tested On
GNU/Linux 3.15.10 (armv7l)GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Vendor Status
[21.04.2024] Vulnerability discovered.[22.04.2024] Vendor contacted.
[22.04.2024] Vendor responds.
[02.05.2024] Working with the vendor.
[03.12.2024] Vendor releases version 3.08.03 to address this issue.
[08.12.2024] Coordinated public security advisory released.
PoC
aamroot.pyCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://www.deviantart.com/liquidworm/art/Vulncity-1116917242[2] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch
[3] https://www.cve.org/CVERecord?id=CVE-2024-48839
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-48839
[5] https://packetstorm.news/files/id/183032/
Changelog
[08.12.2024] - Initial release[09.12.2024] - Added reference [5]
Contact
Zero Science LabWeb: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
