Zero Science Lab

A misconfiguration in the sudoers file permits passwordless execution of specific Bash shell scripts via sudo, exposing a critical privilege escalation vulnerability. When such scripts are writable by a web-facing user (www-data) or accessible through a command injection vector, an attacker can overwrite or replace them with malicious payloads. Upon execution with sudo, these scripts run with elevated privileges, allowing the attacker to gain full root access remotely.

The application constructs a shell command using unsanitized user input passed to the system() function, calling an external binary for authentication. Due to improper input handling and reliance on the binary's return value for access control, an attacker can inject special characters, such as a double quote (") to manipulate command parsing and induce execution failure. Since the application interprets any non-zero exit code from the binary as successful authentication, this flaw allows remote users to bypass authentication entirely without providing valid credentials.

The EVE X1 server suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'passwd' HTTP POST parameter in /ajax/php/login.php script.

The EVE X1 server suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'passwd' HTTP POST parameter in /ajax/php/login.php script.

The controller suffers from an unauthenticated file disclosure vulnerability. Using the 'db_log' POST parameter, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.

A buffer overflow vulnerability exists in the mstp.ko kernel module, responsible for processing BACnet MS/TP frames over serial (RS485). The SendFrame() function writes directly into a statically sized kernel buffer (alloc_entry(0x1f5)) without validating the length of attacker-controlled data (param_5). If an MS/TP frame contains a crafted payload exceeding 492 bytes, the function performs out-of-bounds writes beyond the allocated 501-byte buffer, corrupting kernel memory. This flaw allows local or physically connected attackers to trigger denial-of-service or achieve remote code execution in kernel space. Tested against version 3.08.03 with a custom BACnet frame over /dev/ttyS0.

ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the AuthenticatedHttpServlet within its application server, enabling remote attackers to bypass authentication by setting the Host: 127.0.0.1 header. This deceives the server into processing requests as if they originate from localhost, granting unauthorized access to privileged operations. This bypass grants access to privileged functionality, including the DeplomentServlet, which is vulnerable to directory traversal. By leveraging this, an attacker can write arbitrary PHP files outside the intended directory scope. When combined, these issues allow remote attackers to upload a malicious PHP shell and execute system commands with the privileges of the web server, leading to full system compromise.

ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the AuthenticatedHttpServlet within its application server, enabling remote attackers to bypass authentication by setting the Host: 127.0.0.1 header. This deceives the server into processing requests as if they originate from localhost, granting unauthorized access to privileged operations. This bypass grants access to privileged functionality, including the HTTPDownloadServlet, which is vulnerable to directory traversal. By leveraging this, an attacker can write arbitrary PHP files outside the intended directory scope. When combined, these issues allow remote attackers to upload a malicious PHP shell and execute system commands with the privileges of the web server, leading to full system compromise.

ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the AuthenticatedHttpServlet within its application server, enabling remote attackers to bypass authentication by setting the Host: 127.0.0.1 header. This deceives the server into processing requests as if they originate from localhost, granting unauthorized access to privileged operations. Specifically, this vulnerability impacts the UserManager and GroupManager servlets, allowing unauthenticated attackers to create and remove users and groups without credentials. The flaw stems from the servlet’s automatic authorization of localhost requests as the aamuser account, exposing these sensitive functions to both local and remote exploitation. By leveraging this bypass, attackers can manipulate user and group configurations, potentially escalating privileges or disrupting system access controls.

The ABB BMS/BAS controller suffers from an authenticated blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'instance' HTTP POST parameter called by the logMixDownload.php script and dependant on SELECTED=ALL case.