Zero Science Lab

ABB Cylon Aspect MIX's NTPServlet allows NTP config changes via the Host: 127.0.0.1 bypass, writing attacker-controlled hosts to NTPTickers and syncing the system clock. A malicious NTP server can manipulate time, enabling DoS or time-based attacks.

ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the AuthenticatedHttpServlet within its application server, enabling remote attackers to bypass authentication by setting the Host: 127.0.0.1 header. This deceives the server into processing requests as if they originate from localhost, granting unauthorized access to privileged operations. This bypass grants access to privileged functionality, including the HTTPDownloadServlet, which is vulnerable to directory traversal. By leveraging this, an attacker can delete arbitrary PHP files outside the intended directory scope.

The ABB BMS/BAS controller suffers from an authenticated blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'instance' HTTP POST parameter called by the productRemovalUpdate.php script. The token (key POST param) needs to be set to 159 to trigger the command execution.

ABB Cylon Aspect MIX's IPConfigServlet allows unauthenticated network config changes via the Host: 127.0.0.1 bypass, writing to /etc/hosts and config files. Attackers can redirect traffic (e.g. localhost to 1.2.3.4) or disrupt connectivity, amplifying impact with network restarts.

ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the AuthenticatedHttpServlet within its application server, enabling remote attackers to bypass authentication by setting the Host: 127.0.0.1 header. This deceives the server into processing requests as if they originate from localhost, granting unauthorized access to privileged operations. This bypass grants access to privileged functionality, including the DeplomentServlet, which is vulnerable to directory traversal. By leveraging this, an attacker can write arbitrary PHP files outside the intended directory scope. When combined, these issues allow remote attackers to upload a malicious PHP shell and execute system commands with the privileges of the web server, leading to full system compromise.

Multiple PHP and Java components across the system fail to properly sanitize user-supplied input before including it in application logs. In PHP, files like supervisorProxy.php directly embed values such as $_SERVER['REQUEST_URI'] and raw POST bodies into log messages without filtering, enabling attackers to inject arbitrary log entries using encoded newline characters. Similarly, Java classes using LoggerUtil.logger.* methods concatenate user-controlled strings like usernames and cookie keys into logs without validation. This systemic flaw allows for log forging, manipulating log content to obfuscate activity, insert misleading entries, or facilitate follow-up attacks.

The ABB BMS/BAS controller is vulnerable to code execution and sudo misconfiguration flaws. An authenticated remote code execution vulnerability in the firmware update mechanism allows an attacker with valid credentials to escalate privileges and execute commands as root. The process involves uploading a crafted .bsx file through projectUpdateBSXFileProcess.php, which is then moved to htmlroot and executed by projectUpdateBSXExecute.php. This script leverages sudo to run the uploaded bsx file, enabling the attacker to bypass input validation checks and execute arbitrary code, leading to full system compromise and unauthorized root access.

The ABB BMS/BAS controller suffers from an authenticated blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'instance' HTTP POST parameter called by the logMixDownload.php script and dependant on SELECTED=ALL case.

The application suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'M' flag (Modify) for 'Authenticated Users' group.

The ABB Cylon FLXeon BACnet controller's /api/uukl.js module implements password verification and update mechanisms using the insecure MD5 hash function alongside weak salt generation via Math.random(). This constitutes a cryptographic vulnerability where password hashes are susceptible to collision and brute-force attacks due to MD5's known weaknesses and the low entropy of the salt. Specifically, in the verify() and change() functions, passwords are hashed using MD5 with predictable, non-cryptographically secure salts, then stored in plaintext-accessible files. This undermines the integrity of the authentication process, enabling attackers with file system access or knowledge of the implementation to precompute hash values or mount dictionary attacks.