- ABB Cylon Aspect 3.07.01 Hard-Coded Credentials[6]
- Authored by LiquidWorm[7] | Site zeroscience.mk[8]
The ABB Cylon Aspect version 3.07.01 BMS/BAS controller runs with default, hard-coded credentials shipped in its install package while it is exposed to the Internet.
- advisories | CVE-2024-4007[9]
- SHA-256 | 77c571a0aaea9e72f54148bf830ecd55a32afc329d2af950110f41d58c705470
ABB Cylon Aspect 3.07.01 (config.inc.php) Hard-coded Credentials in phpMyAdmin
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.07.01
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller runs with default, hard-coded credentials
shipped in its install package while it is exposed to the Internet.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
phpMyAdmin 2.11.9
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Reported by DIVD
Advisory ID: ZSL-2024-5830
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5830.php
CVE ID: CVE-2024-4007
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-4007
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ cat max/var/www/html/phpMyAdmin/config.inc.php | grep control
$cfg['Servers'][$i]['controluser'] = 'root';
$cfg['Servers'][$i]['controlpass'] = 'F@c1liTy';
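An audit check for this class of finding, added here as example code that is not part of the advisory and not ABB's or phpMyAdmin's own code. It parses the `$cfg['Servers'][$i][...]` assignments in a phpMyAdmin config.inc.php and flags a control account that is the MySQL root user, or a control/login password stored as a string literal in the file. Both sample configurations are constructed: the vulnerable one mirrors the two lines the advisory greps out above, the hardened one assumes a dedicated `pma` account (phpMyAdmin's controluser only needs limited privileges for the configuration storage) whose password is read from an environment variable named `PMA_CONTROL_PASS`. That account name and variable name are assumptions for the example, not something the page describes.

```python
import re
from dataclasses import dataclass

# Matches one phpMyAdmin server setting on a (whitespace-stripped) line, e.g.
#   $cfg['Servers'][$i]['controlpass'] = 'F@c1liTy';
# The value group captures the right-hand side up to the terminating ';',
# allowing a trailing '//' or '#' comment.
SETTING_RE = re.compile(
    r"\$cfg\['Servers'\]\[\$i\]\['(?P<key>\w+)'\]\s*=\s*(?P<value>.+?)\s*;\s*(?://.*|#.*)?$"
)
# A plain single- or double-quoted PHP string literal and nothing else.
LITERAL_RE = re.compile(r"""^(?:'([^']*)'|"([^"]*)")$""")

SECRET_KEYS = {"controlpass", "password"}   # must never be a literal in the file
ACCOUNT_KEYS = {"controluser", "user"}      # must never be the MySQL root account


@dataclass(frozen=True)
class Finding:
    line: int
    key: str
    reason: str


def parse_server_settings(text):
    """Return (line_no, key, raw_value) for every live $cfg['Servers'][$i][...] assignment."""
    settings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue  # commented-out settings are not live configuration
        m = SETTING_RE.search(stripped)
        if m:
            settings.append((line_no, m.group("key"), m.group("value").strip()))
    return settings


def php_string_literal(raw):
    """Contents of raw if it is a quoted PHP string literal, else None (e.g. getenv(...))."""
    m = LITERAL_RE.match(raw)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def audit_pma_config(text):
    """Flag hard-coded secrets and root control accounts in a phpMyAdmin config.inc.php."""
    findings = []
    for line_no, key, raw in parse_server_settings(text):
        literal = php_string_literal(raw)
        if key in SECRET_KEYS and literal is not None:
            reason = "empty password" if literal == "" else "password is a string literal in config.inc.php"
            findings.append(Finding(line_no, key, f"{key}: {reason}"))
        if key in ACCOUNT_KEYS and literal == "root":
            findings.append(Finding(line_no, key, f"{key}: MySQL root account used as phpMyAdmin account"))
    return findings


# Constructed sample: the shape of the finding in the advisory (root control user,
# literal control password, as in the two grep hits above).
VULNERABLE_CONFIG = """<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['controluser'] = 'root';
$cfg['Servers'][$i]['controlpass'] = 'F@c1liTy';
"""

# Constructed sample of the corrected shape: dedicated low-privilege control
# account, password injected at runtime (account and variable names are assumed).
HARDENED_CONFIG = """<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['controlpass'] = getenv('PMA_CONTROL_PASS');
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_pma_config(cfg) or []:
            print(f"  line {f.line}: {f.reason}")
```

Run it against a real `config.inc.php` by reading the file into a string and passing it to `audit_pma_config`; zero findings means the control and login credentials are neither root nor literals, which is the state an exposed controller should be in. The check deliberately ignores commented-out lines so that a disabled default left in the file for reference does not mask or duplicate a live one.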