ZKTime Web Software 2.0 - Improper Access Restrictions Vulnerability
2017-10-20T00:00:00
ID: 1337DAY-ID-28827
Type: zdt
Reporter: Arvind V
Modified: 2017-10-20T00:00:00
Description: Exploit for the Windows platform in the web applications category
Exploit Title: ZKTime Web Software 2.0 - Broken Authentication
CVE-ID: CVE-2017-14680
Vendor Homepage: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html
Vendor of Product: ZKTeco
Affected Product Code: ZKTime Web - 2.0.1.12280
Category: WebApps
Author: Arvind V.
Author Social: @Find_Arvind
------------------------------------------
Product description:
ZKTime Web 2.0 is a web-based time and attendance application that communicates with devices over GPRS/WAN, so users can reach the software from anywhere with a web browser and remotely manage hundreds of T&A terminals across complex network conditions (WLAN). The application has an administrator role and an application-user role.
Attack Description:
The application lets users download their time and attendance data as a PDF report. The report contains employee IDs, user IDs, gender, dates of birth, phone numbers and access areas. The generated PDF files are not protected by authentication: anyone who obtains the file-download link can fetch the file directly, with no session required.
Proof of Concept Links:
1) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144237.pdf
2) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144238.pdf
3) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144239.pdf
Impact:
Personal details of the company's employees are disclosed without their consent, which violates user privacy.
The disclosed information can also be used to mount further attacks.
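The flaw described above is that generated reports sit under a web-served /tmp/report_file/ path and are fetched with no session check. The following added example (not ZKTeco's code; session tokens, report names and the storage path are constructed for illustration) shows the shape of the fix: reports are stored outside the web root and handed out only through a handler that requires an authenticated session, validates the file name, and checks that the requester owns the report.

```python
import os
import re

# Constructed sample state for this example: active sessions and report ownership.
# In a real deployment these come from the session store and the report database.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
REPORT_OWNER = {
    "Personnel_20170820144237.pdf": "alice",
    "Personnel_20170820144238.pdf": "bob",
}
# Assumed storage directory: outside the web root, so the static file server cannot reach it.
REPORT_DIR = "/var/app/private/report_file"
# Only plain report names are accepted; this also rules out path traversal ("../").
REPORT_NAME = re.compile(r"^[A-Za-z0-9_]+\.pdf$")


def parse_session_cookie(cookie_header):
    """Extract the 'session' cookie value from a Cookie header, or None."""
    if not cookie_header:
        return None
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


def authorize_report_download(cookie_header, filename, is_admin_user=lambda user: False):
    """Return (http_status, path_or_reason) for a report download request.

    A path is returned only when the caller is authenticated and is the report's
    owner (or an administrator); every other outcome yields an error status.
    """
    # 1. Authentication: no valid session, no file, regardless of the URL.
    user = SESSIONS.get(parse_session_cookie(cookie_header))
    if user is None:
        return 401, "authentication required"
    # 2. Input validation: reject anything that is not a bare report name.
    if not REPORT_NAME.match(filename):
        return 400, "invalid report name"
    # 3. Object-level authorization: unknown and not-owned reports both return 404,
    #    so a non-owner cannot even confirm that a given report exists.
    owner = REPORT_OWNER.get(filename)
    if owner is None or (owner != user and not is_admin_user(user)):
        return 404, "no such report"
    return 200, os.path.join(REPORT_DIR, filename)
```

The returned path is what the application would stream back to the client; the web server itself never exposes REPORT_DIR.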
References:
http://seclists.org/fulldisclosure/2017/Sep/39
http://seclists.org/bugtraq/2017/Sep/20
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14680
Vulnerability Timeline:
18th August 2017 – Vulnerability Discovered
20th August 2017 – Contacted Vendor – No Response
1st September 2017 – Contacted Vendor again – No Response
18th September 2017 – Vulnerability Disclosed
# 0day.today [2018-02-13] #