EyeLock nano NXT 3.5 Local File Disclosure Vulnerability

2016-08-10T00:00:00
ID ZSL-2016-5356
Type zeroscience
Reporter Gjoko Krstic
Modified 2016-08-10T00:00:00

Description

Title: EyeLock nano NXT 3.5 Local File Disclosure Vulnerability
Advisory ID: ZSL-2016-5356
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 10.08.2016

Summary

Nano NXT is the most advanced compact iris-based identity authentication device in Eyelock's comprehensive suite of end-to-end identity authentication solutions. Nano NXT is a miniaturized iris-based recognition system capable of providing real-time identification, both in-motion and at a distance. The Nano NXT is an ideal replacement for card-based systems, and seamlessly controls access to turnstiles, secured entrances, server rooms and any other physical space. Similarly the device is powerful and compact enough to secure high-value transactions, critical databases, network workstations or any other information system.

Description

nano NXT suffers from a file disclosure vulnerability when input passed thru the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources.

--------------------------------------------------------------------------------

` /scripts/logdownload.php:

1: <?php
2: header("Content-Type: application/octet-stream");
3: header("Content-Disposition: attachment; filename={$_GET['dlfilename']}");
4: readfile($_GET['path']);
5: ?>
`
--------------------------------------------------------------------------------

Vendor

EyeLock, LLC - <http://www.eyelock.com>

Affected Version

NXT Firmware: 3.05.1193 (ICM: 3.5.1)
NXT Firmware: 3.04.1108 (ICM: 3.4.13)
NXT Firmware: 3.03.944 (ICM: 3.3.2)
NXT Firmware: 3.01.646 (ICM: 3.1.13)

Tested On

GNU/Linux (armv7l)
lighttpd/1.4.35
SQLite/3.8.7.2
PHP/5.6.6

Vendor Status

[10.06.2016] Vulnerability discovered.
[27.06.2016] Contact with the vendor.
[09.07.2016] No response from the vendor.
[10.08.2016] Public security advisory released.
[11.08.2016] Vendor responds confirming the issues scheduling patch release.
[15.08.2016] Vendor releases NXT Firmware: 3.06.1260 (ICM: 3.5.1) to address these issues.

PoC

eyelock_lfd.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://www.exploit-db.com/exploits/40227/>
[2] <https://exchange.xforce.ibmcloud.com/vulnerabilities/115920>
[3] <https://cxsecurity.com/issue/WLB-2016080100>
[4] <https://packetstormsecurity.com/files/138274>
[5] <http://www.eyelock.com/index.php/nxt-downloads>

Changelog

[10.08.2016] - Initial release
[13.08.2016] - Added reference [1], [2], [3] and [4]
[17.08.2016] - Added vendor status and reference [5]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;