ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions

2016-08-30T00:00:00
ID ZSL-2016-5360
Type zeroscience
Reporter Gjoko Krstic
Modified 2016-08-30T00:00:00

Description

Title: ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions
Advisory ID: ZSL-2016-5360
Type: Local
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 30.08.2016

Summary

ZKTime.Net V3.0 is a new generation time attendance management software. Meanwhile, it integrates with time attendance and access control systems. Some frequently used functions such as attendance reports, device management and employee management can be managed directly on the home page, which provides an excellent user experience. Owing to the Pay code function, it can generate both time attendance records and the corresponding payroll in the software, and it is easy to merge with most ERP and Payroll software, which can rapidly upgrade your working efficiency. The brand new flat GUI design and humanized structure will make your daily management more pleasant and convenient.

Description

ZKTime.Net suffers from an elevation of privileges vulnerability that a simple user can exploit by replacing the executable file with a binary of choice. The vulnerability exists due to improper permissions: the 'C' (Change) flag is granted to the 'Everyone' group, making the entire 'ZKTimeNet3.0' directory, its files and its sub-directories world-writable.
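To audit a host for the permission problem described above, the following added example (not part of the original advisory or its PoC) parses a saved `cacls`/`icacls` listing and reports allow entries that give a broad group write-capable rights. The `C:\Example\...` paths, the `app.exe` file name and the listing itself are constructed placeholders, and the set of broad principals and rights letters is an assumption you can extend.

```python
import re

# Well-known principals that contain every unprivileged local user.
BROAD = ("everyone", "builtin\\users", "nt authority\\authenticated users")
# Rights that allow a file to be replaced: F full, M modify (icacls),
# C change (cacls), W write, WD write data, GW/GA generic write/all.
WRITE = {"F", "M", "C", "W", "WD", "GW", "GA"}

# Constructed listing in cacls/icacls layout; paths and file names are placeholders.
SAMPLE = r"""
C:\Example\ZKTimeNet3.0 Everyone:(OI)(CI)C
                        BUILTIN\Administrators:(OI)(CI)F
                        NT AUTHORITY\SYSTEM:(OI)(CI)F
C:\Example\ZKTimeNet3.0\app.exe BUILTIN\Administrators:(I)(F)
                                Everyone:(I)(M)
C:\Example\Hardened BUILTIN\Users:(OI)(CI)(RX)
                    Everyone:(DENY)(W)
Successfully processed 3 files; Failed processing 0 files
"""

def find_weak_aces(listing):
    """Return (path, principal, rights) for each broad, write-capable allow ACE."""
    findings, head = [], ""
    for line in listing.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            head = line  # first line of an object: "<path> <ACE>"
        # The rights always follow the last colon; the principal precedes it.
        left, _, rights = line.rstrip().rpartition(":")
        who = next((left[-len(p):] for p in BROAD
                    if left.lower().endswith(" " + p)), None)
        if who is None:
            continue
        tokens = set(re.findall(r"[A-Z]+", rights))
        if "DENY" in tokens or not tokens & WRITE:
            continue  # deny entries and read/execute-only entries are fine
        # Continuation lines are aligned with the ACE column of the first line,
        # so the indent width tells us where the path ends.
        path = head[:indent].rstrip() if indent else left[:-len(who)].rstrip()
        findings.append((path, who, rights))
    return findings

if __name__ == "__main__":
    for path, who, rights in find_weak_aces(SAMPLE):
        print(f"WEAK ACL  {path}  {who}:{rights}")
```

Run it over the saved output of `icacls <install directory> /T` from a host with an affected version installed; any reported line means a non-administrative account can overwrite that file or directory.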

Vendor

ZKTeco Inc. - <http://www.zkteco.com>

Affected Version

3.0.1.6
3.0.1.5 (160622)
3.0.1.1 (160216)

Tested On

Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)

Vendor Status

[18.07.2016] Vulnerability discovered.
[27.07.2016] Vendor contacted.
[29.08.2016] No response from the vendor.
[30.08.2016] Public security advisory released.

PoC

zktime_eop.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://cxsecurity.com/issue/WLB-2016080264>
[2] <https://exchange.xforce.ibmcloud.com/vulnerabilities/116487>
[3] <https://packetstormsecurity.com/files/138565>
[4] <https://www.exploit-db.com/exploits/40322/>

Changelog

[30.08.2016] - Initial release
[26.09.2016] - Added reference [1], [2], [3] and [4]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        