Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zeroscienceGjoko KrsticZSL-2016-5367
HistoryAug 31, 2016 - 12:00 a.m.

ZKTeco ZKBioSecurity 3.0 (visLogin.jsp) Local Authorization Bypass

2016-08-3100:00:00
Gjoko Krstic
zeroscience.mk
72

AI Score

6.8

Confidence

Low

JSON

Title: ZKTeco ZKBioSecurity 3.0 (visLogin.jsp) Local Authorization Bypass
Advisory ID: ZSL-2016-5367
Type: Local/Remote
Impact: Security Bypass
Risk: (2/5)
Release Date: 31.08.2016

Summary

ZKBioSecurity3.0 is the ultimate “All in One” web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identification and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced solution for a whole new user experience.

Description

The issue exist due to the way visLogin.jsp script processes the login request via the ‘EnvironmentUtil.getClientIp(request)’ method. It runs a check whether the request is coming from the local machine and sets the ip variable to ‘127.0.0.1’ if equal to 0:0:0:0:0:0:0:1. The ip variable is then used as a username value with the password ‘123456’ to authenticate and disclose sensitive information and/or do unauthorized actions.

Vendor

ZKTeco Inc. - <http://www.zkteco.com>

Affected Version

3.0.1.0_R_230
Platform: 3.0.1.0_R_230
Personnel: 1.0.1.0_R_1916
Access: 6.0.1.0_R_1757
Elevator: 2.0.1.0_R_777
Visitor: 2.0.1.0_R_877
Video:2.0.1.0_R_489
Adms: 1.0.1.0_R_197

Tested On

Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Apache-Coyote/1.1
Apache Tomcat/7.0.56

Vendor Status

[18.07.2016] Vulnerability discovered.
[27.07.2016] Vendor contacted.
[29.08.2016] No response from the vendor.
[31.08.2016] Public security advisory released.

PoC

zkbiosecurity_local.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://cxsecurity.com/issue/WLB-2016090003&gt;
[2] <https://exchange.xforce.ibmcloud.com/vulnerabilities/116488&gt;
[3] <https://packetstormsecurity.com/files/138571&gt;
[4] <https://www.exploit-db.com/exploits/40327/&gt;

Changelog

[31.08.2016] - Initial release
[26.09.2016] - Added reference [1], [2], [3] and [4]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

<html><body><p>ZKTeco ZKBioSecurity 3.0 (visLogin.jsp) Local Authorization Bypass


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
                  Platform: 3.0.1.0_R_230
                  Personnel: 1.0.1.0_R_1916
                  Access: 6.0.1.0_R_1757
                  Elevator: 2.0.1.0_R_777
                  Visitor: 2.0.1.0_R_877
                  Video:2.0.1.0_R_489
                  Adms: 1.0.1.0_R_197

Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.

Desc: The issue exist due to the way visLogin.jsp script processes the login
request via the 'EnvironmentUtil.getClientIp(request)' method. It runs a check
whether the request is coming from the local machine and sets the ip variable
to '127.0.0.1' if equal to 0:0:0:0:0:0:0:1. The ip variable is then used as a
username value with the password '123456' to authenticate and disclose sensitive
information and/or do unauthorized actions. 

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)
           Apache-Coyote/1.1
           Apache Tomcat/7.0.56


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5367
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.php


18.07.2016

--


C:\Program Files (x86)\BioSecurity\MainResource\tomcat\webapps\ROOT\visLogin.jsp:
---------------------------------------------------------------------------------

1:  &lt;%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%&gt;
2:  &lt;%@page import="com.zk.common.util.EnvironmentUtil"%&gt;
3:  &lt;%
4:  String path = request.getContextPath();
5:  String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
6:
7:  String ip= EnvironmentUtil.getClientIp(request);
8:  if("0:0:0:0:0:0:0:1".equals(ip))
9:  {
10:     ip = "127.0.0.1";
11: }
12:
13: %&gt;
14: <jsp:include page="login.jsp"></jsp:include>
15:   <script src="/vis/js/jquery.cookie.js" type="text/javascript"></script>
16:
17:   <script>
18:       function autoLogin()
19:       {
20:                 $.cookie('backUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 });
21:                 $.cookie('customerBackUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 });
22:         var ip = "<%=ip%>";
23:         $("#userLoginForm input[name='username']").val(ip);
24:         $("#userLoginForm input[name='password']").val("123456");
25:         $('#userLoginForm').submit();
26:       }
27:       window.onload=autoLogin;
28: </script>

---------------------------------------------------------------------------------
</p></body></html>

AI Score

6.8

Confidence

Low

JSON