EyeLock nano NXT 3.5 Local File Disclosure Vulnerability

Title: EyeLock nano NXT 3.5 Local File Disclosure Vulnerability
Advisory ID: ZSL-2016-5356
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 10.08.2016
Summary
Nano NXT is the most advanced compact iris-based identity authentication device in Eyelock's comprehensive suite of end-to-end identity authentication solutions. Nano NXT is a miniaturized iris-based recognition system capable of providing real-time identification, both in-motion and at a distance. The Nano NXT is an ideal replacement for card-based systems, and seamlessly controls access to turnstiles, secured entrances, server rooms and any other physical space. Similarly the device is powerful and compact enough to secure high-value transactions, critical databases, network workstations or any other information system.
Description
nano NXT suffers from a file disclosure vulnerability when input passed thru the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources.

--------------------------------------------------------------------------------

/scripts/logdownload.php:
------------------------

1: <?php
2: header("Content-Type: application/octet-stream");
3: header("Content-Disposition: attachment; filename={$_GET['dlfilename']}");
4: readfile($_GET['path']);
5: ?>

--------------------------------------------------------------------------------

Vendor
EyeLock, LLC - http://www.eyelock.com
Affected Version
NXT Firmware: 3.05.1193 (ICM: 3.5.1)
NXT Firmware: 3.04.1108 (ICM: 3.4.13)
NXT Firmware: 3.03.944 (ICM: 3.3.2)
NXT Firmware: 3.01.646 (ICM: 3.1.13)
Tested On
GNU/Linux (armv7l)
lighttpd/1.4.35
SQLite/3.8.7.2
PHP/5.6.6
Vendor Status
[10.06.2016] Vulnerability discovered.
[27.06.2016] Contact with the vendor.
[09.07.2016] No response from the vendor.
[10.08.2016] Public security advisory released.
[11.08.2016] Vendor responds confirming the issues scheduling patch release.
[15.08.2016] Vendor releases NXT Firmware: 3.06.1260 (ICM: 3.5.1) to address these issues.
PoC
eyelock_lfd.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/40227/
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/115920
[3] https://cxsecurity.com/issue/WLB-2016080100
[4] https://packetstormsecurity.com/files/138274
[5] http://www.eyelock.com/index.php/nxt-downloads
Changelog
[10.08.2016] - Initial release
[13.08.2016] - Added reference [1], [2], [3] and [4]
[17.08.2016] - Added vendor status and reference [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk