ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote SYSTEM Code Execution
Title: ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote SYSTEM Code Execution
Advisory ID: ZSL-2016-5362
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 30.08.2016
Platform: 3.0.1.0_R_230
Personnel: 1.0.1.0_R_1916
Access: 6.0.1.0_R_1757
Elevator: 2.0.1.0_R_777
Visitor: 2.0.1.0_R_877
Video:2.0.1.0_R_489
Adms: 1.0.1.0_R_197
Microsoft Windows 7 Professional SP1 (EN)
Apache-Coyote/1.1
Apache Tomcat/7.0.56
[27.07.2016] Vendor contacted.
[29.08.2016] No response from the vendor.
[30.08.2016] Public security advisory released.
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/116484
[3] https://packetstormsecurity.com/files/138567
[4] https://www.exploit-db.com/exploits/40324/
[26.09.2016] - Added reference [1], [2], [3] and [4]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2016-5362
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 30.08.2016
Summary
ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identification and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced solution for a whole new user experience.Description
The ZKBioSecurity solution suffers from a use of hard-coded credentials. The application comes bundled with a pre-configured apache tomcat server and an exposed 'manager' application that after authenticating with the credentials: username: zkteco, password: zkt123, located in tomcat-users.xml file, it allows malicious WAR archive containing a JSP application to be uploaded, thus giving the attacker the ability to execute arbitrary code with SYSTEM privileges.Vendor
ZKTeco Inc. - http://www.zkteco.comAffected Version
3.0.1.0_R_230Platform: 3.0.1.0_R_230
Personnel: 1.0.1.0_R_1916
Access: 6.0.1.0_R_1757
Elevator: 2.0.1.0_R_777
Visitor: 2.0.1.0_R_877
Video:2.0.1.0_R_489
Adms: 1.0.1.0_R_197
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)Microsoft Windows 7 Professional SP1 (EN)
Apache-Coyote/1.1
Apache Tomcat/7.0.56
Vendor Status
[18.07.2016] Vulnerability discovered.[27.07.2016] Vendor contacted.
[29.08.2016] No response from the vendor.
[30.08.2016] Public security advisory released.
PoC
zkbiosecurity_rce.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://cxsecurity.com/issue/WLB-2016080266[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/116484
[3] https://packetstormsecurity.com/files/138567
[4] https://www.exploit-db.com/exploits/40324/
Changelog
[30.08.2016] - Initial release[26.09.2016] - Added reference [1], [2], [3] and [4]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk