ZKTeco ZKBioSecurity 3.0 (visLogin.jsp) Local Authorization Bypass

2016.09.01
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

i>>? ZKTeco ZKBioSecurity 3.0 (visLogin.jsp) Local Authorization Bypass Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd Product web page: http://www.zkteco.com Affected version: 3.0.1.0_R_230 Platform: 3.0.1.0_R_230 Personnel: 1.0.1.0_R_1916 Access: 6.0.1.0_R_1757 Elevator: 2.0.1.0_R_777 Visitor: 2.0.1.0_R_877 Video:2.0.1.0_R_489 Adms: 1.0.1.0_R_197 Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identification and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced solution for a whole new user experience. Desc: The issue exist due to the way visLogin.jsp script processes the login request via the 'EnvironmentUtil.getClientIp(request)' method. It runs a check whether the request is coming from the local machine and sets the ip variable to '127.0.0.1' if equal to 0:0:0:0:0:0:0:1. The ip variable is then used as a username value with the password '123456' to authenticate and disclose sensitive information and/or do unauthorized actions. Tested on: Microsoft Windows 7 Ultimate SP1 (EN) Microsoft Windows 7 Professional SP1 (EN) Apache-Coyote/1.1 Apache Tomcat/7.0.56 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5367 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.php 18.07.2016 -- C:\Program Files (x86)\BioSecurity\MainResource\tomcat\webapps\ROOT\visLogin.jsp: --------------------------------------------------------------------------------- 1: <%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%> 2: <%@page import="com.zk.common.util.EnvironmentUtil"%> 3: <% 4: String path = request.getContextPath(); 5: String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/"; 6: 7: String ip= EnvironmentUtil.getClientIp(request); 8: if("0:0:0:0:0:0:0:1".equals(ip)) 9: { 10: ip = "127.0.0.1"; 11: } 12: 13: %> 14: <jsp:include page="login.jsp"/> 15: <script type="text/javascript" src="/vis/js/jquery.cookie.js"></script> 16: 17: <script> 18: function autoLogin() 19: { 20: $.cookie('backUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 }); 21: $.cookie('customerBackUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 }); 22: var ip = "<%=ip%>"; 23: $("#userLoginForm input[name='username']").val(ip); 24: $("#userLoginForm input[name='password']").val("123456"); 25: $('#userLoginForm').submit(); 26: } 27: window.onload=autoLogin; 28: </script> ---------------------------------------------------------------------------------

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.php


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top