

ZKTeco ZEM500-510-560-760 / ZEM600-800 / ZEM720 / ZMM Missing Authentication

ZKTeco ZEM500-510-560-760, ZEM600-800, ZEM720, and ZMM suffer from a missing authentication vulnerability. Versions below 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210) are potentially affected.

Packet Storm
Tags: vulnerability, web, auth
Advisory: Missing Authentication in ZKTeco ZEM/ZMM Web Interface

The ZKTeco time attendance device does not require authentication to use the
web interface, exposing the database of employees and their credentials.

Details
=======

Product: ZKTeco ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM
Affected Versions: potentially versions below 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210)
Fixed Versions: firmware version 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720), firmware version 15.00 (ZMM200-220-210)
Vulnerability Type: Missing Authentication
Security Risk: medium
Vendor URL: https://zkteco.eu/company/history
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-003
Advisory Status: published
CVE: CVE-2022-42953
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42953

Introduction
============

"Time attendance and workforce management is an integrated set of
processes that an institution uses to optimize the productivity of its
employees on the individual, departmental, and entity-wide levels.
ZKTeco has been at the forefront of time attendance solutions for the
last 30 years, integrating advanced biometric technologies with
innovative and versatile terminals."
(from company website)

More Details
============

The ZKTeco ZEM/ZMM device allows storing a list of users and their credentials,
which may be used to log into the device to prove the users' attendance. These
credentials can either be a PIN, a card for a variety of card readers, or a
fingerprint. The user list can be managed through the web interface.

When opening the web interface, for example on http://192.0.2.1/,
the web server of the device sends a Set-Cookie header for a cookie with
name and value similar to the following:

-----------------------------------------------------------------------
Set-Cookie: SessionID=1624553126; path=/;
-----------------------------------------------------------------------

It was determined that the value of the cookie is roughly the number of
seconds since January 1, 1970. Since the value has a constant offset,
that might allow attackers to guess the cookie value. After setting the
cookie, the web server redirects the browser to "/csl/login". The login
form provided at this URL has its form action set to "/csl/check". If
the user provides wrong credentials, the web server responds with an
error message. If the user provides correct credentials, the server
responds with a frameset.

In this frameset various options are available, for example a user list.
The list contains a link titled "Options" for each user item which
references a URL similar to the following:

http://192.0.2.1/csl/user?did=0&uid=123

Additionally, backups of all settings of the device can be downloaded
from the backup page. The request to do so looks similar to the
following:

-----------------------------------------------------------------------
POST /form/DataApp HTTP/1.1
Host: 192.0.2.1
User-Agent: Mozilla/5.0
Cookie: SessionID=1624553126
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
Origin: http://192.0.2.1
Referer: http://192.0.2.1/form/Device?act=11

style=1
-----------------------------------------------------------------------

When the value "1" is given for the field named "style", the web server
responds with the file "device.dat" (corresponding to the option "Backup
System Data" in the web interface); for all other values the server
responds with the file "data.dat" (corresponding to the option "Backup
User Data" in the web interface). Both files can not only be requested
using HTTP-POST, but also using HTTP-GET with the following URLs:

http://192.0.2.1/form/DataApp?style=1
http://192.0.2.1/form/DataApp?style=0

Both files are - even though it's not obvious from the filename -
compressed tar archives. They can be extracted in the following way:

-----------------------------------------------------------------------
$ mv data.dat data.tgz
$ tar xvzf data.tgz
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/group.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/htimezone.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/lockgroup.dat
rwxrwxrwx 500/513    10512 2021-06-23 07:23 mnt/mtdblock/ssruser.dat
rwxr-xr-x root/root 819896 2021-06-18 07:23 mnt/mtdblock/tempinfo.dat
rwxrwxrwx 500/513    19456 2005-05-05 07:05 mnt/mtdblock/template.dat
rw-r--r-- root/root 360448 2021-06-18 07:23 mnt/mtdblock/templatev10.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/timezone.dat
rwxrwxrwx 500/513     1372 2005-05-05 07:25 mnt/mtdblock/user.dat
rwxr-xr-x root/root    120 1970-01-01 01:08 mnt/mtdblock/data/alarm.dat
rwxr-xr-x root/root      0 2021-06-23 09:55 mnt/mtdblock/data/extlog.dat
rwxr-xr-x root/root      0 2013-05-04 01:28 mnt/mtdblock/data/extuser.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/data/group.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/data/htimezone.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/data/lockgroup.dat
rwxr-xr-x root/root  54800 2021-06-23 09:55 mnt/mtdblock/data/oplog.dat
rwxr-xr-x root/root  33200 2021-06-23 07:23 mnt/mtdblock/data/sms.dat
rwxr-xr-x root/root      0 2021-06-23 09:55 mnt/mtdblock/data/ssrattlog.dat
rwxr-xr-x root/root    660 2018-11-09 17:28 mnt/mtdblock/data/stkey.dat
rwxrwxrwx 500/513        0 2013-05-04 01:28 mnt/mtdblock/data/template.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/data/timezone.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/data/transaction.dat
rwxr-xr-x root/root    952 2021-06-23 07:24 mnt/mtdblock/data/udata.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/data/user.dat
rwxr-xr-x root/root      0 2013-05-04 01:28 mnt/mtdblock/data/wkcd.dat
-----------------------------------------------------------------------

In this archive, the file "mnt/mtdblock/templatev10.dat" will likely
contain fingerprints, and the file "mnt/mtdblock/ssruser.dat" contains
the user database. The user database contains 72 byte user records, each
containing the privilege level, the PIN, the name of the user, data
stored on external authentication tokens like cards, and the group of
the user.

While the cookie value might be guessable, it is not used for
authentication purposes. An attacker with knowledge of the
corresponding URLs could access the user detail view or the backup
without any authentication.

Proof of Concept
================

http://192.0.2.1/form/DataApp?style=1
http://192.0.2.1/form/DataApp?style=0
http://192.0.2.1/csl/user?did=0&uid=123

Workaround
==========

Network access to the device should be limited to trustworthy persons.
This might be hard to implement if the device is installed in a public
space, especially if it is used for access control, too.

Fix
===

Currently, it is not known whether a newer version might fix this issue.
Due to the age of the product, the vendor might decide not to create a
fix at all.

Security Risk
=============

Attackers with network access to a ZKTeco ZEM/ZMM time attendance device
can get access to employee data, including the credentials used for
accessing the time attendance device. If these credentials are used for
other purposes than time attendance, such as physical access control,
attackers might use them to gain access to protected areas. The actual
risk estimate varies wildly with the kind of access control system in
place and whether network access to the device is prevented by other
means, such as nearby security guards. For this reason, missing
authentication to the ZEM/ZMM web interface is estimated to pose a medium
risk. This estimate might need to be adjusted to the specific use case
of the device.

Timeline
========

2021-06-24 Vulnerability identified
2021-07-12 Customer approved disclosure to vendor
2021-07-16 Vendor notified
2021-08-20 Vendor provides fixed firmware
2022-09-29 Customer approved release of advisory
2022-10-10 CVE ID requested
2022-10-15 CVE ID assigned
2022-10-24 Advisory published

References
==========

https://zkteco.eu/company/history

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Alter Posthof 1                           Fax : +49 241 510081-99
52062 Aachen                    https://www.redteam-pentesting.de
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer:                       Patrick Hof, Jens Liebchen
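Detection logic for the exposure described in the advisory, as an added example that is not part of the advisory or of any ZKTeco tooling. It assumes a reverse proxy or network sensor in front of the terminal writes common-log-format access logs (a constructed format), and flags requests to the unauthenticated backup and user-detail endpoints that do not originate from an allowlisted administration network, which is the network-restriction workaround the advisory recommends.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints the advisory shows are reachable without any authentication.
SENSITIVE_PATHS = {"/form/DataApp": "backup download", "/csl/user": "user detail view"}

# Common log format line, as a reverse proxy or IDS sensor placed in
# front of the terminal would write it (the log format is an assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_unauthenticated_access(log_lines, allowed_networks):
    """Return one finding per request to a sensitive ZEM/ZMM endpoint that
    did not come from an allowlisted administration network."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        url = urlsplit(m["target"])
        if url.path not in SENSITIVE_PATHS:
            continue
        if any(ipaddress.ip_address(m["ip"]) in net for net in nets):
            continue  # expected administration traffic
        query = parse_qs(url.query)
        findings.append({
            "src": m["ip"],
            "method": m["method"],
            "path": url.path,
            "what": SENSITIVE_PATHS[url.path],
            # style=1 is the system backup (device.dat), any other value the
            # user backup (data.dat); absent for POST, where it is in the body
            "style": query.get("style", [None])[0],
            "uid": query.get("uid", [None])[0],
            "status": int(m["status"]),
        })
    return findings

# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.50 - - [23/Jun/2021:09:55:01 +0200] "GET /csl/login HTTP/1.1" 200 512',
    '192.0.2.50 - - [23/Jun/2021:09:55:07 +0200] "GET /form/DataApp?style=1 HTTP/1.1" 200 819896',
    '192.0.2.50 - - [23/Jun/2021:09:55:12 +0200] "GET /csl/user?did=0&uid=123 HTTP/1.1" 200 2048',
    '10.0.0.5 - - [23/Jun/2021:10:01:00 +0200] "POST /form/DataApp HTTP/1.1" 200 819896',
]
```

A successful (200) hit on /form/DataApp from outside the administration network is the strongest signal, since a full backup transfer is unlikely to be legitimate from an arbitrary client.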

Related news

CVE-2022-42953: RedTeam Pentesting GmbH - Advisories: Publicised Vulnerability Analyses

Certain ZKTeco products (ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM) allow access to sensitive information via direct requests for the form/DataApp?style=1 and form/DataApp?style=0 URLs. The affected versions may be before 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210). The fixed versions are firmware version 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and firmware version 15.00 (ZMM200-220-210).
