The researchers have tried two ways to successfully steal the access token in the HTTP header.
Use a Python script (zkteco.py, see below) and a self-signed SSL certificate to simulate ZKBiosecurity Server (ADMS) and do ARP spoofing on HTTPS port 8088.
Wireshark the default deployment, which does HTTP instead of HTTPS.
We found no CSRF to prevent such attack. Moreover, the token has a long life (at least 2 weeks), and is still valid even after FaceDepot 7B (the Android tablet) issues a new token. The token can be used in replay attack, command forgery, arbitrary user addition and privilege escalation (CVE-2020-17474).
We wrote a proof-of-concept to simulate ZKBiosecurity ADMS with reasonably dummy response. The SSL certificate is self-signed. We did not install the CA into the tablet. After taking over ZKBiosecurity Server's IP by arpspoofing, the script is able to obtain the token for further use. FaceDepot tablet reconnects to the server every 2 - 3 minutes and thus automatically submits a legit token.
After SN and token are obtained, it is easy to, for example, create a user, by using cURL:
Administrators of NGINX web servers running PHP-FPM are advised to patch a vulnerability (CVE-2019-11043) that can let threat actors execute remote code on vulnerable, NGINX-enabled web servers. Here’s what you need to know.