ZKTeco ZKBioSecurity 3.0 - 'visLogin.jsp' Local Authentication Bypass

EDB-ID:

40327

CVE:

N/A

EDB Verified:

Author:

LiquidWorm

Type:

webapps

Exploit:   /  

Platform:

JSP

Date:

2016-08-31

Vulnerable App: 
ZKTeco ZKBioSecurity 3.0 (visLogin.jsp) Local Authorization Bypass


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
                  Platform: 3.0.1.0_R_230
                  Personnel: 1.0.1.0_R_1916
                  Access: 6.0.1.0_R_1757
                  Elevator: 2.0.1.0_R_777
                  Visitor: 2.0.1.0_R_877
                  Video:2.0.1.0_R_489
                  Adms: 1.0.1.0_R_197

Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.

Desc: The issue exist due to the way visLogin.jsp script processes the login
request via the 'EnvironmentUtil.getClientIp(request)' method. It runs a check
whether the request is coming from the local machine and sets the ip variable
to '127.0.0.1' if equal to 0:0:0:0:0:0:0:1. The ip variable is then used as a
username value with the password '123456' to authenticate and disclose sensitive
information and/or do unauthorized actions. 

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)
           Apache-Coyote/1.1
           Apache Tomcat/7.0.56


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5367
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.php


18.07.2016

--


C:\Program Files (x86)\BioSecurity\MainResource\tomcat\webapps\ROOT\visLogin.jsp:
---------------------------------------------------------------------------------

1:  <%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
2:  <%@page import="com.zk.common.util.EnvironmentUtil"%>
3:  <%
4:  String path = request.getContextPath();
5:  String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
6:
7:  String ip= EnvironmentUtil.getClientIp(request);
8:  if("0:0:0:0:0:0:0:1".equals(ip))
9:  {
10:     ip = "127.0.0.1";
11: }
12:
13: %>
14: <jsp:include  page="login.jsp"/>
15:   <script type="text/javascript" src="/vis/js/jquery.cookie.js"></script>
16:
17:   <script>
18:       function autoLogin()
19:       {
20:                 $.cookie('backUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 });
21:                 $.cookie('customerBackUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 });
22:         var ip = "<%=ip%>";
23:         $("#userLoginForm input[name='username']").val(ip);
24:         $("#userLoginForm input[name='password']").val("123456");
25:         $('#userLoginForm').submit();
26:       }
27:       window.onload=autoLogin;
28: </script>

---------------------------------------------------------------------------------
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services