ZKTeco ZKBioSecurity 3.0 – ‘visLogin.jsp’ Local Authentication Bypass

Exploit Database
128 阅读

作者： LiquidWorm

日期： 2016-08-31
类别：
- webapps
平台：
- jsp
来源：https://www.exploit-db.com/exploits/40327/

ZKTeco ZKBioSecurity 3.0 (visLogin.jsp) Local Authorization Bypass

Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd

Product web page: http://www.zkteco.com

Affected version: 3.0.1.0_R_230

Platform: 3.0.1.0_R_230

Personnel: 1.0.1.0_R_1916

Access: 6.0.1.0_R_1757

Elevator: 2.0.1.0_R_777

Visitor: 2.0.1.0_R_877

Video:2.0.1.0_R_489

Adms: 1.0.1.0_R_197

Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security

platform developed by ZKTeco. It contains four integrated modules: access

control, video linkage, elevator control and visitor management. With an

optimized system architecture designed for high level biometric identification

and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced

solution for a whole new user experience.

Desc: The issue exist due to the way visLogin.jsp script processes the login

request via the 'EnvironmentUtil.getClientIp(request)' method. It runs a check

whether the request is coming from the local machine and sets the ip variable

to '127.0.0.1' if equal to 0:0:0:0:0:0:0:1. The ip variable is then used as a

username value with the password '123456' to authenticate and disclose sensitive

information and/or do unauthorized actions.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)

Microsoft Windows 7 Professional SP1 (EN)

Apache-Coyote/1.1

Apache Tomcat/7.0.56

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

@zeroscience

Advisory ID: ZSL-2016-5367

Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.php

18.07.2016

C:\Program Files (x86)\BioSecurity\MainResource\tomcat\webapps\ROOT\visLogin.jsp:

---------------------------------------------------------------------------------

1:<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>

2:<%@page import="com.zk.common.util.EnvironmentUtil"%>

3:<%

4:String path = request.getContextPath();

5:String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";

7:String ip= EnvironmentUtil.getClientIp(request);

8:if("0:0:0:0:0:0:0:1".equals(ip))

9:{

10: ip = "127.0.0.1";

11: }

12:

13: %>

14: <jsp:includepage="login.jsp"/>

15: <script type="text/javascript" src="https://www.exploit-db.com/vis/js/jquery.cookie.js"></script>

16:

17: <script>

18: function autoLogin()

19: {

20: $.cookie('backUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 });

21: $.cookie('customerBackUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 });

22: var ip = "<%=ip%>";

23: $("#userLoginForm input[name='username']").val(ip);

24: $("#userLoginForm input[name='password']").val("123456");

25: $('#userLoginForm').submit();

26: }

27: window.onload=autoLogin;

28: </script>

---------------------------------------------------------------------------------