ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 long-lasting token vulnerability
描述
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.
The vulnerability has been submitted to ZDI on Dec 3, 2019.
ZDI got one response from the vendor which acknowledged but not confirmed the vulnerability. The responsible disclosure expired on April 30, 2020.
The vendor addressed the vulnerability and has recommended to install an updated version of the software. The update can be found via the vendor's link:
Details
The researchers have tried two ways to successfully steal the access token in the HTTP header.
- Use a Python script (zkteco.py, see below) and a self-signed SSL certificate to simulate ZKBiosecurity Server (ADMS) and do ARP spoofing on HTTPS port 8088.
- Wireshark the default deployment, which does HTTP instead of HTTPS.
We found no CSRF to prevent such attack. Moreover, the token has a long life (at least 2 weeks), and is still valid even after FaceDepot 7B (the Android tablet) issues a new token. The token can be used in replay attack, command forgery, arbitrary user addition and privilege escalation (CVE-2020-17474).
We wrote a proof-of-concept to simulate ZKBiosecurity ADMS with reasonably dummy response. The SSL certificate is self-signed. We did not install the CA into the tablet. After taking over ZKBiosecurity Server's IP by arpspoofing, the script is able to obtain the token for further use. FaceDepot tablet reconnects to the server every 2 - 3 minutes and thus automatically submits a legit token.
After SN and token are obtained, it is easy to, for example, create a user, by using cURL:
curl -v -L -X POST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=user&count=1' -b 'token=a72182ceb8e4695ea84300155953566d' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' -H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' -d@bugoy.user.post
Where the content of bugoy.user.post is:
user uuid= cardno= pin=11111 password= group=1 starttime=0 endtime=0 name=Bugoy Test1 privilege=14 disable=0 verify=0
Vulnerability Type
- CWE-613: Insufficient Session Expiration
- CWE-295: Improper Certificate Validation
Attack Type
Remote
Impact Information Disclosure
true
Attack Vectors
An attacker who is able to sniff the network or arp-spoof with a fake server obtains a long-lasting token.
Mitigation
- Deploy a firewall in front of ZKBiosecurity Server and enforce allowed IP list and allowed MAC list.
- Deny all unlisted access.
Discoverer
Roel Reyes, Joey Costoya, Philippe Lin, Vincenzo Ciancaglini, Morton Swimmer