CVE-2022-38803 - Zkteco BioTime 8.5.3 Vulnerability Exploit: Incorrect Access Control and XSS in PDF Generator

CVE-2022-38803 is a critical security vulnerability found in Zkteco BioTime application, version 8.5.3 Build 20200816.447. This vulnerability allows an authenticated employee to perform incorrect access control attacks on sensitive information through the leave, overtime, and manual log modules available on Zkteco BioTime. Additionally, an attacker can exploit cross-site scripting (XSS) vulnerabilities by injecting malicious code into a PDF generator when exporting data as a PDF file.

Complexity: Medium
Impact: High

The impact of exploiting this vulnerability is considerable, as an attacker might gain access to important information, including employee details, confidential reports, and other secured data. This data can later be used for identity theft, unauthorized access to other systems, and potentially cause reputational damage to the organization.

This is a sample code snippet demonstrating how an attacker might exploit this vulnerability

// Prepare XSS payload - base64-encoded content of a local file
var fileContent = "data:text/html;base64,PGI+SGVsbG8sIHdvcmxkITwvYj4K";

// Create an iframe to open a PDF generator
var iframe = document.createElement("iframe");
iframe.src = "/BioTime/modules/leave/exportPdf.php?filename=XSS_"+fileContent;
iframe.style.display = "none";
document.body.appendChild(iframe);

This code snippet exploits the XSS vulnerability in the PDF generator and takes advantage of the incorrect access control in the leave, overtime, and manual log modules.

Original References

The original findings related to the CVE-2022-38803 vulnerability were published in the following references:

1. NVD - National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2022-38803
2. Zkteco BioTime official website: https://www.zkteco.com/product/biotime_bi.html
3. Exploit DB report: https://www.exploit-db.com/exploits/52281

Exploit Details

The Zkteco BioTime application, version 8.5.3 Build 20200816.447, has a major flaw in its security mechanisms. The leave, overtime, and manual log modules allow an authenticated employee to access certain information without proper authorization checks in place. This implies that an attacker with employee credentials can easily bypass security restrictions and access confidential company data.

One way to exploit this flaw is by taking advantage of an XSS vulnerability in the PDF generator. The attacker injects a malicious code through the URL parameter called "filename" when exporting data into a PDF file. The code is executed in the context of the user's browser, allowing the attacker to fetch local files and read their content. This makes it easier for the attacker to illicitly access sensitive data stored on the BioTime system.

Conclusion

To mitigate the risks associated with this vulnerability, it is highly recommended that organizations using Zkteco BioTime 8.5.3 upgrade to a newer version with improved security features. In addition, it is essential to maintain strong access control policies within the company, ensuring that employees have the least privilege necessary to perform their duties. Regular security audits and constant monitoring of access logs can help detect any suspicious activity or unauthorized access. By implementing these best practices, organizations can minimize the risk of exploitation and protect their valuable data.

Timeline

Published on: 11/30/2022 14:15:00 UTC
Last modified on: 12/02/2022 17:18:00 UTC