← Advisories

EyeLock nano NXT 3.5 Local File Disclosure Vulnerability

High

Advisory ID

ZSL-2016-5356

Release Date

10 August 2016

Vendor

EyeLock, LLC - http://www.eyelock.com

Affected Version

NXT Firmware: 3.05.1193 (ICM: 3.5.1), NXT Firmware: 3.04.1108 (ICM: 3.4.13), NXT Firmware: 3.03.944 (ICM: 3.3.2), NXT Firmware: 3.01.646 (ICM: 3.1.13)

CVE

N/A

Tested On

GNU/Linux (armv7l), lighttpd/1.4.35, SQLite/3.8.7.2, PHP/5.6.6

Summary

Nano NXT is the most advanced compact iris-based identity authentication device in Eyelock's comprehensive suite of end-to-end identity authentication solutions. Nano NXT is a miniaturized iris-based recognition system capable of providing real-time identification, both in-motion and at a distance. The Nano NXT is an ideal replacement for card-based systems, and seamlessly controls access to turnstiles, secured entrances, server rooms and any other physical space. Similarly the device is powerful and compact enough to secure high-value transactions, critical databases, network workstations or any other information system.

Description

nano NXT suffers from a file disclosure vulnerability when input passed thru the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources.

	/scripts/logdownload.php:
------------------------

<?php
   header("Content-Type: application/octet-stream");
   header("Content-Disposition: attachment; filename={$_GET['dlfilename']}");
   readfile($_GET['path']);
?>

Proof of Concept

eyelock_lfd.txtTXT

Disclosure Timeline

10.06.2016Vulnerability discovered.

27.06.2016Contact with the vendor.

09.07.2016No response from the vendor.

10.08.2016Public security advisory released.

11.08.2016Vendor responds confirming the issues scheduling patch release.

15.08.2016Vendor releases NXT Firmware: 3.06.1260 (ICM: 3.5.1) to address these issues.

Credits

Vulnerability discovered by Gjoko Krstic

References