← Advisories

ZKTeco ZKBioSecurity 3.0 CSRF Add Superadmin Exploit

Medium

Advisory ID

ZSL-2016-5364

Release Date

31 August 2016

Vendor

ZKTeco Inc. - http://www.zkteco.com

Affected Version

3.0.1.0_R_230, Platform: 3.0.1.0_R_230, Personnel: 1.0.1.0_R_1916, Access: 6.0.1.0_R_1757, Elevator: 2.0.1.0_R_777, Visitor: 2.0.1.0_R_877, Video:2.0.1.0_R_489, Adms: 1.0.1.0_R_197

CVE

CVE-2016-20028

Tested On

Microsoft Windows 7 Ultimate SP1 (EN), Microsoft Windows 7 Professional SP1 (EN), Apache-Coyote/1.1, Apache Tomcat/7.0.56

Summary

ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identification and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced solution for a whole new user experience.

Description

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Proof of Concept

zkbiosecurity_csrf.htmlTXT

Disclosure Timeline

18.07.2016Vulnerability discovered.

27.07.2016Vendor contacted.

29.08.2016No response from the vendor.

31.08.2016Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://cxsecurity.com/issue/WLB-2016080268

[2]https://exchange.xforce.ibmcloud.com/vulnerabilities/116477

[3]https://packetstormsecurity.com/files/138569

[4]https://www.exploit-db.com/exploits/40325/

[5]https://www.cve.org/CVERecord?id=CVE-2016-20028

Changelog

31.08.2016Initial release

26.09.2016Added reference [1], [2], [3] and [4]

24.03.2026Added reference [5]