← Advisories

ZKTeco ZKBioSecurity 3.0 (visLogin.jsp) Local Authorization Bypass

Low
Advisory ID
ZSL-2016-5367
Release Date
31 August 2016
Vendor
ZKTeco Inc. - http://www.zkteco.com
Affected Version
3.0.1.0_R_230, Platform: 3.0.1.0_R_230, Personnel: 1.0.1.0_R_1916, Access: 6.0.1.0_R_1757, Elevator: 2.0.1.0_R_777, Visitor: 2.0.1.0_R_877, Video:2.0.1.0_R_489, Adms: 1.0.1.0_R_197
CVE
CVE-2016-20031
Tested On
Microsoft Windows 7 Ultimate SP1 (EN), Microsoft Windows 7 Professional SP1 (EN), Apache-Coyote/1.1, Apache Tomcat/7.0.56
Summary

ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identification and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced solution for a whole new user experience.

Description

The issue exist due to the way visLogin.jsp script processes the login request via the 'EnvironmentUtil.getClientIp(request)' method. It runs a check whether the request is coming from the local machine and sets the ip variable to '127.0.0.1' if equal to 0:0:0:0:0:0:0:1. The ip variable is then used as a username value with the password '123456' to authenticate and disclose sensitive information and/or do unauthorized actions.

Proof of Concept
zkbiosecurity_local.txtTXT
Disclosure Timeline
18.07.2016Vulnerability discovered.
27.07.2016Vendor contacted.
29.08.2016No response from the vendor.
31.08.2016Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://cxsecurity.com/issue/WLB-2016090003
[2]https://exchange.xforce.ibmcloud.com/vulnerabilities/116488
[3]https://packetstormsecurity.com/files/138571
[4]https://www.exploit-db.com/exploits/40327/
[5]https://www.cve.org/CVERecord?id=CVE-2016-20031
Changelog
31.08.2016Initial release
26.09.2016Added reference [1], [2], [3] and [4]
24.03.2026Added reference [5]