ZKTeco ZKTime.Net Insecure File Permissions

Title: ZKTeco ZKTime.Net Insecure File Permissions
Advisory ID: ZSL-2016-5360
Type: Local
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 30.08.2016
ZKTime.Net V3.0 is a new generation time attendance management software. Meanwhile, it integrates with time attendance and access control system. Some frequently used functions such as attendance reports, device management and employee management can be managed directly on the home page which providing excellent user experience. Owing to the Pay code function, it can generate both time attendance records and corresponding payroll in the software and easy to merge with the most ERP and Payroll software, which can rapidly upgrade your working efficiency. The brand new flat GUI design and humanized structure will make your daily management more pleasant and convenient.
ZKTime.Net suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'C' flag (Change) for 'Everyone' group, making the entire directory 'ZKTimeNet3.0' and its files and sub-dirs world-writable.
ZKTeco Inc. - http://www.zkteco.com
Affected Version (160622) (160216)
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Vendor Status
[18.07.2016] Vulnerability discovered.
[27.07.2016] Vendor contacted.
[29.08.2016] No response from the vendor.
[30.08.2016] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
[1] https://cxsecurity.com/issue/WLB-2016080264
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/116487
[3] https://packetstormsecurity.com/files/138565
[4] https://www.exploit-db.com/exploits/40322/
[30.08.2016] - Initial release
[26.09.2016] - Added reference [1], [2], [3] and [4]
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk