Zero Science Lab » ZKTeco ZKAccess Professional 3.5.3 Insecure File Permissions

ZKTeco ZKAccess Professional 3.5.3 Insecure File Permissions

Title: ZKTeco ZKAccess Professional 3.5.3 Insecure File Permissions
Advisory ID: ZSL-2016-5361
Type: Local
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 30.08.2016

Summary

ZKAccess 3.5 is a desktop software which is suitable for small and medium businesses application. Compatible with all ZKAccess standalone reader controllers, the software can simultaneously manage access control and generate attendance report. The brand new flat GUI design and humanized structure of new ZKAccess 3.5 will make your daily management more pleasant and convenient.

Description

ZKAccess suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'M' flag (Modify) for 'Authenticated Users' group.

Vendor

ZKTeco Inc. - http://www.zkteco.com

Affected Version

3.5.3 (Build 0005)

Tested On

Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)

Vendor Status

[18.07.2016] Vulnerability discovered.
[27.07.2016] Vendor contacted.
[29.08.2016] No response from the vendor.
[30.08.2016] Public security advisory released.

PoC

zkaccess_eop.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://cxsecurity.com/issue/WLB-2016080265
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/116486
[3] https://packetstormsecurity.com/files/138566
[4] https://www.exploit-db.com/exploits/40323/

Changelog

[30.08.2016] - Initial release
[26.09.2016] - Added reference [1], [2], [3] and [4]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk