Home ZKTeco BioTime Missing Authentication
Post
Cancel

ZKTeco BioTime Missing Authentication

ProductZKTeco BioTime
VendorZKTeco Co., Ltd
Tested Versions8.5.4 - 8.5.5 (Build:20221013.1414beta)
Fixed VersionUnresolved
Vulnerability TypeImproper Access Control
CVSSv3.1 SeverityCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE ReferenceCWE-306
CVE ReferenceCVE-2022-30515

Summary

During a recent penetration test, I stumbled upon an instance of the ZKTeco BioTime web application. This application was linked to a time punch clock taking pictures of employees. The management can then analyse these pictures through the web application or an app.

Through some directory fuzzing, I discovered the world-readable directories /files/photo and /files/biophoto. These directories contained the aforementioned pictures, which were viewable without authenticating to the web app. Since the filename structure used in the web application was incremental, brute-forcing all images present was trivial.

Proof of Concept

Remediation

The vendor failed to respond to any communication, leaving the vulnerability present in a default installation. It is recommended to implement access restrictions to prevent access to this data.

Disclosure Timeline

February 2022Vulnerability Discovered
2022-05-09Vendor contacted
2022-05-16Second contact attempt
2022-11-05Vulnerability Published

References

  1. MITRE CVE Reference
  2. ZKTeco Middle East Website
This post is licensed under CC BY 4.0 by the author.