header-logo
Suggest Exploit
vendor:
ZKTime.Net V3.0
by:
Gjoko 'LiquidWorm' Krstic
7,2
CVSS
HIGH
Elevation of Privileges
264
CWE
Product Name: ZKTime.Net V3.0
Affected Version From: 3.0.1.6
Affected Version To: 3.0.1.1 (160216)
Patch Exists: NO
Related CWE: N/A
CPE: a:zkteco:zktimenet:3.0.1.6
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Microsoft Windows 7 Ultimate SP1 (EN), Microsoft Windows 7 Professional SP1 (EN)
2016

ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions

ZKTime.Net suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'C' flag (Change) for 'Everyone' group, making the entire directory 'ZKTimeNet3.0' and its files and sub-dirs world-writable.

Mitigation:

Ensure that the permissions of the directory 'ZKTimeNet3.0' and its files and sub-dirs are not world-writable.
Source

Exploit-DB raw data:

ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.6
                  3.0.1.5 (160622)
                  3.0.1.1 (160216)

Summary: ZKTime.Net V3.0 is a new generation time attendance
management software. Meanwhile, it integrates with time attendance
and access control system. Some frequently used functions such as
attendance reports, device management and employee management can
be managed directly on the home page which providing excellent user
experience. Owing to the Pay code function, it can generate both
time attendance records and corresponding payroll in the software
and easy to merge with the most ERP and Payroll software, which can
rapidly upgrade your working efficiency. The brand new flat GUI design
and humanized structure will make your daily management more pleasant
and convenient.

Desc: ZKTime.Net suffers from an elevation of privileges vulnerability
which can be used by a simple user that can change the executable file
with a binary of choice. The vulnerability exist due to the improper
permissions, with the 'C' flag (Change) for 'Everyone' group, making the
entire directory 'ZKTimeNet3.0' and its files and sub-dirs world-writable.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5360
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5360.php


18.07.2016

--


C:\>showacls "c:\Program Files (x86)\ZKTimeNet3.0"
c:\Program Files (x86)\ZKTimeNet3.0
                Everyone                  Change [RWXD]
                NT SERVICE\TrustedInstaller Special Access [A]
                NT AUTHORITY\SYSTEM       Special Access [A]
                BUILTIN\Administrators    Special Access [A]
                BUILTIN\Users             Special Access [RX]
                CREATOR OWNER             Special Access [A]


C:\>showacls "c:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe"
c:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe
                Everyone                  Change [RWXD]



C:\Program Files (x86)>cacls ZKTimeNet3.0
C:\Program Files (x86)\ZKTimeNet3.0 Everyone:(OI)(CI)C
                                    NT SERVICE\TrustedInstaller:(ID)F
                                    NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                    NT AUTHORITY\SYSTEM:(ID)F
                                    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                    BUILTIN\Administrators:(ID)F
                                    BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                    BUILTIN\Users:(ID)R
                                    BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
                                                                  GENERIC_READ
                                                                  GENERIC_EXECUTE

                                    CREATOR OWNER:(OI)(CI)(IO)(ID)F


C:\Program Files (x86)\ZKTimeNet3.0>cacls *.exe
C:\Program Files (x86)\ZKTimeNet3.0\LanguageTranslate.exe Everyone:C
                                                          Everyone:(ID)C
                                                          NT AUTHORITY\SYSTEM:(ID)F
                                                          BUILTIN\Administrators:(ID)F
                                                          BUILTIN\Users:(ID)R

C:\Program Files (x86)\ZKTimeNet3.0\unins000.exe Everyone:(ID)C
                                                 NT AUTHORITY\SYSTEM:(ID)F
                                                 BUILTIN\Administrators:(ID)F
                                                 BUILTIN\Users:(ID)R

C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.DBTT.exe Everyone:C
                                                       Everyone:(ID)C
                                                       NT AUTHORITY\SYSTEM:(ID)F
                                                       BUILTIN\Administrators:(ID)F
                                                       BUILTIN\Users:(ID)R

C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe Everyone:C
                                                  Everyone:(ID)C
                                                  NT AUTHORITY\SYSTEM:(ID)F
                                                  BUILTIN\Administrators:(ID)F
                                                  BUILTIN\Users:(ID)R

C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.Update.exe Everyone:C
                                                         Everyone:(ID)C
                                                         NT AUTHORITY\SYSTEM:(ID)F
                                                         BUILTIN\Administrators:(ID)F
                                                         BUILTIN\Users:(ID)R

C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.ZKTime5DB.exe Everyone:C
                                                            Everyone:(ID)C
                                                            NT AUTHORITY\SYSTEM:(ID)F
                                                            BUILTIN\Administrators:(ID)F
                                                            BUILTIN\Users:(ID)R

Navigation

Suggest Exploit

Services By CQR