ZKTeco ZKTime.Net 3.0.1.6 – Insecure File Permissions Privilege Escalation

• Exploit Database
• 34 阅读

• 作者： LiquidWorm
  日期： 2016-08-31
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/40322/

• ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions
  
  
  Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
  Product web page: http://www.zkteco.com
  Affected version: 3.0.1.6
  3.0.1.5 (160622)
  3.0.1.1 (160216)
  
  Summary: ZKTime.Net V3.0 is a new generation time attendance
  management software. Meanwhile, it integrates with time attendance
  and access control system. Some frequently used functions such as
  attendance reports, device management and employee management can
  be managed directly on the home page which providing excellent user
  experience. Owing to the Pay code function, it can generate both
  time attendance records and corresponding payroll in the software
  and easy to merge with the most ERP and Payroll software, which can
  rapidly upgrade your working efficiency. The brand new flat GUI design
  and humanized structure will make your daily management more pleasant
  and convenient.
  
  Desc: ZKTime.Net suffers from an elevation of privileges vulnerability
  which can be used by a simple user that can change the executable file
  with a binary of choice. The vulnerability exist due to the improper
  permissions, with the 'C' flag (Change) for 'Everyone' group, making the
  entire directory 'ZKTimeNet3.0' and its files and sub-dirs world-writable.
  
  Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
   Microsoft Windows 7 Professional SP1 (EN)
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2016-5360
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5360.php
  
  
  18.07.2016
  
  --
  
  
  C:\>showacls "c:\Program Files (x86)\ZKTimeNet3.0"
  c:\Program Files (x86)\ZKTimeNet3.0
  EveryoneChange [RWXD]
  NT SERVICE\TrustedInstaller Special Access [A]
  NT AUTHORITY\SYSTEM Special Access [A]
  BUILTIN\AdministratorsSpecial Access [A]
  BUILTIN\Users Special Access [RX]
  CREATOR OWNER Special Access [A]
  
  
  C:\>showacls "c:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe"
  c:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe
  EveryoneChange [RWXD]
  
  
  
  C:\Program Files (x86)>cacls ZKTimeNet3.0
  C:\Program Files (x86)\ZKTimeNet3.0 Everyone:(OI)(CI)C
  NT SERVICE\TrustedInstaller:(ID)F
  NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
  NT AUTHORITY\SYSTEM:(ID)F
  NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
  BUILTIN\Administrators:(ID)F
  BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
  BUILTIN\Users:(ID)R
  BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
  GENERIC_READ
  GENERIC_EXECUTE
  
  CREATOR OWNER:(OI)(CI)(IO)(ID)F
  
  
  C:\Program Files (x86)\ZKTimeNet3.0>cacls *.exe
  C:\Program Files (x86)\ZKTimeNet3.0\LanguageTranslate.exe Everyone:C
  Everyone:(ID)C
  NT AUTHORITY\SYSTEM:(ID)F
  BUILTIN\Administrators:(ID)F
  BUILTIN\Users:(ID)R
  
  C:\Program Files (x86)\ZKTimeNet3.0\unins000.exe Everyone:(ID)C
   NT AUTHORITY\SYSTEM:(ID)F
   BUILTIN\Administrators:(ID)F
   BUILTIN\Users:(ID)R
  
  C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.DBTT.exe Everyone:C
   Everyone:(ID)C
   NT AUTHORITY\SYSTEM:(ID)F
   BUILTIN\Administrators:(ID)F
   BUILTIN\Users:(ID)R
  
  C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe Everyone:C
  Everyone:(ID)C
  NT AUTHORITY\SYSTEM:(ID)F
  BUILTIN\Administrators:(ID)F
  BUILTIN\Users:(ID)R
  
  C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.Update.exe Everyone:C
   Everyone:(ID)C
   NT AUTHORITY\SYSTEM:(ID)F
   BUILTIN\Administrators:(ID)F
   BUILTIN\Users:(ID)R
  
  C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.ZKTime5DB.exe Everyone:C
  Everyone:(ID)C
  NT AUTHORITY\SYSTEM:(ID)F
  BUILTIN\Administrators:(ID)F
  BUILTIN\Users:(ID)R