Searching for vulnerabilities in a biometric terminal

Last week, Kaspersky Lab researchers published a detailed report on the search for vulnerabilities in a biometric terminal made by ZKTeco. The terminal provides facial recognition of users, but also offers backup authentication methods: a PIN code and a QR code, which is scanned by the built-in camera. The article describes in detail the typical process of examining a device for hardware and software vulnerabilities, including analysis of the hardware, of the physical and network interfaces, and of the firmware. The list of vulnerabilities found is no less interesting: 24 were discovered in total. The authors conclude that this advanced technology was implemented in an extremely unsafe manner.

In addition to traditional vulnerabilities, such as a hard-coded SSH password and missing or easily broken protection of communications over a proprietary network protocol, the ZKTeco device was found to be susceptible to an attack using a “malicious” QR code. The lack of necessary checks on user-supplied data either causes an emergency reboot of the biometric terminal or, much more interestingly, allows SQL injection and thus a bypass of the authentication system. Detailed technical descriptions of each vulnerability are published in a GitHub repository.


The ZKTeco terminal under study looks like this:

And this is what “hacking” this terminal looks like using a prepared QR code:

The QR code encodes a query to the database. Because user input is barely validated, if at all, the query succeeds, and the terminal simply “opens” access. Further analysis of the firmware showed that this attack method has one small limitation: the size of the processed data is limited to 20 bytes:

This rules out complex SQL injections, but it is still enough to completely bypass the security system that the terminal is, in fact, designed to provide. Moreover, if the device is “shown” a QR code with a large amount of encoded data (1 kilobyte or more), the code is read, but the handling process hangs. The absence of a response from this function is treated as an error condition, which forces a reboot of the device. Besides this successfully found vulnerability, the study also shows dead-end search directions. For example, connecting to the serial interface pins on the board made it possible to read the boot log, but did not help in finding vulnerabilities. Analysis of the network interfaces revealed that the device can be reached via SSH on a non-standard port, as well as via a proprietary network protocol on TCP port 4370. This information became useful later, after the device’s firmware had been analyzed.
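To make the input-handling defect concrete, here is an added example (not code from the report or from the ZKTeco firmware) that contrasts a lookup which splices QR data straight into SQL with a hardened handler that enforces the 20-byte limit the report mentions, validates the payload, and binds it as a parameter. The table, column names and the digits-only badge format are assumptions; a tiny in-memory SQLite database stands in for the terminal’s user store.

```python
import sqlite3

# Constructed stand-in for the terminal's user table (assumption: the real
# schema, table and column names are not given in the report).
QR_MAX_BYTES = 20  # payload limit the firmware analysis reports


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (badge TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("100042", "alice"), ("100077", "bob")])
    return db


def lookup_unsafe(payload: bytes):
    """The defect the report describes: QR data spliced straight into SQL."""
    db = make_db()
    text = payload.decode("latin-1")
    row = db.execute(
        f"SELECT name FROM users WHERE badge = '{text}'").fetchone()
    return row[0] if row else None


def lookup_safe(payload: bytes):
    """Hardened handler: bound, validate and bind the QR data first."""
    if len(payload) > QR_MAX_BYTES:
        return None              # oversized payload dropped before any parsing
    try:
        badge = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not badge.isdigit():      # badge identifiers are digits only (assumption)
        return None
    db = make_db()
    row = db.execute("SELECT name FROM users WHERE badge = ?",
                     (badge,)).fetchone()
    return row[0] if row else None
```

The same length check that rejects a quote-bearing payload also discards the oversized (1 KB) QR code before anything can hang on it.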

We managed to find a firmware update for one variant of this terminal on the Internet. Its analysis showed that the update is encrypted, or rather lightly obfuscated, using XOR, where the key is derived from the last 16 bytes of the update file and its size. After decryption, it turned out that the update does not contain the full firmware of the device; instead, individual files are updated. However, we managed to extract the full firmware from the flash memory chip of the terminal itself. Analysis of that firmware revealed a whole set of vulnerabilities. Firstly, the password for connecting via SSH turned out to be hard-coded. Although this does not grant maximum privileges on the device, logging in via SSH gave access to sensitive data. A separate password is used for authorization over the proprietary protocol (available on port 4370), but by default none is set at all. Even if the device operator has changed this password, it is an integer from 0 to 999999 and can easily be guessed, or simply read after logging in via SSH.

Further analysis of the commands available via the proprietary network interface revealed a number of other vulnerabilities. In particular, the CMD_DELETE_PICTURE command involves sending the device the name of the file to be deleted. This data is likewise not checked, yet the command is executed with system privileges. As a result, it allows complete control over the device to be gained.
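As an added example (not code from the report or the firmware), the following shows how a file-deletion command of this kind can be handled without the defect described above: the name is validated against a strict pattern, the resolved path must stay inside the picture directory (so neither traversal nor a planted symlink can redirect the delete), and the file is removed without passing through a shell. The directory layout, the picture naming rule and the hostile names in the demo are all constructed assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed naming rule for stored pictures; the real firmware's rules and
# paths are not given in the report.
PICTURE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(?:jpg|png)$")


def delete_picture(picture_dir: Path, name: str) -> bool:
    """Delete `name` only if it is a plain picture file inside picture_dir."""
    if not PICTURE_NAME.fullmatch(name):
        return False   # rejects shell metacharacters, '/', '..' and empty names
    root = picture_dir.resolve()
    # resolve() follows symlinks, so a link planted in the directory cannot
    # point the delete at a file outside it
    real = (root / name).resolve()
    if real.parent != root or not real.is_file():
        return False
    os.remove(real)    # no shell involved, so nothing to inject into
    return True


def demo() -> dict:
    """Constructed scenario: one real picture, one escaping symlink, hostile names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "pictures"
        root.mkdir()
        (root / "user1.jpg").write_bytes(b"\xff\xd8")
        outside = Path(tmp) / "secret.jpg"
        outside.write_bytes(b"x")
        os.symlink(outside, root / "link.jpg")
        results = {
            "traversal": delete_picture(root, "../secret.jpg"),
            "shell_meta": delete_picture(root, "a;reboot.jpg"),
            "symlink": delete_picture(root, "link.jpg"),
            "legit": delete_picture(root, "user1.jpg"),
        }
        results["outside_survives"] = outside.exists()
        results["legit_gone"] = not (root / "user1.jpg").exists()
    return results
```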

Several vulnerabilities leading to buffer overflows and subsequent arbitrary code execution were also discovered in the same protocol handling, as well as another set of potential SQL injections. Finally, the researchers simulated a situation in which the device connects to a malicious control server, which makes a number of hijacking scenarios possible.

Most of the discovered vulnerabilities require access to the (supposedly) secure local network to which the device is connected; the QR code attack is, naturally, the exception. Exploiting the vulnerabilities in the device’s firmware would, in theory, allow the access control system protected by such a terminal to be bypassed. The overall tally of the work is as follows: 6 SQL injections, 7 stack buffer overflows, 5 command injections, 4 arbitrary file writes and 2 arbitrary file reads.

What else happened:

In another study, Kaspersky Lab experts analyzed the security of the Cinterion EHS5-E series industrial modem. During the study, 7 vulnerabilities were discovered in the device.

Microsoft has decided to postpone the launch of the Recall feature, previously scheduled for June 18. Last week we discussed in detail the security problems of keeping a full history of user actions in the form of screenshots and a database of recognized text.

An interesting publication demonstrates how GitHub’s AI assistant Copilot can expose sensitive data to an attacker. In this scenario, the attacker plants code on the victim developer, who then analyzes it using Copilot. Invoking Copilot on that code results in a request to the attacker’s web server carrying data about the victim’s conversation history with the AI assistant. The vulnerability was closed in early June.

A critical vulnerability has been closed in a number of popular Asus home routers, including the RT-AX88U, RT-AX58U, RT-AX57 and others. The issue has a CVSS score of 9.8, close to the maximum, and allows the device’s authentication system to be bypassed. Owners of affected devices are advised to download and install the latest firmware: a patch for this vulnerability was released back in April.

Microsoft’s latest set of patches closed 49 vulnerabilities. Among them is a quite serious problem in Windows 10/11 that can lead to remote code execution due to a bug in the driver for Wi-Fi modules. The CVSS rating for this vulnerability is 8.8, but the attacker must be physically close to the victim to exploit it.

The publication 404 Media reports on the hacking of the infrastructure of Tile, a maker of location trackers. However, the hacker did not gain direct access to user data, including the coordinates of client devices.

Google closed a number of vulnerabilities in Pixel devices, including one critical zero-day issue.
