During one of my Red Team engagements, I got a chance to pentest a biometric attendance device that the client used to mark attendance and to restrict access to specific rooms.
I did not pop any zero-days here; in fact, the device was so poorly configured that it allowed me to get root access on it.
Here’s a snapshot of the device I was testing.
Starting the assessment, I found that the device was connected to the network, and I was able to get its IP address from the device’s network settings.
I port-scanned the device’s IP and found Telnet and a web server running on the remote host.
The only attack surface was to compromise either the Telnet service or the web server running on the target. I could not fingerprint the Telnet version, and trying default credentials against the Telnet service did not work either. I then moved on to the web server.
The target was running ZK Web Server 3.0 on port 80.
The user manual turned out to be a great guide for me to better understand the working of ZK Web Server 3.0.
I soon found that the web server was full of vulnerabilities, such as access control issues, session fixation and susceptibility to brute-force attacks, to name a few.
Nevertheless, I was able to get access to the admin panel using the default credentials: administrator:123456.
I then navigated to the Backup device data section, which allowed me to download System and User Data.
Here comes the worst part:
The backup data can be accessed by navigating directly to its URL without authentication, due to improper access control.
Backup System Data downloads a .dat file. The .dat file contains a ZKConfig.cfg file in which the Telnet credentials are hardcoded. :D
I was able to log into telnet as root using the obtained credentials.
I found that the firmware was already extracted on the target file system.
I mounted the entire file system on my local machine and analyzed all the files. The file system contained the source code of the web server, which could then be analyzed to look for further vulnerabilities in the web service.
The file system also contained all the user data. The following images are of the people who used the device’s biometric reader to access the restricted room.
The file system also contained an SQLite database with user info, including their credentials as well as fingerprint and other biometric data.
It was possible to modify or add an entry in the SQLite database to authenticate and access the restricted area.
I used Firmwalker to extract any further sensitive or useful material I could retrieve from the file system.
It was also found that the IoT device backs up all its data to a cloud server using an API. Hence, the IoT device could further be used to pivot to and access the cloud host where all the data is backed up.
Going further wasn’t within my scope boundary, and the objective of the assessment was accomplished.
IoT devices are often misconfigured by vendors and may open doors for anyone to access sensitive data. In this case, the IoT device not only leaked all the user info but also gave anyone the opportunity to access or bypass the access control mechanism.