How Misconfigured and Vulnerable Devices Could Expose Your Company to Physical and Cyber Threats
Recently, we were given the mission to conduct an internal and wireless security assessment for one of our clients. Following the discovery of vulnerabilities in their network security and the acquisition of access to their wireless infrastructure, we were able to carry out remote network scanning of their internal systems. After enumerating their running services and probing for open web services, one of the interesting web applications that caught our attention was “Web Server 3.0 by ZKSoftware” as it appeared vulnerable at first sight.
We observed that this was a biometric device which stores a list of users and their credentials to prove employees’ attendance. PINs, card readers, or fingerprints were used as credentials which could all be managed from the web interface. The same biometric device could be used to open doors, but it was not being used for this purpose yet by our client. Hypothetically, an attacker could have gained physical access to their building by adding their own card to their system, and using their badge or card to open the building's door.
This biometric’s web interface not only had default credentials, but also allowed us to create a new user or alter an existing one and perform actions on their behalf after logging in with default credentials. The team also identified a serious weakness in its access control, which allowed unauthenticated users to obtain unauthorized access to system backup files holding sensitive information including hard-coded credentials for the root account.
The following blog post intends to shed light on the significance of these results, emphasizing the potential impact of such security flaws. Through this research, we will emphasize the necessity of strong security procedures and the critical need for enterprises not to use misconfigured and vulnerable devices for critical-business purposes.
After discovering the web interface and understanding that it was related to the biometric device, we started testing for default credentials, after a few tries, we managed to log in with the username administrator and the password 123456.
As previously stated, this was a biometric device, which stored a list of users and their credentials to prove employees’ attendance but it could also be used to grant access to the building (which was not used for this purpose yet). Keep in mind that PINs, card readers, or fingerprints could be used as credentials and were managed from the web interface.
At this point we were able to add a new user with a particular Card ID, after which we could use our physical attacking device (FlipperZero) that could imitate an RFID card to get beyond the authentication mechanism that was located at the entrance door of the object.
This web application featured an additional function that allowed us to download the device backup files. Despite the fact that these files were tar archives, the “.dat” file extension was used to save them.
From the left menu, we clicked on “Backup” then selected the “Backup System Data” and clicked on “Save” button. A “device_randomnumber.dat” file was downloaded to our machine.
In the background, this action sends a POST request to http://target_ip/form/DataApp with a style=1 parameter as the body request.
The most concerning aspect was that we could exploit this flaw without authentication by converting the request from POST to GET by directly providing the style parameter in the URL, such as one of the links below:
The web server returns the file “device.dat” (corresponding to the option “Backup System Data” in the web interface) when the parameter “style” has the value “1,” and returns the file “data.dat” (corresponding to the option “Backup User Data” in the web interface) when the parameter has any other value.
In order for us to correctly extract this file, we had to modify the extension from “.dat” to “.tgz”, then use the following command to extract items.
- $> tar xvzf data.tgz
Following an analysis of the extracted directories, we identified a file named “options.cfg” that included hardcoded credentials.
After that, we were able to log into the device by using a set of cleartext credentials that was retrieved from the “options.cfg” file to log into the device by using the telnet application (which is accessible in major operating systems) and from there perform any action on the device since we had root privileges.
As an example, we were able to obtain the most recent picture of the check-in process, which was taken at the entrance door. This could be accomplished by starting a web server on our local machine and then using the native curl utility which was present on the biometric device, to transfer the file to our web server.
The findings of this security research highlight the critical necessity for companies to invest in comprehensive security measures. The ability to create unauthorized user accounts and use default credentials poses a serious danger, potentially leading to unauthorized access and exploitation of sensitive information. Furthermore, the lack of effective access control contributes to these vulnerabilities by allowing unauthenticated users to swiftly gain access to critical system backup files. Such oversights can have far-reaching effects, resulting in data breaches, compromised user accounts, and significant damage to reputation.
Organizations must take a proactive approach to security to mitigate these dangers. This includes doing frequent vulnerability assessments and penetration testing assessments, ensuring strong authentication methods, implementing strong access controls, and having a patching program in place to help resolving found vulnerabilities as soon as possible. Organizations may protect their systems and sensitive data by prioritizing security measures and being aware against potential threats.
Finally, this blog article serves as a reminder that security should be a continual and fundamental component of the development process for any type of application, including web application used by any type of device. It is recommended to follow the below guidelines in order to limit the risk of such attack vectors.
- The first and most important step is to change the default login credentials for all devices, including routers, modems, and other network devices. This will prevent an attacker from easily guessing the default login information and gaining unauthorized access to the device.
- Implement strong password policies that require users to create complex and unique passwords. This will make it more difficult for an attacker to crack the login credentials.
- Keep all software and firmware up-to-date. This will ensure that any known vulnerabilities have been patched and that the device is protected against the latest threats.
- Regularly monitor and audit devices for any suspicious or unauthorized access attempts. This will help to detect any breaches early and take appropriate action to remediate the issue.
- Use security tools such as vulnerability scanners and intrusion detection systems to regularly check for vulnerabilities and monitor for suspicious activity.
