QR Code SQL Injection and Other Vulnerabilities Affect Popular Biometric Terminal

By Lore Apostol / June 11, 2024

SecureList researchers analyzed a hybrid biometric terminal made by ZkTeco, found 24 vulnerabilities, and notified the vendor about all of the discovered vulnerabilities and security issues. A CVE entry has been registered for each of the vulnerability types: CVE-2023-3938, CVE-2023-3939, CVE-2023-3940, CVE-2023-3941, CVE-2023-3942, and CVE-2023-3943.

Vulnerabilities in these devices pose risks to the security of physical and network perimeters, permitting authentication bypass, physical access violation, biometric data leaks, and network access to a device. The researchers identified 6 SQL injection, 7 stack buffer overflow, 5 command injection, 4 arbitrary file write, and 2 arbitrary file read vulnerabilities.

The ZkTeco hybrid biometric terminal supports four authentication methods: biometric (facial recognition), password, electronic pass, and QR code, and it is equipped with physical interfaces RJ45, RS232, RS485 (unused), and Wiegand In/Out. 

Non-privileged users can interact with the device only by authentication via biometrics or password, while administrator privileges provide access to nearly all of the device settings, including the ability to add new users, manage their levels of access, and change the network and facial scanner settings.

While scanning network ports, the researchers saw that the biometric terminal supports SSH on a non-standard port, which a would-be attacker could, in theory, connect to with correct credentials. These could be extracted from the firmware by using a dictionary attack or brute-forcing the password hash.

The research also showed that when the device scanned a QR code containing malicious SQL code, a basic SQL injection resulted in the device recognizing the researchers as a valid user.
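The difference between a QR lookup that is open to this kind of injection and one that is not, shown as an added example (not code from the article, SecureList, or the terminal's firmware). The table layout, the 8-hex-character token format, and the function names are assumptions made for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: a hypothetical user table, not the terminal's schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, qr_token TEXT)")
    db.executemany("INSERT INTO users (name, qr_token) VALUES (?, ?)",
                   [("alice", "7f3a9c21"), ("bob", "c04d11ee")])
    return db

def lookup_vulnerable(db, qr_payload):
    # Weak form: the decoded QR text is concatenated into the statement,
    # so quote characters in the payload become part of the SQL itself.
    sql = "SELECT name FROM users WHERE qr_token = '" + qr_payload + "'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

TOKEN_RE = re.compile(r"[0-9a-f]{8}")  # assumed token format for this example

def lookup_hardened(db, qr_payload):
    # 1) Reject anything not shaped like a token before it reaches the database.
    if not TOKEN_RE.fullmatch(qr_payload):
        return None
    # 2) Bind the value as a parameter so it is always treated as data.
    row = db.execute("SELECT name FROM users WHERE qr_token = ?",
                     (qr_payload,)).fetchone()
    return row[0] if row else None

def demo():
    db = make_db()
    crafted = "' OR '1'='1"  # constructed textbook payload, not taken from the research
    return {
        "valid_vulnerable": lookup_vulnerable(db, "c04d11ee"),
        "valid_hardened": lookup_hardened(db, "c04d11ee"),
        "crafted_vulnerable": lookup_vulnerable(db, crafted),
        "crafted_hardened": lookup_hardened(db, crafted),
    }

if __name__ == "__main__":
    for case, user in demo().items():
        print(case, "->", user)
```

The crafted payload matches a user row only in the concatenating version; the hardened version returns no user for it while still accepting the legitimate token.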

The password for a user with SSH access to the terminal was obtained via brute-forcing the hashes. Although this user did not have the highest privileges, it had access to several sensitive system files and a list of running services.

Analysis of command handlers revealed several file-read vulnerabilities, as well as a function that allowed uploading files to arbitrary paths, which can be leveraged to gain unlimited access to the device. 

SQL Injection
Image Source: SecureList

Not even the method used for generating a so-called “MAC” (Message Authentication Code) for protocol authentication is secure enough, relying on reversible operations. 

Besides, the documentation for the ‘standalonecomm’ service, which runs with the highest privileges and implements the vendor’s proprietary protocol on port 4370/TCP, can be found via a GitHub repository and contains commands of interest to an attacker that may be implemented improperly. Any vulnerability that allows code or command execution gives the attacker full privileges.

Biometric scanners are used for identification via people’s unique biological characteristics, such as fingerprints, voice, facial features, or the iris, for controlling access to a building or recording employees’ work hours.

A biometric terminal is somewhat different from a regular scanner. It can acquire and validate biometric data. Besides, it can connect to other scanners, like electronic pass readers, or support other authentication methods via built-in hardware.
