Biometric scanners offer a unique way to resolve the conflict between security and usability. They help to identify a person by their unique biological characteristics – a fairly reliable process that does not require the user to exert any extra effort. Yet, biometric scanners, as any other tech, have their weaknesses. This article touches on biometric scanner security from the red team’s perspective and uses the example of a popular hybrid terminal model to demonstrate approaches to scanner analysis. These approaches are admittedly fairly well known and applied to analysis of any type of device.
生物识别扫描仪提供了一种独特的方法来解决安全性和可用性之间的冲突。它们有助于通过其独特的生物学特征来识别一个人——这是一个相当可靠的过程,不需要用户付出任何额外的努力。然而,与任何其他技术一样,生物识别扫描仪也有其弱点。本文从红队的角度探讨了生物识别扫描仪的安全性,并使用流行的混合终端模型示例来演示扫描仪分析方法。诚然,这些方法相当广为人知,并应用于任何类型的设备的分析。
We also talk about the benefits of biometric scanners for access control systems and their role in ensuring a due standard of security given today’s realities. Furthermore, we discuss vulnerabilities in a biometric scanner from a major global vendor that we found while analyzing its level of security. The article will prove useful for both security researchers and architects.
我们还讨论了生物识别扫描仪对门禁系统的好处,以及它们在确保当今现实情况下的适当安全标准方面的作用。此外,我们还讨论了我们在分析其安全级别时发现的来自全球主要供应商的生物识别扫描仪中的漏洞。本文对安全研究人员和架构师都很有用。
We have notified the vendor about all the vulnerabilities and security issues we found. A CVE entry has been registered for each of the vulnerability types: CVE-2023-3938, CVE-2023-3939, CVE-2023-3940, CVE-2023-3941, CVE-2023-3942, CVE-2023-3943.
我们已将我们发现的所有漏洞和安全问题通知供应商。已为每种漏洞类型注册了 CVE 条目:CVE-2023-3938、CVE-2023-3939、CVE-2023-3940、CVE-2023-3941、CVE-2023-3942、CVE-2023-3943。
A brief overview of biometric terminals
生物识别终端的简要概述
In a security context, biometric terminals are used for personal identification. They rely on the analysis of unique human physical characteristics, such as fingerprints, voice, facial features, or the iris.
在安全环境中,生物识别终端用于个人身份识别。它们依赖于对独特的人体特征的分析,例如指纹、声音、面部特征或虹膜。
Importantly, though, a biometric terminal is somewhat different from a regular scanner. First, it can both acquire biometric data and validate it. Second, terminals can be connected to other scanners, such as electronic pass readers, or support other authentication methods using built-in hardware.
不过,重要的是,生物识别终端与普通扫描仪有些不同。首先,它既可以获取生物识别数据,也可以对其进行验证。其次,终端可以连接到其他扫描仪,例如电子通行证阅读器,或使用内置硬件支持其他身份验证方法。
Their main purpose is to control access to an area or site. As such, they can be used for restricting access to premises that house confidential data, such as a server room or executive office, or to control access to hazardous facilities, such as a nuclear power or chemical plant.
它们的主要目的是控制对区域或站点的访问。因此,它们可用于限制对存放机密数据的场所(例如服务器机房或行政办公室)的访问,或用于控制对危险设施(例如核电站或化工厂)的访问。
Another application is recording employees’ work hours to improve productivity and reduce the likelihood of successful fraud.
另一个应用是记录员工的工作时间,以提高生产力并减少成功欺诈的可能性。
In terms of security, biometric terminals can be said to offer the following benefits:
在安全性方面,生物识别终端可以说具有以下优势:
- Highly accurate identification: biometric data is unique to each human being, which makes it a reliable way of identity verification.
高度准确的识别:生物识别数据对每个人来说都是唯一的,这使其成为一种可靠的身份验证方式。
- Secure: biometric data is difficult to forge or copy, which increases system security.
安全:生物识别数据难以伪造或复制,这增加了系统安全性。
- User-friendly: biometric identification does not require subjects to remember passwords or carry access cards.
用户友好:生物识别不需要受试者记住密码或携带门禁卡。
- Efficiency: biometric terminals can process large amounts of data fast to reduce wait times.
效率:生物识别终端可以快速处理大量数据,减少等待时间。
These devices are not without their downsides, though.
不过,这些设备并非没有缺点。
- Cost: biometric terminals are typically more expensive than traditional access control systems.
成本:生物识别终端通常比传统的门禁系统更昂贵。
- Risk of error: although biometric data is unique, in some cases, systems have misidentified individuals who had damaged fingertips, etc.
错误风险:尽管生物识别数据是唯一的,但在某些情况下,系统会错误地识别出指尖受损的个人等。
- Privacy: some may have concerns about their biometric data being stored and used without their consent.
隐私:有些人可能担心他们的生物识别数据在未经他们同意的情况下被存储和使用。
- Technological limitations: some biometric identification methods (such as face recognition) can be less efficient under low light conditions, when the subject is wearing a mask, etc.
技术局限性:一些生物识别方法(如人脸识别)在弱光条件下、受试者戴着口罩等情况下效率可能较低。
Biometric terminals are quite an intriguing target for a pentester. Vulnerabilities in these devices, positioned at the nexus of the physical and network perimeters, pose risks that can be considered when analyzing the security of both these perimeters.
对于渗透测试仪来说,生物识别终端是一个非常有趣的目标。这些设备中的漏洞位于物理边界和网络边界的交汇处,在分析这两个边界的安全性时可以考虑这些风险。
Some of the goals that can be achieved in terms of offensive security are:
在进攻性安全方面可以实现的一些目标是:
- Authentication bypass and physical access violation
身份验证绕过和物理访问冲突
- Biometric data leak 生物识别数据泄露
- Gaining network access to a device and exploiting that to further develop the attack
获取对设备的网络访问权限并利用它来进一步发展攻击
Now that we have defined the biometric terminal, its applications, benefits and downsides, and security analysis objectives associated with it, we can move on to analyzing a specific device.
现在我们已经定义了生物识别终端、其应用、优点和缺点以及与之相关的安全分析目标,我们可以继续分析特定设备。
A brief overview of the device in question.
相关设备的简要概述。
The device under review is a hybrid biometric terminal made by ZKTeco. It may come under various names depending on the distributor. You can see its external appearance in the photograph below.
正在审查的设备是ZKTeco制造的混合生物识别终端。根据分销商的不同,它可能有不同的名称。您可以在下面的照片中看到它的外观。
External appearance of the device
设备外观
The device has several physical interfaces, supporting four authentication methods: biometric (facial recognition), password, electronic pass, and QR code.
该设备具有多个物理接口,支持四种身份验证方法:生物识别(面部识别)、密码、电子通行证和二维码。
The following physical interfaces are present:
存在以下物理接口:
- RJ45; RJ45接口;
- RS232; RS232接口;
- RS485 (unused); RS485(未使用);
- Wiegand In/Out. 韦根进/出。
A regular (non-privileged) user has few options in terms of interacting with the device: they can only tap one of the two on-screen buttons that you can see in the photograph below.
普通(非特权)用户在与设备交互方面几乎没有选择:他们只能点击您在下图中看到的两个屏幕按钮之一。
Available touchscreen buttons
可用的触摸屏按钮
Tapping a button brings up a prompt for PIN, which is the user’s unique ID in our case.
点击按钮会提示输入 PIN,在我们的例子中,这是用户的唯一 ID。
User ID input interface 用户ID输入界面
If a valid (existing) ID is entered, the screen displays available user-specific authentication options. The example shows a user with the ID 1 and two authentication methods: biometrics and password.
如果输入了有效(现有)ID,则屏幕将显示可用的用户特定身份验证选项。该示例显示具有 ID 1 和两种身份验证方法(生物识别和密码)的用户。
Authentication methods available to the user with the ID 1
ID 为 1 的用户可用的身份验证方法
That is the extent of what a non-administrator or unauthenticated user can do with the terminal.
这是非管理员或未经身份验证的用户可以使用终端执行的操作的范围。
The options available to an administrator are more interesting. With administrator privileges, we can control nearly all of the device settings. The image below shows the maximum-access menu.
管理员可用的选项更有趣。使用管理员权限,我们可以控制几乎所有的设备设置。下图显示了最大访问菜单。
Administrator’s device setup menu
管理员的设备设置菜单
The administrator menu can be used to add new users, manage their levels of access, and change the network and facial scanner settings. As you will see below, administrator access allows for achieving all of the security analysis objectives listed in the previous section. Getting that level of access requires passing authentication as an administrator.
管理员菜单可用于添加新用户、管理其访问级别以及更改网络和面部扫描仪设置。正如您将在下面看到的,管理员访问权限允许实现上一节中列出的所有安全分析目标。要获得该级别的访问权限,需要以管理员身份通过身份验证。
Black box analysis 黑匣子分析
Circuit analysis 电路分析
Our engineering analysis will begin with black box analysis, and namely, circuit analysis. The photograph below shows the circuit board with the following components that we are interested in.
我们的工程分析将从黑匣子分析开始,即电路分析。下图显示了具有我们感兴趣的以下组件的电路板.
- SOC (HI 3516 DV300);
SOC(HI 3516 DV300);
- RAM (K4B4G16E-BCMA, 4Gb);
内存(K4B4G16E-BCMA,4Gb);
- Flash memory (THGBMJG6C1LBAI, 8Gb, BGA-153);
闪存(THGBMJG6C1LBAI、8Gb、BGA-153);
- UART. UART。
Circuit board 电路板
You may notice that the circuit board has many test points. That said, we are only interested in the ones marked with the number 4, as those are the location of a universal asynchronous receiver-transmitter (UART) that we can use to communicate with the device. The flash memory, marked with the number 3, is of interest as well, as it holds the entire firmware in unencrypted form.
您可能会注意到电路板有许多测试点.也就是说,我们只对标有数字 4 的那些感兴趣,因为这些是我们可以用来与设备通信的通用异步接收器-发射器 (UART) 的位置。标有数字 3 的闪存也很有趣,因为它以未加密的形式保存整个固件。
To check that we had recognized the UART correctly, we used an oscilloscope to connect to what we had identified as the TX port through which the device sends data externally.
为了检查我们是否正确识别了 UART,我们使用示波器连接到我们确定的 TX 端口,设备通过该端口向外部发送数据。
Oscilloscope connection to UART
示波器连接到 UART
After calculating the UART data rate and setting the oscilloscope to that value, we saw that this was indeed a UART, and the device was sending a boot log through it.
在计算 UART 数据速率并将示波器设置为该值后,我们看到这确实是一个 UART,并且设备正在通过它发送引导日志。
Boot log 启动日志
Next, we connected to the UART using a PC, which helped us to view the full boot log and identify the bootloader as U-Boot.
接下来,我们使用 PC 连接到 UART,这有助于我们查看完整的启动日志并将引导加载程序识别为 U-Boot。
UART connection from a PC
从 PC 连接 UART
The bootloader configuration prevents any attempts at interrupting startup (bootdelay = -2) or interacting with it in any other way. However, having waited some time after the device booted up, we found that the UART switched to a different baud (bits per second) rate of 115,200 from 57,600 as the device began to send uniform packets, which suggested the use of an unknown protocol.
引导加载程序配置可防止任何中断启动 (bootdelay = -2) 或以任何其他方式与之交互的尝试。然而,在设备启动后等待了一段时间后,我们发现当设备开始发送统一数据包时,UART 从 57,600 切换到不同的波特率(每秒比特数)115,200,这表明使用了未知协议。
The unknown protocol as used by the UART
UART使用的未知协议
Every packet began with a 0x53 0x53 byte, and the fifth byte was always identical to the final one. An online search for these two brought up nothing. Sending similarly formatted packets to the device yielded nothing, either.
每个数据包都以 0x53 0x53 字节开头,第五个字节始终与最后一个字节相同。在网上搜索这两个人一无所获。向设备发送类似格式的数据包也没有任何结果。
Network analysis 网络分析
Another type of black box analysis is scanning network ports. We can use Nmap, a publicly available network scanner utility, to see which ports are open, and try to identify the services running on these and their versions. The screenshot below shows the TCP ports open on the biometric terminal.
另一种类型的黑匣子分析是扫描网络端口。我们可以使用 Nmap(一个公开可用的网络扫描程序实用程序)来查看哪些端口是打开的,并尝试识别在这些端口上运行的服务及其版本。下面的屏幕截图显示了在生物识别终端上打开的 TCP 端口。
Open ports 开放端口
You may notice that the device supports SSH on a non-standard port. In theory, we could connect to that if we get hold of the right credentials. We could potentially extract those from the firmware by using a dictionary attack or brute-forcing the password hash.
您可能会注意到设备在非标准端口上支持 SSH。从理论上讲,如果我们掌握了正确的凭据,我们可以连接到它。我们可能会通过使用字典攻击或暴力破解密码哈希从固件中提取这些内容。
Besides, there were two services that could not be identified automatically. The service running on port 6668/TCP was Tuya Server, but we could not find out its purpose. The service running on port 4370/TCP was more interesting as it used the vendor’s proprietary protocol supported by many of its devices. After searching the web for the protocol, we found that there was documentation available, making our analysis much easier.
此外,还有两项服务无法自动识别。在 6668/TCP 端口上运行的服务是涂鸦服务器,但我们无法找到它的用途。在端口 4370/TCP 上运行的服务更有趣,因为它使用了许多设备支持的供应商专有协议。在网络上搜索协议后,我们发现有可用的文档,使我们的分析变得更加容易。
Searching for the protocol on port 4370/TCP
在端口 4370/TCP 上搜索协议
Camera and QR code scanner analysis
摄像头和二维码扫描仪分析
Our overview of the device mentions that it supports QR code authentication. We decided to see what happened if a code we presented to the device contained invalid data that could disrupt the processing logic. We were able to achieve a result by making the device scan a QR code that contained malicious SQL code.
我们对该设备的概述提到它支持二维码身份验证。我们决定看看如果我们提供给设备的代码包含可能破坏处理逻辑的无效数据,会发生什么。我们能够通过使设备扫描包含恶意 SQL 代码的二维码来获得结果。
A basic SQL injection resulted in the device recognizing us as a valid user.
基本的 SQL 注入导致设备将我们识别为有效用户。
Gaining access with the help of an SQL injection
借助 SQL 注入获得访问权限
We further noticed that making the device scan a QR code containing 1 KB of data or more caused it to go into an emergency reboot, which suggested that some of its components had experienced overflow. More on this in the reverse engineering and firmware analysis section.
我们进一步注意到,让设备扫描包含 1 KB 或更多数据的二维码会导致其进入紧急重启状态,这表明它的某些组件已经出现溢出。有关此内容的更多信息,请参阅逆向工程和固件分析部分。
Getting and unpacking the firmware
获取和解压缩固件
The vendor’s website will not let just anyone download the latest version of the firmware. You can download a PDF file containing the update algorithm, but it is protected with a password that we could not find on any public websites.
供应商的网站不会让任何人下载最新版本的固件。您可以下载包含更新算法的 PDF 文件,但它受我们在任何公共网站上都找不到的密码保护。
Therefore, we had two options for obtaining the firmware: removing the flash memory and dumping it with a programmer, or trying to find a copy on the web.
因此,我们有两种获取固件的选择:移除闪存并将其转储给程序员,或者尝试在网络上查找副本。
Searching the web for the firmware
在网络上搜索固件
To start searching for the firmware, we needed to find out its name and rough version. We were analyzing an unused device fresh out of the box, so we had administrator access to it. Therefore, we could view the device details and find the current firmware version.
要开始搜索固件,我们需要找出它的名称和粗略版本。我们正在分析一个开箱即用的未使用的设备,因此我们具有管理员访问权限。因此,我们可以查看设备详细信息并找到当前的固件版本。
Firmware details as seen in the setup menu
设置菜单中的固件详细信息
The version we had was ZAM170-NF-1.8.25-7354-Ver1.0.0. We used that string and parts of it for our web search.
我们的版本是 ZAM170-NF-1.8.25-7354-Ver1.0.0。我们将该字符串及其部分用于网络搜索。
After running some sophisticated Google search queries, we found a few devices on international distributors’ websites that looked a lot like our terminal.
在运行了一些复杂的谷歌搜索查询后,我们在国际分销商的网站上发现了一些看起来很像我们的终端的设备。
A similar device on an international distributor’s website
国际分销商网站上的类似设备
We also found the firmware, albeit it was an earlier version.
我们还找到了固件,尽管它是早期版本。
Same-series firmware 同系列固件
The firmware was just enough for us to figure out how the update worked. Having downloaded and analyzed the firmware, we found that the update itself was part of a text file to be transformed by specialized software.
固件足以让我们弄清楚更新是如何工作的。下载并分析固件后,我们发现更新本身是要由专用软件转换的文本文件的一部分。
Update text file 更新文本文件
The transformation process was not too sophisticated, with the hexadecimal text records contained in the “DataX” variables converted to the byte format to produce firmware.
转换过程不太复杂,“DataX”变量中包含的十六进制文本记录转换为字节格式以生成固件。
Update binary 更新二进制文件
A quick analysis of the file found that it was encrypted. This led us to examine other files in the archive.
对文件的快速分析发现它已加密。这导致我们检查了存档中的其他文件。
A closer inspection revealed that the device supported partial firmware updates that affected only certain libraries and executables. We found a smaller update package like that inside a directory shipped with the firmware archive that we had downloaded from the distributor website.
仔细检查后发现,该设备支持仅影响某些库和可执行文件的部分固件更新。我们在从分销商网站下载的固件存档附带的目录中发现了一个较小的更新包。
Partial update archive 部分更新存档
Partial update files 部分更新文件
Through a quick analysis of the “standalonecomm” executable, we found that the file handled requests received on port 4370/TCP. The executable also had firmware update functionality. The handler invoked a “zkfp_ExtractPackage” file extractor function that was external to the executable.
通过对“standalonecomm”可执行文件的快速分析,我们发现该文件处理了在端口 4370/TCP 上收到的请求。可执行文件还具有固件更新功能。处理程序调用可执行文件外部的“zkfp_ExtractPackage”文件提取器函数。
Update file extract code 更新文件提取代码
External update image extract function
外部更新镜像提取功能
We failed to find the function in any of the other update files, so we resorted to searching the web. This took us to a repository that had the function in its header file.
我们未能在任何其他更新文件中找到该功能,因此我们求助于搜索网络。这将我们带到了一个在其头文件中包含该函数的存储库。
Searching for the extract function
搜索提取函数
The extract function inside the header file
头文件中的提取函数
We found a library with the function implemented inside the same repository.
我们找到了一个库,该函数在同一个存储库中实现。
The library with the extract function inside the repository
存储库中具有提取功能的库
Searching for the extract function inside the library
在库中搜索提取函数
After analyzing the extract function, we found that it was also used for decrypting the firmware. The screenshot below shows the decrypt code.
在分析了提取功能后,我们发现它也用于解密固件。下面的屏幕截图显示了解密代码。
Update file decrypt code 更新文件解密代码
The encryption used XOR with a key consisting of the last 16 bytes of the update file and the file size. It appeared that now we had all the data we needed to generate a key and decrypt the firmware.
加密使用异或密钥,密钥由更新文件的最后 16 个字节和文件大小组成。现在看来,我们拥有生成密钥和解密固件所需的所有数据。
Once decrypted, the file turned out to contain an update only for some of the executables, libraries and configuration files.
解密后,该文件仅包含某些可执行文件、库和配置文件的更新。
Decrypted update archive 解密的更新存档
This was not too much of an issue, as the executable that handled incoming data on port 4370/TCP – the one we were looking for – was among the contents of the downloaded archive. We still wanted the full firmware, so we tried the other option: reading the flash memory.
这并不是什么大问题,因为在端口 4370/TCP 上处理传入数据的可执行文件(我们正在寻找的可执行文件)是下载存档的内容之一。我们仍然想要完整的固件,所以我们尝试了另一种选择:读取闪存。
Getting the firmware from the flash memory
从闪存中获取固件
As mentioned at the beginning of this section, one could pull a copy of the firmware from the flash memory located on the circuit board.
如本节开头所述,可以从电路板上的闪存中提取固件的副本。
The flash memory on the circuit board
电路板上的闪存
The memory was an eMMC inside a BGA-153 package that was easy to find a programmer clip for, online. Reading the flash memory gave us a file that contained various sections as shown below.
内存是 BGA-153 封装内的 eMMC,很容易在网上找到编程器剪辑。读取闪存为我们提供了一个包含各个部分的文件,如下所示。
Flash memory structure 闪存结构
The section names were generally self-explanatory, but we still ran binwalk, a publicly available utility for data container analysis, to make sure they were correct. The binwalk output is shown below.
这些部分的名称通常是不言自明的,但我们仍然运行了 binwalk,一个用于数据容器分析的公开实用程序,以确保它们是正确的。binwalk 输出如下所示。
The binwalk output for the flash memory dump
闪存转储的 binwalk 输出
Besides all the executables and a Linux kernel, the flash memory contained the credentials of the system’s only two users.
除了所有可执行文件和Linux内核外,闪存还包含系统仅有的两个用户的凭据。
The contents of /etc/shadow
/etc/shadow 的内容
Assuming the users accessed the device via SSH, we tried brute-forcing the hashes to get their passwords. We successfully obtained the password for the user “zkteco” who indeed had SSH access to the terminal.
假设用户通过 SSH 访问设备,我们尝试暴力破解哈希以获取他们的密码。我们成功获取了用户“zkteco”的密码,该用户确实可以SSH访问终端。
Logging in with credentials via SSH
通过 SSH 使用凭据登录
Unfortunately, this user did not have the highest privileges, but we still got access to a number of sensitive system files and a list of running services.
不幸的是,该用户没有最高权限,但我们仍然可以访问许多敏感的系统文件和正在运行的服务列表。
Executables running on the device
设备上运行的可执行文件
The main service is named “main”. It controls everything that is displayed on the screen and talks to other necessary services through a service named “hub”. The latter is a message broker of sorts that provides a convenient interface for services to communicate. A further service of interest is “pushcomm”: an HTTP client that sends requests to a server specified in the device configuration. In other words, the client can be used to attack the device if the attacker can make the device talk to a web server that they control. Read on to find out about attacks that can be implemented by using this method. Also, note that all the services are running with the highest privileges, which makes hijacking the device much easier as any vulnerability that allows code or command execution gives the attacker the highest privileges.
主服务名为“main”。它控制屏幕上显示的所有内容,并通过名为“hub”的服务与其他必要的服务进行通信。后者是一种消息代理,为服务通信提供了方便的接口。另一个值得关注的服务是“pushcomm”:一个 HTTP 客户端,用于将请求发送到设备配置中指定的服务器。换句话说,如果攻击者可以使设备与他们控制的 Web 服务器通信,则客户端可用于攻击设备。请继续阅读,了解可以使用此方法实施的攻击。此外,请注意,所有服务都以最高权限运行,这使得劫持设备变得更加容易,因为任何允许代码或命令执行的漏洞都会为攻击者提供最高权限。
Analyzing the protocol on port 4370/TCP
分析端口 4370/TCP 上的协议
We chose the standalonecomm service as the main object for our analysis as it implements the vendor’s proprietary protocol on port 4370/TCP and contains commands of interest to an attacker that may be implemented improperly.
我们选择独立通信服务作为分析的主要对象,因为它在端口 4370/TCP 上实现供应商的专有协议,并包含攻击者感兴趣的命令,这些命令可能未正确实现。
As mentioned at the beginning of this article, protocol documentation is available from a GitHub repository, which significantly simplifies analysis as one can apply the knowledge to disassembled code to find the handler of the command one is interested in.
如本文开头所述,GitHub 存储库中提供了协议文档,这大大简化了分析,因为可以将知识应用于反汇编代码以找到感兴趣的命令的处理程序。
The protocol structure is fairly simple and typical. A packet consists of a header and a payload. The payload is also divided into a header and data, with the latter largely determined by the command. In some cases, it is a four-byte number, and in others, a string or dataset. A detailed description of the protocol design can be found in the publicly available document repository.
协议结构相当简单和典型。数据包由标头和有效负载组成。有效负载也分为标头和数据,后者主要由命令决定。在某些情况下,它是一个四字节的数字,而在其他情况下,它是一个字符串或数据集。协议设计的详细说明可以在公开的文档存储库中找到。
Protocol authentication and its issues
协议认证及其问题
The protocol’s interesting features include user authentication, which requires knowing the password set on the device. On our device, the password is called “COMKey” and set by the administrator. The password is set to 0 by default, that is, there is no password, and all requests can be run without any authentication.
该协议的有趣功能包括用户身份验证,这需要知道设备上设置的密码。在我们的设备上,密码称为“COMKey”,由管理员设置。密码默认设置为0,即没有密码,所有请求都可以运行,无需任何身份验证。
Besides, COMKey can be an integer from 0 to 999999, so there is a limited number of possible passwords that can be brute-forced over the network. We came across the restriction while analyzing the code that sets the password.
此外,COMKey 可以是 0 到 999999 的整数,因此可以通过网络暴力破解的密码数量有限。我们在分析设置密码的代码时遇到了限制。
COMKey set code COMKey 设置代码
The method used for generating a so-called “MAC” (Message Authentication Code) for protocol authentication is not secure enough either. The generation process relies on reversible operations, so if we can monitor traffic on the network, we can recover the password once the client is authenticated successfully. The generation code is shown in the screenshot below.
用于生成所谓的“MAC”(消息身份验证代码)以进行协议身份验证的方法也不够安全。生成过程依赖于可逆操作,因此,如果我们可以监控网络上的流量,则可以在客户端成功通过身份验证后恢复密码。生成代码显示在下面的屏幕截图中。
MAC generation code MAC生成代码
The SessionId variable is a two-byte value generated by the server and sent to the client, so it can calculate a MAC from the COMKey and return the resulting value to the server.
SessionId 变量是由服务器生成并发送到客户端的双字节值,因此它可以从 COMKey 计算 MAC 并将结果值返回给服务器。
Another password-related security risk is that the COMKey is stored unencrypted in the device database, so an arbitrary file read vulnerability would let us find it out and authenticate over the protocol. Another possible scenario is logging in via SSH and reading the database to obtain the protocol password without a network brute-force attack.
另一个与密码相关的安全风险是 COMKey 以未加密的方式存储在设备数据库中,因此任意文件读取漏洞会让我们发现它并通过协议进行身份验证。另一种可能的情况是通过 SSH 登录并读取数据库以获取协议密码,而无需网络暴力攻击。
The diagram below illustrates the protocol authentication mechanism.
下图说明了协议身份验证机制。
Protocol authentication mechanism
协议认证机制
The client sends a connect command (CMD_CONNECT), and the server returns two bytes that represent a SessionId and are combined with the COMKey to generate a MAC. The client sends the MAC with a CMD_AUTH command, and the server validates that. If the MAC is found to be valid, the server responds with CMD_ACK_OK, and the client is now free to use all available server commands within the current TCP session.
客户端发送连接命令 (CMD_CONNECT),服务器返回两个字节,这两个字节表示 SessionId,并与 COMKey 组合以生成 MAC。客户端使用 CMD_AUTH 命令发送 MAC,服务器对此进行验证。如果发现 MAC 有效,则服务器会以CMD_ACK_OK响应,并且客户端现在可以自由使用当前 TCP 会话中所有可用的服务器命令。
Vulnerability analysis of command handlers
命令处理程序漏洞分析
All commands that become available as a result of successful authentication are handled by one large function with a command ID switcher inside. Below is what its graphic representation looks like.
由于身份验证成功而可用的所有命令都由一个大型函数处理,其中包含一个命令 ID 切换器。下面是它的图形表示形式。
A graphic representation of the command handler
命令处理程序的图形表示形式
Analyzing the function does not involve any great complexity: this is only a matter of time and attention.
分析函数并不涉及任何非常复杂的问题:这只是时间和注意力的问题。
We immediately singled out commands whose names contained the words “DOWNLOAD”, “UPLOAD”, “DELETE” or “UPDATE” as relevant analysis objects.
我们立即挑选出名称中包含“DOWNLOAD”、“UPLOAD”、“DELETE”或“UPDATE”字样的命令作为相关的分析对象。
For example, CMD_DOWNLOAD_PICTURE downloads a user image. It accepts a file name as an argument, which it does not validate in any way before inserting in the file open function. This allows passing, say, directory traversal characters as a file name to fetch an arbitrary system file. The handler code is shown in the screenshot below.
例如,CMD_DOWNLOAD_PICTURE下载用户映像。它接受文件名作为参数,在插入文件打开函数之前,它不会以任何方式验证该参数。这允许将目录遍历字符作为文件名传递,以获取任意系统文件。处理程序代码显示在下面的屏幕截图中。
Image download handler 图像下载处理程序
The command can be used to obtain /etc/shadow, as standalonecomm is running with the highest privileges.
该命令可用于获取 /etc/shadow,因为 standalonecomm 以最高权限运行。
We detected several file read vulnerabilities after finding further commands that passed file names without any filtering. We also found a function that allowed uploading files to arbitrary paths. Given the privileges granted to the service, the function can be leveraged to gain unlimited access to the device.
在发现其他命令在没有任何筛选的情况下传递文件名后,我们检测到多个文件读取漏洞。我们还发现了一个允许将文件上传到任意路径的功能。鉴于授予该服务的权限,可以利用该功能来获得对设备的无限制访问。
An analysis of CMD_DELETE_PICTURE revealed the possibility of embedding shell commands due to the name of the image to be deleted being inserted directly into the command, which was then passed to the “system” function.
对CMD_DELETE_PICTURE的分析揭示了嵌入 shell 命令的可能性,因为要删除的图像的名称直接插入到命令中,然后传递给“系统”功能。
Image delete handler 图像删除处理程序
We wrote PoC scripts to confirm that the vulnerability can be exploited. See below for script output.
我们编写了 PoC 脚本来确认该漏洞可被利用。有关脚本输出,请参阅下文。
PoC script output PoC脚本输出
We also found several buffer overflow vulnerabilities associated with the use of insecure strcpy/sprintf functions and a lack of copied buffer size validation in the “memcpy” function. We will use the example of the CMD_CHECKUDISKUPDATEPACKPAGE handler to examine the issue.
我们还发现了几个与使用不安全的 strcpy/sprintf 函数相关的缓冲区溢出漏洞,以及“memcpy”函数中缺少复制的缓冲区大小验证。我们将使用 CMD_CHECKUDISKUPDATEPACKPAGE 处理程序的示例来检查该问题。
CMD_CHECKUDISKUPDATEPACKPAGE handler
CMD_CHECKUDISKUPDATEPACKPAGE处理程序
The vulnerability stems from the fact that when copying data from a user network packet, the handler uses the packet size specified by the user. The destination buffer is located in the stack and has a size of 1028 bytes. The user specifying a greater data size in the packet results in a buffer overrun. The executable has no stack overflow protection. Malicious actors can exploit the vulnerability to invoke a ROP chain and execute arbitrary code that opens remote access to the device.
该漏洞源于以下事实:从用户网络数据包复制数据时,处理程序使用用户指定的数据包大小。目标缓冲区位于堆栈中,大小为 1028 字节。用户在数据包中指定更大的数据大小会导致缓冲区溢出。可执行文件没有堆栈溢出保护。恶意行为者可利用此漏洞调用 ROP 链并执行任意代码,从而打开对设备的远程访问。
Finally, we discovered SQL injection vulnerabilities virtually everywhere a string value passed by the user inside a network packet was directly inserted into a database query.
最后,我们发现几乎在网络数据包中用户传递的字符串值直接插入到数据库查询中的所有地方都存在 SQL 注入漏洞。
pushcomm analysis Pushcomm 分析
As mentioned above, the pushcomm service sends requests to a server specified in the device configuration. To set up the server address, the administrator goes to the “COMM” menu and opens “Cloud Server Setting”. The administrator defines an IP address to connect to and a port, also enabling other options as required. The screenshots below show the configuration menu.
如上所述,pushcomm 服务向设备配置中指定的服务器发送请求。要设置服务器地址,管理员进入“COMM”菜单并打开“云服务器设置”。管理员定义要连接到的 IP 地址和端口,并根据需要启用其他选项。下面的屏幕截图显示了配置菜单。
COMM menu COMM 菜单
Cloud Server Setting menu
云服务器设置菜单
An analysis of the executable showed that it was prone to the same issues as standalonecomm. However, exploiting the flaws requires spinning up a web server and making the device talk to it. There is more than one way to do this: by changing settings in the database or the admin menu, or via ARP spoofing.
对可执行文件的分析表明,它容易出现与 standalonecomm 相同的问题。但是,利用这些缺陷需要启动Web服务器并使设备与之通信。有多种方法可以做到这一点:通过更改数据库或管理菜单中的设置,或者通过 ARP 欺骗。
Note that one of the pushcomm commands is named “SHELL”, and it runs any commands on the device.
请注意,其中一个 pushcomm 命令名为“SHELL”,它会在设备上运行任何命令。
SHELL handler SHELL 处理程序
All it takes to execute the command is spinning up a web server and implementing the following handler.
执行该命令所需的只是启动 Web 服务器并实现以下处理程序。
Example of a handler to invoke SHELL
调用 SHELL 的处理程序示例
Overall, there is considerable overlap between pushcomm and standalonecomm code, especially in terms of database queries.
总体而言,pushcomm 和 standalonecomm 代码之间存在相当大的重叠,尤其是在数据库查询方面。
QR code handler analysis
QR码处理程序分析
At the beginning of the article, we mentioned that the device authenticated us as a different user when we made it scan a QR code with SQL injection. However, as we analyzed the code, we found that the size of data that a QR code could contain was limited to 20 bytes. This prevents complex UNION and SELECT injections that can be used to obtain arbitrary data from various fields in the database. The database query that was generated when the device scanned our malicious QR code (code with SQL injection in our case) is shown in the screenshot below.
在文章的开头,我们提到,当我们让它使用 SQL 注入扫描二维码时,设备将我们认证为不同的用户。但是,当我们分析代码时,我们发现 QR 码可以包含的数据大小限制为 20 字节。这可以防止复杂的 UNION 和 SELECT 注入,这些注入可用于从数据库中的各个字段获取任意数据。当设备扫描我们的恶意二维码(在我们的例子中带有SQL注入的代码)时生成的数据库查询显示在下面的屏幕截图中。
Database query when using the QR code
使用二维码时的数据库查询
We also found that we could cause the device reboot by making it scan a QR code that contained a lot of data. Looking at the code, we saw this was due to a piece of code that was waiting on camera data being unable to receive it within a predefined period of two seconds and sending a “reboot” command in response to what it perceived as a malfunction.
我们还发现,我们可以通过让设备扫描包含大量数据的二维码来导致设备重启。查看代码,我们发现这是由于一段等待相机数据的代码无法在预定义的两秒内接收到它,并发送“重新启动”命令以响应它认为的故障。
Camera data wait code 相机数据等待代码
Conclusion 结论
Biometric devices designed to improve physical security can both offer convenient, useful features and introduce new risks for your IT system. When advanced technology like biometrics is enclosed in a poorly secured device, this all but cancels out the benefits of biometric authentication. Thus, an insufficiently configured terminal becomes vulnerable to simple attacks, making it easy for an intruder to violate the physical security of the organization’s critical areas.
旨在提高物理安全性的生物识别设备既可以提供方便、有用的功能,又会给您的 IT 系统带来新的风险。当生物识别等先进技术被封装在安全性较差的设备中时,这几乎抵消了生物识别身份验证的好处。因此,配置不足的终端容易受到简单攻击,使入侵者很容易破坏组织关键区域的物理安全。
Our analysis of the ZKTeco biometric terminal yielded a total of 24 vulnerabilities. Many of those were similar, stemming from an error in the database wrapper library. We generalized these as “multiple vulnerabilities” and stated the type and cause, arriving at a smaller number of CVEs.
我们对 ZKTeco 生物识别终端的分析总共产生了 24 个漏洞。其中许多是相似的,源于数据库包装器库中的错误。我们将这些漏洞概括为“多个漏洞”,并说明了类型和原因,得出了较少数量的 CVE。
In terms of the cold statistics, the results are as follows:
在冷统计方面,结果如下:
- 6 SQL injection vulnerabilities;
6.SQL注入漏洞;
- 7 buffer stack overflow vulnerabilities;
7.缓冲区堆栈溢出漏洞;
- 5 command injection vulnerabilities;
5.命令注入漏洞;
- 4 arbitrary file write vulnerabilities;
4.任意文件写入漏洞;
- 2 arbitrary file read vulnerabilities.
2 个任意文件读取漏洞。
