ZKTeco ZKBioSecurity Hardcoded Credentials Remote SYSTEM Code Execution Vulnerability
Vulnerability
A vulnerability exists in ZKTeco ZKBioSecurity version 3.0.1.0_R_230 due to hardcoded credentials in the included Apache Tomcat server. This flaw allows unauthenticated attackers to access the Tomcat manager application. Exploitation involves using the hardcoded username 'zkteco' and password 'zkt123', found in the tomcat-users.xml file, to authenticate and upload malicious WAR files containing JSP applications. Once uploaded, these applications can execute arbitrary code with SYSTEM privileges.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the system with elevated privileges, potentially leading to a complete compromise of the affected machine.
Reproduction
To reproduce this vulnerability, log into the Tomcat manager application using the hardcoded credentials 'zkteco' for the username and 'zkt123' for the password. After logging in, upload a malicious WAR file containing a JSP web shell. Once the web shell is deployed, it can be used to execute commands on the server with SYSTEM privileges.
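A defender-side check for this flaw, added here and not part of the advisory: it parses a Tomcat tomcat-users.xml, flags the hardcoded 'zkteco'/'zkt123' account and any other user holding a manager role, and produces a remediated copy with the account removed. The sample XML is constructed for illustration; the role names are Tomcat's own manager roles.

```python
import xml.etree.ElementTree as ET

# Account named in the advisory for ZKBioSecurity 3.0.1.0_R_230.
HARDCODED_USER = "zkteco"
HARDCODED_PASS = "zkt123"
# Tomcat roles that grant access to the manager webapp (WAR deployment).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
TOMCAT_NS = "http://tomcat.apache.org/xml"
ET.register_namespace("", TOMCAT_NS)  # keep the default namespace on output

# Constructed sample shaped like Tomcat's default tomcat-users.xml, with the
# hardcoded account present. Not copied from the product.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="zkteco" password="zkt123" roles="manager-gui,manager-script"/>
  <user username="reports" password="example-only" roles="reports"/>
</tomcat-users>
"""


def _local(tag):
    # Strip the namespace: "{http://tomcat.apache.org/xml}user" -> "user".
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, reason) for every <user> that matches the hardcoded
    pair or holds a manager role; an empty list means nothing to review."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if name == HARDCODED_USER and el.get("password") == HARDCODED_PASS:
            findings.append((name, "hardcoded ZKBioSecurity credentials"))
        elif roles & MANAGER_ROLES:
            findings.append((name, "manager role: " + ",".join(sorted(roles & MANAGER_ROLES))))
    return findings


def remove_user(xml_text, username):
    """Return the realm file with the named <user> element dropped."""
    root = ET.fromstring(xml_text)
    for el in list(root):
        if _local(el.tag) == "user" and el.get("username") == username:
            root.remove(el)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_XML):
        print(f"{user}: {reason}")
```

Tomcat reads tomcat-users.xml at startup, so the service must be restarted after the file is changed; removing the manager webapp itself from the deployment is the stronger fix where it is not needed.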
