ZKTeco ZKBioSecurity Local Authorization Bypass Vulnerability in visLogin.jsp

Vulnerability

A local authorization bypass vulnerability has been identified in ZKTeco ZKBioSecurity version 3.0.1.0_R_230, specifically within the visLogin.jsp file. This vulnerability allows attackers to authenticate without valid credentials by spoofing localhost requests. The issue arises because the EnvironmentUtil.getClientIp() method incorrectly interprets the IPv6 loopback address as a standard IPv4 loopback address, enabling authentication with a hardcoded password. Exploitation of this vulnerability could lead to unauthorized access to sensitive information and the ability to perform actions without proper authorization.

Impact

Exploitation of this vulnerability bypasses local authentication, allowing unauthorized access to the application with elevated privileges.

Reproduction

To reproduce this vulnerability, send a login request to the ZKBioSecurity application that includes the IPv6 loopback address. The visLogin.jsp script will process this request, treat it as originating from the local machine, and rewrite the address as '127.0.0.1'. This address string is then used as the username, while the hardcoded password '123456' is used for authentication. Once authenticated, the attacker can access sensitive information and perform unauthorized actions within the application.
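The trust decision described in the Vulnerability and Reproduction sections, modelled in Python beside a hardened counterpart, as an added example. This is not ZKBioSecurity's code and not the vendor's fix; the `LoginRequest` shape, the `claimed_ip` field (the page does not state how the loopback address reaches the application, so a request-supplied address string is assumed), the credential store and every function name are assumptions made for illustration. The only values taken from the advisory are the loopback rewrite to '127.0.0.1', the address-as-username behaviour and the hardcoded password '123456'.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hardcoded local-login credential pattern described in the advisory.
HARDCODED_LOCAL_PASSWORD = "123456"

# Constructed credential store for the example: username -> SHA-256 of the password.
# (Toy only; a real deployment stores a salted, slow hash such as bcrypt or Argon2.)
_USERS = {
    "operator": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}


@dataclass
class LoginRequest:
    peer_ip: str               # address of the TCP peer, taken from the socket
    claimed_ip: Optional[str]  # assumed: an address string carried in request content
    username: str
    password: str


def check_credentials(username: str, password: str) -> bool:
    """Ordinary credential check; constant-time compare avoids leaking hash prefixes."""
    expected = _USERS.get(username)
    if expected is None:
        return False
    actual = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(expected, actual)


def get_client_ip_vulnerable(req: LoginRequest) -> str:
    """Model of the flawed lookup: a request-supplied address wins over the socket peer,
    and the IPv6 loopback literal is folded into the IPv4 loopback string."""
    ip = req.claimed_ip or req.peer_ip
    if ip in ("::1", "0:0:0:0:0:0:0:1"):
        ip = "127.0.0.1"
    return ip


def login_vulnerable(req: LoginRequest) -> bool:
    """Model of the flawed flow: a loopback-looking client is admitted with the hardcoded
    password, using the address string itself as the username."""
    ip = get_client_ip_vulnerable(req)
    if ip == "127.0.0.1" and req.username == ip and req.password == HARDCODED_LOCAL_PASSWORD:
        return True
    return check_credentials(req.username, req.password)


def is_loopback_peer(peer_ip: str) -> bool:
    """Family-aware locality test on the *socket* peer only: 127.0.0.0/8 and ::1 are both
    recognised by the library, so no string rewriting is needed and no request content
    is consulted. Use this where code genuinely needs to know a peer is local."""
    try:
        return ipaddress.ip_address(peer_ip).is_loopback
    except ValueError:
        return False


def login_hardened(req: LoginRequest) -> bool:
    """Hardened flow: no hardcoded credential and no locality shortcut, so neither the
    claimed address nor the peer address can substitute for a real credential."""
    return check_credentials(req.username, req.password)


if __name__ == "__main__":
    # Constructed request: remote peer presenting the IPv6 loopback as its address.
    spoof = LoginRequest("203.0.113.7", "::1", "127.0.0.1", HARDCODED_LOCAL_PASSWORD)
    print("vulnerable flow admits spoofed loopback:", login_vulnerable(spoof))
    print("hardened flow admits spoofed loopback:  ", login_hardened(spoof))
```

Two things to take from the hardened half: locality must be derived from the transport peer, never from request content, and even a genuinely local peer should not be granted a password-free or fixed-password path, because any local file-write or SSRF primitive would then become full application access.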

Added: Mar 16, 2026, 3:13 PM
Updated: Mar 16, 2026, 3:13 PM

Vulnerability Rating

Custom Algorithm

  Category         Score
  spread           0.0
  impact           5.0
  exploitability   6.0
  remediation      0.0
  relevance        4.0
  threat           6.4
  urgency          2.9
  incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.