ZKTeco BioTime Unauthenticated IDOR Vulnerability in Endpoint Credentials Exposure

Vulnerability

A critical Insecure Direct Object Reference (IDOR) vulnerability has been identified in ZKTeco BioTime versions prior to 9.0.3, 9.0.4, and 9.5.2. It allows remote attackers to read the '/base/safe_setting/' endpoint without authentication; the response exposes the configured encryption passwords in cleartext. During testing, these passwords matched the default administrator password, so the exposure led directly to full administrative access on the BioTime system.

Impact

Exploitation of this vulnerability allows for complete administrative takeover of the affected BioTime instance.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/base/safe_setting/' endpoint. In versions 9.0.3 and 9.5.2, this request can be made without any authentication. In version 9.0.4, the request must be made using a session cookie from a low-privilege user, but it will still result in unauthorized access to the sensitive password fields.
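For defenders who want to know whether this endpoint has already been hit, the following is an added detection example (not code from the advisory or from ZKTeco): it parses web-server access logs in combined log format, flags every request to '/base/safe_setting/', and ranks them by whether the server actually served content. The log lines are constructed samples, and the 'remote user' field is only populated when the reverse proxy itself authenticated the request, so for cookie-based sessions every 200 response deserves review.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, List, Dict

# Constructed sample access-log lines (combined log format). Not real BioTime logs.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Dec/2025:09:10:01 +0000] "GET /base/safe_setting/ HTTP/1.1" 200 412 "-" "python-requests/2.31"
10.0.0.7 - admin [28/Dec/2025:09:11:15 +0000] "GET /base/safe_setting/ HTTP/1.1" 200 412 "https://biotime.example/base/" "Mozilla/5.0"
10.0.0.9 - - [28/Dec/2025:09:12:30 +0000] "GET /base/safe_setting/ HTTP/1.1" 302 0 "-" "curl/8.4"
10.0.0.5 - - [28/Dec/2025:09:13:02 +0000] "GET /att/ HTTP/1.1" 200 9001 "-" "python-requests/2.31"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The endpoint named in the advisory.
SENSITIVE_PATH = "/base/safe_setting/"


@dataclass
class Finding:
    ip: str
    ts: str
    status: int
    user: Optional[str]   # proxy-authenticated user, if the proxy logged one
    severity: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for requests to the sensitive endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Compare the path without any query string.
    if m["path"].split("?", 1)[0] != SENSITIVE_PATH:
        return None
    status = int(m["status"])
    user = None if m["user"] == "-" else m["user"]
    if status == 200 and user is None:
        # Content served and the proxy saw no authenticated user: treat as
        # possible credential exposure until the application session log says otherwise.
        severity = "critical"
    elif status == 200:
        # Content served to a known user: verify that user was an administrator.
        severity = "high"
    else:
        # Redirected or rejected: the endpoint appears to be enforcing access control.
        severity = "info"
    return Finding(m["ip"], m["ts"], status, user, severity)


def scan(log_text: str) -> List[Finding]:
    """Scan a whole log and keep only hits on the sensitive endpoint."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def hits_by_ip(findings: List[Finding]) -> Dict[str, int]:
    """Count sensitive-endpoint requests per source address for triage."""
    return dict(Counter(f.ip for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:8} {f.ip:10} {f.ts}  status={f.status} user={f.user}")
    print(hits_by_ip(scan(SAMPLE_LOG)))
```

Run it over your proxy or BioTime access logs from before the update; any "critical" line from an address you do not recognise is a reason to rotate the encryption and administrator passwords, since the advisory notes they may be the same value.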

Remediation

Users should update to ZKTeco BioTime version 9.0.6, where this vulnerability has been fixed by removing the exposure of sensitive passwords from the response and enforcing proper access controls on the endpoint.
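The two fixes the remediation describes, access control and redaction, are shown side by side in this added example. It is hypothetical, framework-agnostic code written for this page, not BioTime's code: the settings record, field names, and the request/response types are all assumptions. The vulnerable handler reproduces the pattern in the advisory (any caller gets the stored secret); the hardened handler rejects anonymous callers, rejects authenticated non-administrators (the 9.0.4 case), and never returns the password itself.

```python
from dataclasses import dataclass, field
from typing import Optional, Dict, Any

# Constructed stand-in for the application's persisted "safe settings" record.
# Field names are hypothetical and are not BioTime's real schema.
SAFE_SETTINGS: Dict[str, Any] = {
    "encrypt_enabled": True,
    "encrypt_password": "Sup3rSecret!",   # constructed sample value
    "backup_path": "/var/backup/biotime",
}

# Fields that must never be echoed back to a client, even an administrator.
SECRET_FIELDS = {"encrypt_password"}


@dataclass
class Request:
    path: str
    user: Optional[str] = None   # None means no valid session
    is_admin: bool = False


@dataclass
class Response:
    status: int
    body: Dict[str, Any] = field(default_factory=dict)


def safe_setting_vulnerable(req: Request) -> Response:
    """The pattern behind the advisory: no authentication or authorization
    check, and the stored secret is returned verbatim to whoever asks."""
    return Response(200, dict(SAFE_SETTINGS))


def safe_setting_hardened(req: Request) -> Response:
    """Require an administrator session and redact secrets from the response."""
    if req.user is None:
        return Response(401)   # or redirect to the login page
    if not req.is_admin:
        return Response(403)   # logged in, but not allowed to see system settings
    body = {k: v for k, v in SAFE_SETTINGS.items() if k not in SECRET_FIELDS}
    # Tell the UI whether a password is configured without revealing it.
    body["encrypt_password_set"] = bool(SAFE_SETTINGS.get("encrypt_password"))
    return Response(200, body)


def leaks_secret(resp: Response) -> bool:
    """True if any secret field appears in the response body."""
    return any(k in resp.body for k in SECRET_FIELDS)


if __name__ == "__main__":
    anon = Request("/base/safe_setting/")
    staff = Request("/base/safe_setting/", user="employee1")
    admin = Request("/base/safe_setting/", user="admin", is_admin=True)
    for handler in (safe_setting_vulnerable, safe_setting_hardened):
        for req in (anon, staff, admin):
            r = handler(req)
            print(handler.__name__, req.user, r.status, "LEAK" if leaks_secret(r) else "ok")
```

The redaction step matters independently of the access check: an administrator's browser session, proxy logs, and support screenshots all see the response body, so a settings page should confirm that a secret exists rather than display it.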

Added: Dec 28, 2025, 9:18 AM
Updated: Dec 28, 2025, 9:18 AM

Vulnerability Rating

Custom Algorithm

  spread          0.3
  impact          5.0
  exploitability  7.2
  remediation     7.7
  relevance       1.8
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.