Comments on "Ignorance is the root of all evil ... ;-)": ZKSoftware ZEM500 Authentication Bypass
Comment feed last updated 2022-04-02T00:43:08-07:00; 8 comments, newest first.

Scarlet Pimpernel, 2016-10-22T15:56:52-07:00:

Beyond the obvious snooping around, I am NOT inclined to post a PoC exploit as such. You can try your hand with bash scripting or Python with a packet-crafting tool like scapy to send UDP packets (while monitoring with Wireshark); alternatively, check if there's a public exploit for the device.

Cheers!

Mookie, 2016-10-20T08:01:48-07:00:

We have a couple of these units for building access. I can telnet into the boxes, but I would really like to script a terminal command that I could send to either device to unlock a door without having to open the GUI and peck around. Any ideas?

Scarlet Pimpernel, 2016-10-19T22:49:46-07:00:

I didn't realize something I did for fun would generate interest...
But here goes.

All you have to do is telnet in to the box, issue a passwd command, change the password and copy it to overwrite /mnt/mtdblock and /mnt/mtdblock/data:

# passwd
(Once you get the password changed, use the following commands)
# cp /etc/passwd /mnt/mtdblock
# cp /etc/passwd /mnt/mtdblock/data/

Default password for the device that I, ahem, explored was solokey, IIRC.

I am NOT very sure or updated on the vulnerability as such. It may have been reported and fixed by now (I saw THIS in 2013) - I could be wrong, too... since some vendors don't fix vulnerabilities quickly.

Sorry about the late reply. All of the above was gleaned from my notes from 2013...

Always document the vulnerabilities you play with for later use... :)

Cheers,
Kish

ClaudioGuendelman, 2016-08-30T12:02:54-07:00:

But anyway, what is the default telnet name and login for the device?
From Chile

htlcnn, 2016-07-31T23:00:50-07:00:

I don't understand what the bypass is after reading your post. Could you please give more details? Thanks!

Anonymous, 2016-06-01T19:55:56-07:00:

Hi, your work is so amazing!

I'm an IT guy in a company which uses this ZK fingerprint machine. I'm tired of printing this 'timesheet' record every week, because the layout style it provides is so old and outdated. As I have some web development and some Linux/database knowledge, I want to hook directly up to the ZEM500 SQL and read the SQL from there, so that I may develop some useful and modern clock-management 'software'. What should I do? Since no one in our company except me is monitoring this thing (we use the software it provides, yes), how can I get the password and username for that BusyBox Linux? Thanks a lot!

kishfellow (http://kishfellow.blogspot.com), 2014-07-21T12:24:33-07:00:

Please understand the nature of the bug doesn't require you to authenticate.

That's why it is called a "bypass".

Cheers!

Mookie, 2014-06-25T09:34:19-07:00:

What is the default telnet name and login for the ZEM500?