K-ZkTeco-2023-001.md

---

Kaspersky Advisory

(K-ZkTeco-2023-001) Bypassing ZkTeco-based OEM devices/ZKTeco biometric authentication system via SQLi in QR code

---

Affected Hardware/Software

ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with the ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others

Severity level

Impact: Allows you to authenticate under any user from the device database

Access Vector: Physical

CVSS v3 Vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v3 Score

4.6

CVE ID

CVE-2023-3938

Vulnerability description

When displaying a QR code into the device's camera, SQL injection may occur if the request contains a quotation mark. The vulnerable function in library uses the data from the QR code as a string in the SQL query to get fields from the database. So an attacker can embed SQL code and get data about users from the database and thus authenticate.

Remediation

Apply patch from vendor when it will be available for your device.

Acknowledgements

Vulnerability was discovered by Alexander Zaytsev from Kaspersky.

Reference

https://github.com/klsecservices/Publications/blob/master/QR_code_SQL_injection_and_other_vulnerabilities_in_a_popular_biometric_terminal_EN.pdf