Hello everyone! On this occasion, I would like to share how I discovered a vulnerability in a ZKTeco WDMS system. It all started when I had to review third-party systems, as in this case, where the opportunities to exploit these circumstances are crucial, especially when economic constraints prevent the acquisition of these platforms.

WDMS is Web-based Data Master System, an advanced middleware.
As a middleware, WDMS allows you to deploy on servers and databases for devices and transactions management. Administrators can access WDMS anywhere by the browser or a third-party software by API to handle thousands of devices.

The first thing we encounter is a typical user access. We will skip this process as it is not relevant to this publication.

After logging into the application, a panel is displayed that features a menu, allowing us to view, modify, and delete specific information. This menu serves as a key interface that enables efficient data management. From here, various functions are accessible, facilitating interaction and administration of the information contained in the platform.

Now, we proceed to attempt to modify employee information in the “Emp Name” (EName) field. Initially, we tested with a small payload; however, the results were not satisfactory. This is because the form is validated on the frontend, and the payload must adhere to a maximum of 40 characters.

The results when trying to inject payloads into the form are as follows.

Now, the vulnerability in this form lies in the fact that the information is only validated on the frontend, as mentioned earlier. However, this validation is not performed on the backend, allowing the possibility to intercept the request and modify the information before it is sent.

After sending the payload, we can observe how it is stored, ready to be executed and reflected in the user’s view.

In summary, when attempting to modify employee data, a vulnerability in validation is revealed, which occurs exclusively on the frontend. This allows for the interception and modification of information before it is sent to the backend. The conclusion underscores the importance of implementing more robust validation measures both on the frontend and the backend to prevent potential security breaches.

• 2023–12–14 Vulnerability identified
• 2023–12–18 Customer approved disclosure to vendor
• 2024–01–09 Reserved CVE-2023–51157 by the Mitre
• 2024–01–?? Vendor notified 🦗🦗🦗