漏洞关键信息 漏洞名称: FaceSentry Access Control System 6.4.8 - Remote SSH Root EDB-ID: 47067 CVE: N/A 作者: LiquidWORM 类型: Remote 平台: Hardware 发布日期: 2019-07-01 受影响版本: - Firmware 6.4.8 build 264 (Algorithm A16) - Firmware 5.7.2 build 568 (Algorithm A14) - Firmware 5.7.0 build 539 (Algorithm A14) 总结: FaceSentry 5AN is a revolutionary smart identity management appliance that offers entry via biometric face. 漏洞细节 利用脚本: Python脚本, 实现远程SSH root访问 漏洞利用过程: - 利用wwwuser账号无需密码执行sudo命令获取root权限 - 配置了大量别名命令, 可以无密码运行敏感命令 测试环境: - Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus) - Linux 3.4.113-sun8i (armv7l) - PHP/7.0.30-0ubuntu0.16.04.1 - PHP/7.0.22-0ubuntu0.16.04.1 - lighttpd/1.4.35 - Armbian 5.38 - Sunxi Linux (sun8i generation) - Orange Pi PC + 漏洞发现者: Gjoko 'LiquidWorm' Krstic (@zeroscience) 公告ID: ZSL-2019-5526 公告URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5526.php