ZK Scanner

Welcome to ZK Scanner - an Infosec Chicago project!

What is this?

This is a project designed to help people find instances of ZK Framework in response to the CVE-2022-36537 vulnerability.

It should be noted that just because you find an application that has the ZK Framework with this tool, it does not mean that the application is vulnerable. It simply means that you should be checking with the vendor to see if they have released patches to address this vulnerability. If so, you should patch right away. If not, then it might not be a bad idea to reach out to the vendor for confirmation as to whether or not their application is vulnerable (you can refer them to "https://nvd.nist.gov/vuln/detail/CVE-2022-36537" for more information.

If I don't find any presence of ZK with this tool, does that mean that I'm protected?

It's not a guarantee, but it does help provide some peace of mind. As Potix points out, ZK has been around since 2005 and is a leader in the industry; meaning it's used in a lot of software. All our scanner can cover is systems you have direct access to; and even those aren't guaranteed since this is a free service.

What should I do if I find affected applications and the vendor doesn't have a patch yet?

That's a tough spot. Try to put pressure on the vendor as much as you can; but in the meantime, try to get those applications as protected as you can. Make sure they aren't directly accessible from the internet (place behind a VPN or something similar if possible), and ensure you have a WAF with rules to cover this vulnerability if you must have applications accessible publicly. Keep in mind that without an official patch, you may experience downtime and other usability issues with these applications when such mitigations are in place; so they are not a replacement for vendor supported patches, they are just temporary stop-gaps.

Why is this free?

Because I believe in a world where everyone works together for a safer internet. Also, I threw it together really quickly, so it comes without official support or guarantees.

If you found this tool helpful and would like to contribute to future projects that are similar in nature; feel free to check out https://semsec.net/donations/.

Where can I find out more about this issue?

What do the results mean exactly?

Good question. Presence Likely is a pretty obvious field, but the rest probably need a bit of explaining. Essentially the scripts will look for evidence of ZK Framework in the following places:

Classes in java binaries are the most likely to be accurate, the others can occasionally have false positives and may often miss things; but given the cross-platform functionality and limitations of different systems, it seemed best to include all options for best coverage.

You may also notice that you see the same filenames multiple times (especially in the class search) - that is because those files will often include the reference multiple times that the scripts are searching for.

If I see version information in the filename that says it's out of date, does that automatically mean I'm at risk?

Not necessarily. Some developers may choose to simply overwrite those files with the patched version without changing the name to avoid having to do a full release in the event that doing so does not cause issues to their app. Consult with your vendor to be sure.

Do I need to run this as admin/sudo?

No, not necessarily; although you may run a higher risk of a false negative if you do not since it may not be able to scan all files; so use your best judgement as to whether or not you want to.