Hanwha Techwin Smart Security Manager ActiveMQ CORS Bypass Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Hanwha Techwin Smart Security Manager (SSM) versions 1.32 and 1.4. It arises from improper restrictions on the PUT method in the bundled Apache ActiveMQ instance, which is accessible on port 8161. Exploitation involves a Cross-Origin Resource Sharing (CORS) bypass that allows an attacker to upload malicious files to the web server via JavaScript, ultimately executing arbitrary code with SYSTEM privileges. The issue circumvents the server-side mitigations from previous advisories by shifting exploitation to the client side.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected system with SYSTEM privileges.

Reproduction

The vulnerability can be reproduced by uploading a crafted file through the ActiveMQ PUT method, exploiting a CORS bypass. This can be done by first creating a Cross-Origin request that bypasses the same-origin policy, and then using JavaScript to upload a file to the server via an XMLHttpRequest. The uploaded file can be a script that, once executed, provides a reverse shell or similar payload, effectively compromising the system.
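Detection logic for the request pattern described above, as an added example that is not part of the original advisory: it scans an access log from the port 8161 listener for PUT requests and marks those whose Referer names a different origin. The Combined Log Format, the sample lines, the placeholder paths and the function names are assumptions; the advisory does not give the upload path or a log format.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: client ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def referer_origin(referer):
    """Return 'host:port' for a Referer URL, or None when absent or unparseable."""
    try:
        parts = urlsplit(referer)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return None
    return f"{parts.hostname}:{port}" if parts.hostname else None

def flag_puts(lines, service_origins):
    """Classify every PUT in the log by the origin the browser reported for it."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "PUT":
            continue
        origin = referer_origin(m["referer"])
        if origin is None:
            kind = "put-no-referer"    # scripted client or stripped header: still review
        elif origin in service_origins:
            kind = "put-same-origin"
        else:
            kind = "put-cross-origin"  # a page on another origin drove the upload
        findings.append((kind, m["client"], m["path"], int(m["status"]), origin))
    return findings

# Constructed sample lines (not from a real SSM host); paths are placeholders.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Sep/2025:10:00:01 +0000] "GET /constructed/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Sep/2025:10:00:07 +0000] "PUT /constructed/a.txt HTTP/1.1" 204 0 "http://web.example/page.html" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Sep/2025:10:02:11 +0000] "PUT /constructed/b.txt HTTP/1.1" 403 0 "-" "curl/8.0"',
    '127.0.0.1 - - [01/Sep/2025:10:03:00 +0000] "PUT /constructed/c.txt HTTP/1.1" 204 0 "http://localhost:8161/constructed/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in flag_puts(SAMPLE_LOG, {"localhost:8161", "127.0.0.1:8161"}):
        print(finding)
```

Because the upload is issued by the operator's own browser, the client address in the log is typically the local machine, so the Referer mismatch rather than the source IP is the useful signal.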

Remediation

Users are advised to update to Hanwha Techwin Smart Security Manager version 1.41 or later.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 7.5
exploitability: 7.4
remediation: 7.7
relevance: 0.3
threat: 6.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.