Dahua Smart Park Integrated Management Platform Path Traversal Vulnerability Allowing Arbitrary File Upload and Remote Code Execution
Vulnerability
A path traversal vulnerability has been identified in the Dahua Smart Park Integrated Management Platform, specifically within the SOAP-based GIS bitmap upload interface. This vulnerability allows unauthenticated remote attackers to upload arbitrary files to the server, including executable JSP payloads, via crafted SOAP requests. Successful exploitation of this vulnerability may lead to remote code execution and full compromise of the affected system. The vulnerability is believed to affect builds released prior to September 2023.
Impact
Exploitation of this vulnerability allows for arbitrary file uploads, which can be leveraged to execute malicious JSP payloads on the server, resulting in remote code execution and complete system compromise.
Reproduction
The vulnerability can be reproduced by sending a SOAP request to the '/emap/webservice/gis/soap/poi' interface. The request must include a path traversal payload in the 'arg0' parameter, specifying a location for the uploaded file that traverses outside the intended directory. The 'arg1' parameter should contain the payload to be executed, encoded in Base64. Once the request is processed, the uploaded file can be accessed through the server's URL, executing the payload and achieving remote code execution.
Remediation
Users are advised to update to the latest version of the Dahua Smart Park Integrated Management Platform, as the vulnerability has been addressed in builds released after September 2023.
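Until the update is applied, requests to the interface described under Reproduction can be screened at a reverse proxy or in captured traffic. The following detection check is an added example, not vendor code or part of the original advisory. It assumes the request path and SOAP body are available as strings, and the envelope's namespace, the operation name and all sample values are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

ENDPOINT = "/emap/webservice/gis/soap/poi"  # interface named in the advisory
SCRIPT_EXTS = (".jsp", ".jspx")             # server-executable types on a JSP platform

def soap_args(body):
    """Return {"arg0": ..., "arg1": ...} from a SOAP body, ignoring namespaces."""
    if "<!doctype" in body.lower():
        raise ValueError("DTD in SOAP body")  # never expand entities from untrusted XML
    args = {}
    for el in ET.fromstring(body).iter():
        local = el.tag.rsplit("}", 1)[-1]
        if local in ("arg0", "arg1"):
            args[local] = (el.text or "").strip()
    return args

def inspect_request(path, body):
    """Return findings for one captured POST; an empty list means nothing flagged."""
    if path.split("?", 1)[0].rstrip("/").lower() != ENDPOINT:
        return []
    try:
        name = soap_args(body).get("arg0", "")
    except (ValueError, ET.ParseError):
        return ["unparseable-soap-body"]
    for _ in range(3):                 # undo nested URL encoding (%252e -> %2e -> .)
        name = unquote(name)
    name = name.replace("\\", "/")     # treat Windows separators like '/'
    findings = []
    if ".." in name.split("/") or name.startswith("/"):
        findings.append("arg0-path-traversal")
    if name.rstrip("/. ").lower().endswith(SCRIPT_EXTS):
        findings.append("arg0-script-extension")
    return findings

# Constructed sample envelope: only arg0/arg1 come from the advisory; the
# namespace and operation name are placeholders, arg1 is base64 of "constructed".
ENVELOPE = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            'xmlns:ns="urn:example"><s:Body><ns:op><arg0>{0}</arg0>'
            '<arg1>Y29uc3RydWN0ZWQ=</arg1></ns:op></s:Body></s:Envelope>')

if __name__ == "__main__":
    for arg0 in ("map01.png", "../../upload/sample.jsp", "%252e%252e%255csample.jspx"):
        print(arg0, inspect_request(ENDPOINT, ENVELOPE.format(arg0)))
```

Because the advisory describes the interface as reachable without authentication, any finding on this endpoint from an untrusted network warrants a check of the web root for unexpected JSP files.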
