HIKVISION iSecure Center Remote Code Execution Scanner
Detects 'Remote Code Execution (RCE)' vulnerability in HIKVISION iSecure Center.
Short Info
Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 22 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -
HIKVISION iSecure Center is a comprehensive security management platform widely used by enterprises and organizations to manage security operations. This software helps in integrating various security devices and systems, providing a centralized solution for monitoring and controlling them. It is employed by security personnel in industries such as infrastructure, transportation, government, and commercial sectors. Being a crucial part of security management, iSecure Center offers functionalities like video surveillance management, access control, and alarm systems integration. The platform aims to streamline security operations, allowing users to efficiently handle large-scale security deployments. HIKVISION's solution is designed to provide a holistic approach to security management, ensuring optimal protection and ease of use for its clients.
The Remote Code Execution (RCE) vulnerability in HIKVISION iSecure Center allows an attacker to execute system commands on the target server remotely. This critical vulnerability arises from the improper parsing and execution of certain types of external input, which allows malicious code injection. The attack targets the Fastjson component, which can be leveraged to execute arbitrary system commands. Such vulnerabilities are particularly concerning because they can give attackers access to sensitive data and control of the system. If exploited, it could lead to unauthorized access and potential manipulation of critical systems. RCE vulnerabilities are significant because they compromise the confidentiality, integrity, and availability of affected systems.
The vulnerability is exploited through a POST request to the endpoint /bic/ssoService/v1/applyCT. The attack payload uses specific Java classes to bypass the application’s security mechanisms. It constructs a malicious JSON object with crafted "@type" fields to trigger code execution. The vulnerability resides in the way the application processes and loads classes, which an attacker can subvert to run arbitrary code. This makes it possible for remote attackers to gain system-level privileges without prior authentication. Defensive measures such as input validation and keeping the component up to date with security updates are essential to prevent exploitation.
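For defenders reviewing proxy or WAF captures, the following added example (not part of the scanner or of HIKVISION's code) flags POST requests to the endpoint above whose body carries an "@type" key at any depth. The function names, the sample request bodies and the placeholder class name are constructed for illustration, and the fallback assumes the server-side parser accepts input that Python's strict JSON parser rejects.

```python
import json
import re

ENDPOINT = "/bic/ssoService/v1/applyCT"  # path named on this page
# Fallback pattern for bodies a strict JSON parser rejects (assumption: the
# target parser is more lenient than Python's json module).
RAW_TYPE_KEY = re.compile(r"""["']?@type["']?\s*:""")
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def type_hints(body: str) -> list[str]:
    """Return the value of every "@type" key at any nesting depth."""
    found = []

    def hook(pairs):
        # object_pairs_hook sees duplicate keys that a plain dict would drop.
        found.extend(str(v) for k, v in pairs if k == "@type")
        return dict(pairs)

    try:
        json.loads(body, object_pairs_hook=hook)
    except json.JSONDecodeError:
        # Not strict JSON: decode \uXXXX escapes, then match the raw key.
        decoded = UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), body)
        found = ["<unparsed>"] * len(RAW_TYPE_KEY.findall(decoded))
    return found


def inspect_request(method: str, path: str, body: str):
    """Return an alert dict for a suspicious request, or None."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return None
    hints = type_hints(body)
    return {"path": path, "type_hints": hints} if hints else None


# Constructed sample requests; the class name is a placeholder, not a real gadget.
SAMPLES = [
    ("POST", ENDPOINT, '{"ticket": "abc123"}'),
    ("POST", ENDPOINT, '{"a": {"@type": "com.example.Placeholder"}}'),
    ("POST", ENDPOINT, '{"a": {"\\u0040type": "com.example.Placeholder"}}'),
    ("POST", ENDPOINT, "{'a': {'@type': 'com.example.Placeholder'}}"),
    ("GET", ENDPOINT, '{"@type": "com.example.Placeholder"}'),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, inspect_request(method, path, body))
```

The escaped-key and single-quoted samples show why matching the literal string "@type" in raw bytes alone misses variants that a lenient parser would still accept.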
Exploiting this vulnerability could have severe consequences. Unauthorized execution of system commands may allow attackers to access and manipulate sensitive information stored on the server. It can lead to data breaches, data loss, and unauthorized control over the security management platform. Additionally, attackers might leverage the RCE to deploy malicious software and pivot to other systems within the network. The potential for lateral movement within the network increases the risk of further exploitation. Systems could become compromised, leading to a loss of trust and increased financial and reputational damage for affected organizations.