
CVE-2024-56902 PoC — Geovision GV-ASWeb Security Vulnerability

Source
Associated Vulnerability
Title: Geovision GV-ASWeb Security Vulnerability (CVE-2024-56902)
Description: Geovision GV-ASWeb is a web-based software product from the Chinese company Geovision (奇偶), used to remotely access and configure the GV-ASManager database. Geovision GV-ASWeb 6.1.0.0 and earlier versions contain a security vulnerability: an unauthorized, low-privilege attacker is allowed to request information about other accounts by means of a crafted HTTP request.
Description
CVE-2024-56902 - Information disclosure vulnerability in GeoVision ASManager web application version v6.1.0.0 or less.
Readme
# CVE-2024-56902
CVE-2024-56902 - Information disclosure vulnerability in [Geovision GV-ASManager](https://www.geovision.com.tw) web application with version v6.1.0.0 or less.

# Requirements
To perform a successful attack, an attacker requires:
  - GeoVision ASManager version 6.1.0.0 or less
  - Network access to the GV-ASManager web application (in some cases it is exposed to the public internet)
  - Access to Guest account (enabled by default), or any low privilege account (Username: `Guest`; Password: `<blank>`)

# Impact
The vulnerability can be leveraged to **perform the following unauthorized actions**:
+ A low privilege account is able to:
  - Enumerate user accounts
  - Retrieve cleartext password of any account in GV-ASManager.
+ After reusing the retrieved password, **an attacker will be able to**:
  - Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
  - Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
  - Disrupt and disconnect services such as monitoring cameras, access controls.
  - Clone and duplicate access control data for further attack scenarios.
  - Reuse the retrieved password against other digital assets of the organization.

# CVE-2024-56902 PoC [Testing GeoVision v6.1.0.0]
### Operators:

<img src="https://github.com/user-attachments/assets/04502d72-962b-4bde-bbec-94107fdc20b3" width="700">

> Account list before the attack starts [we own the Guest account]

The Guest account is not authorized by default to read the list of accounts, but because of a Broken Access Control vulnerability ([CVE-2024-56898](https://github.com/DRAGOWN/CVE-2024-56898)) we are able to list all the accounts with the Guest user, as shown below:

<img src="https://github.com/user-attachments/assets/5c7877c6-f1be-4b18-924f-c6b81441239b" width="700">

> Listing all the accounts with Guest user

Now that we know the list of users, we can target a specific account: Administrator

<img src="https://github.com/user-attachments/assets/65166a8a-ba37-4deb-9542-509b4be50169" width="700">

> Retrieving Administrator account's password

<img src="https://github.com/user-attachments/assets/0d78f9d2-f75f-4f3c-81c8-3adb8890d4dd" width="700">

> Logging in to the web application as the Administrator

### The vendor of the product **GeoVision** has been informed and has already released a fixed version, 6.1.2.0 (as of January 2025)
**INFO: While version 6.1.1.0 also fixes the vulnerability described above, it is still vulnerable to another attack, Cross-Site Request Forgery [described here: [LINK](https://github.com/DRAGOWN/CVE-2024-56901)].**

Download the latest version from [here](https://www.geovision.com.tw/download/product/).

## Contact
If you have a question, you can contact me, Giorgi Dograshvili on [LinkedIn](https://ge.linkedin.com/in/giorgi-dograshvili).