
CVE-2024-56903 PoC — Geovision GV-ASWeb security vulnerability

Source
Associated Vulnerability
Title: Geovision GV-ASWeb security vulnerability (CVE-2024-56903)
Description: Geovision GV-ASWeb is a web-based application from Geovision used to remotely access and configure the GV-ASManager database. Geovision GV-ASWeb 6.1.1.0 and earlier contain a security vulnerability caused by cross-site request forgery (CSRF), which allows an attacker to perform arbitrary operations by supplying a crafted HTTP request.
Description
CVE-2024-56903 - The Geovision GV-ASManager web application, version 6.1.1.0 or earlier, accepts the GET method in place of POST for critical functionality such as account management, so a state-changing request can be replayed as a plain GET with the parameters in the query string. This vulnerability is chained with CVE-2024-56901 for a successful CSRF attack.
Readme
# CVE-2024-56903
CVE-2024-56903 - The [Geovision GV-ASManager](https://www.geovision.com.tw) web application, version 6.1.1.0 or earlier, accepts the GET method in place of POST for critical functionality such as account management. This vulnerability is chained with [CVE-2024-56901](https://github.com/DRAGOWN/CVE-2024-56901) for a successful CSRF attack.

# Requirements
To perform a successful attack, an attacker requires:
  - GeoVision ASManager version 6.1.1.0 or earlier
  - Network access to the GV-ASManager web application (some deployments expose it publicly)
  - **To perform the CSRF attack:** an administrator with an open session in the browser who can be induced to open the attacker's page or link

# Impact
The vulnerability can be leveraged to **perform the following unauthorized actions**:
+ An unauthenticated attacker is able to:
  - Replace the POST request method with GET for state-changing operations, so the whole request fits in a single URL.
  - Craft a malicious HTML page which, if opened by a logged-in administrator, makes changes in the application on behalf of that account.
  - [Create a new administrator account on behalf of the legitimate administrator account once the administrator opens the malicious link.](https://github.com/DRAGOWN/CVE-2024-56901)
+ After a successful attack, **the attacker will be able to**:
  - Access resources such as monitoring cameras, access cards, parked vehicles, employees and visitors.
  - Change data and service network configuration such as employee records, access card security information, IP addresses and settings.
  - Disrupt and disconnect services such as monitoring cameras and access control.
  - Clone and duplicate access control data for further attack scenarios.
  - Perform the [CVE-2024-56902](https://github.com/DRAGOWN/CVE-2024-56902) attack to retrieve cleartext passwords that may be reused on other digital assets of the organization.

# CVE-2024-56903 PoC [Testing GeoVision v6.1.1.0]
### Operators:

<img src="https://github.com/user-attachments/assets/04502d72-962b-4bde-bbec-94107fdc20b3" width="700">

> Account list before the attack starts

<img src="https://github.com/user-attachments/assets/99a792e6-83e6-4900-b40b-b49e6db49e76" width="700">

> When creating a new account, the POST request method is used

<img src="https://github.com/user-attachments/assets/408e3041-bae5-4c0a-ab28-400ba47612d8" width="700">

> Changing the POST request method to GET

<img src="https://github.com/user-attachments/assets/c6c2ef4f-e5de-4238-bd57-5ec83dce9409" width="700">

> The new account has been created with the GET request method

As the screenshots show, the web application accepts a change of request method: the same parameters sent as a GET query string create the account just as the POST body did. Because the request carries no CSRF token and is authorised by the session cookie alone, a GET-reachable state change can be triggered from an image tag or a plain link on an attacker's page without any script, which is the CSRF vulnerability described in [CVE-2024-56901](https://github.com/DRAGOWN/CVE-2024-56901).
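The following is an added example, not code from this repository or from GeoVision. It models the observed behaviour as a small WSGI handler, places the hardened form beside it, and includes a probe that replays a POST-only action as a GET and reports whether the state change still happened. The path `/account/create`, the form fields `username` and `role`, the `session` cookie name and the `https://asweb.example` origin are assumptions chosen for illustration; the real GV-ASWeb endpoint and parameters are not shown on this page.

```python
"""Verb-tampering (POST-to-GET) probe and a hardened handler, as two small WSGI apps.

Added example, not code from the CVE-2024-56903 repository or from GeoVision.
The path '/account/create', the form fields, the cookie name and the origin are
assumptions for illustration; the real GV-ASWeb endpoint is not shown on the page.
"""
import secrets
from io import BytesIO
from urllib.parse import parse_qs, urlencode


def _reply(start_response, status, body=b"", headers=()):
    start_response(status, list(headers))
    return [body]


def _session_id(environ):
    """Session id from the Cookie header; the browser attaches it automatically,
    which is exactly what a CSRF request rides on."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


def _form(environ):
    """Parameters from the body for POST, or from the query string for GET."""
    if environ["REQUEST_METHOD"] == "POST":
        raw = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0)).decode()
    else:
        raw = environ.get("QUERY_STRING", "")
    return {k: v[0] for k, v in parse_qs(raw).items()}


class VulnerableApp:
    """Models the behaviour seen in the screenshots: the session cookie alone authorises
    the change, no CSRF token is checked, and the request method is never enforced."""

    def __init__(self):
        self.accounts = {"admin": "Administrator"}
        self.sessions = {"sess-admin": "admin"}  # cookie value -> account (constructed)

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO") != "/account/create":
            return _reply(start_response, "404 Not Found")
        if self.sessions.get(_session_id(environ)) != "admin":
            return _reply(start_response, "403 Forbidden")
        form = _form(environ)  # a GET query string is accepted just like a POST body
        self.accounts[form["username"]] = form["role"]
        return _reply(start_response, "200 OK", b"created")


class HardenedApp(VulnerableApp):
    """Same endpoint with three independent controls: POST only, a per-session CSRF token
    that must be echoed in the body, and rejection of requests the browser marks cross-site."""

    def __init__(self, origin="https://asweb.example"):
        super().__init__()
        self.origin = origin
        self.csrf = {sid: secrets.token_urlsafe(32) for sid in self.sessions}

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO") != "/account/create":
            return _reply(start_response, "404 Not Found")
        sid = _session_id(environ)
        if self.sessions.get(sid) != "admin":
            return _reply(start_response, "403 Forbidden")
        if environ["REQUEST_METHOD"] != "POST":  # closes the GET replay used in the PoC
            return _reply(start_response, "405 Method Not Allowed", headers=[("Allow", "POST")])
        # Origin / Sec-Fetch-Site are defence in depth: enforced when present, but their
        # absence grants nothing, because the token check below is still mandatory.
        cross_site = environ.get("HTTP_SEC_FETCH_SITE") == "cross-site" or (
            "HTTP_ORIGIN" in environ and environ["HTTP_ORIGIN"] != self.origin)
        if cross_site:
            return _reply(start_response, "403 Forbidden", b"cross-site request rejected")
        form = _form(environ)
        if not secrets.compare_digest(form.get("csrf_token", "").encode(), self.csrf[sid].encode()):
            return _reply(start_response, "403 Forbidden", b"missing or wrong csrf token")
        self.accounts[form["username"]] = form["role"]
        return _reply(start_response, "200 OK", b"created")


def send(app, method, path, params, cookie, headers=None):
    """Drive a WSGI app with a constructed environ (no network) and return the status line."""
    encoded = urlencode(params)
    body = encoded.encode() if method == "POST" else b""
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path,
        "QUERY_STRING": encoded if method == "GET" else "",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(body)), "wsgi.input": BytesIO(body),
        "HTTP_COOKIE": f"session={cookie}",
    }
    environ.update(headers or {})
    seen = {}
    app(environ, lambda status, _headers: seen.setdefault("status", status))
    return seen["status"]


def probe_method_override(app, path, params, cookie, witness):
    """Replay a POST-only action as a GET with the same parameters in the query string and
    report whether the state change happened anyway. `witness` returns True once it has."""
    status = send(app, "GET", path, params, cookie)
    return {"status": status, "state_changed": witness()}


if __name__ == "__main__":
    params = {"username": "backdoor", "role": "Administrator"}  # constructed sample input
    for cls in (VulnerableApp, HardenedApp):
        app = cls()
        print(cls.__name__, probe_method_override(
            app, "/account/create", params, "sess-admin", lambda: "backdoor" in app.accounts))
```

The probe is the check worth keeping: any endpoint where `state_changed` is true after a GET replay is reachable from an `<img src>` or a bare link, and the 405 from the hardened handler is what the same probe should report once the method is enforced. The method restriction alone is not a CSRF fix, since a cross-site POST form still sends the session cookie; the per-session token is the control that actually breaks the chain, and the Origin and Sec-Fetch-Site checks only add a second layer.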

### The vendor, **GeoVision**, has been informed and has released a fixed version, 6.1.2.0 (as of January 2025)

![image](https://github.com/user-attachments/assets/1c97dfe1-611c-4b0f-871d-a536fdf24658)

Download the latest version from [here](https://www.geovision.com.tw/download/product/)

## Contact
If you have a question, you can contact me, Giorgi Dograshvili on [LinkedIn](https://ge.linkedin.com/in/giorgi-dograshvili).
File Snapshot

/data/pocs/cbb991a91974805dd054ad5b07b1b9dd41505de5
└── README.md (3.2K)

0 directories, 1 file