CVE-2024-56902 PoC — Geovision GV-ASWeb Security Vulnerability

Source
Associated Vulnerability
Title: Geovision GV-ASWeb Security Vulnerability (CVE-2024-56902)
Description: Information disclosure vulnerability in the Geovision GV-ASManager web application, version v6.1.0.0 or less, which discloses account information, including the cleartext password.
Description
CVE-2024-56902 - Information disclosure vulnerability in GeoVision ASManager web application version v6.1.0.0 or less.
Readme
# CVE-2024-56902
CVE-2024-56902 - Information disclosure vulnerability in [Geovision GV-ASManager](https://www.geovision.com.tw) web application with version v6.1.0.0 or less.

# Requirements
To perform a successful attack, an attacker requires:
  - GeoVision ASManager version 6.1.0.0 or less
  - Network access to the GV-ASManager web application (in some cases it is publicly accessible)
  - Access to the Guest account (enabled by default) or any low-privilege account (Username: `Guest`; Password: `<blank>`)

# Impact
The vulnerability can be leveraged to **perform the following unauthorized actions**:
+ A low-privilege account is able to:
  - Enumerate user accounts
  - Retrieve the cleartext password of any account in GV-ASManager.
+ After reusing the retrieved password, **an attacker will be able to**:
  - Access resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
  - Make changes to data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
  - Disrupt and disconnect services such as monitoring cameras and access controls.
  - Clone and duplicate access control data for further attack scenarios.
  - Reuse the retrieved password on other digital assets of the organization.

# CVE-2024-56902 PoC [Testing GeoVision v6.1.0.0]
### Operators:

<img src="https://github.com/user-attachments/assets/04502d72-962b-4bde-bbec-94107fdc20b3" width="700">

> Accounts list before we start the attack [We own the Guest account]

By default, the Guest account is not authorized to read the list of accounts, but because of a Broken Access Control vulnerability ([CVE-2024-56898](https://github.com/DRAGOWN/CVE-2024-56898)) we are able to list all the accounts as the Guest user, as shown below:

<img src="https://github.com/user-attachments/assets/5c7877c6-f1be-4b18-924f-c6b81441239b" width="700">

> Listing all the accounts as the Guest user

Now that we know the list of users, we can target a specific account: Administrator.

<img src="https://github.com/user-attachments/assets/65166a8a-ba37-4deb-9542-509b4be50169" width="700">

> Retrieving Administrator account's password

<img src="https://github.com/user-attachments/assets/0d78f9d2-f75f-4f3c-81c8-3adb8890d4dd" width="700">

> Logging in to the web application as the Administrator

### The vendor of the product, **GeoVision**, has been informed and has already released the newest fixed version, 6.1.2.0 (as of January 2025)
**INFO: While version 6.1.1.0 also fixes the vulnerability described above, it is still vulnerable to another attack, Cross-Site Request Forgery [described here: [LINK](https://github.com/DRAGOWN/CVE-2024-56901)].**

Download the latest version from [here](https://www.geovision.com.tw/download/product/)
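
To triage an inventory against the version boundaries stated above, the following Python sketch is an added example, not part of the original README or any GeoVision tooling. The `host,version` record format and the host names are assumptions; builds this page does not name are reported as unknown rather than guessed.

```python
import re

# Version boundaries as stated on this page.
LAST_AFFECTED = (6, 1, 0, 0)  # CVE-2024-56902 affects this version and lower
CSRF_ONLY = (6, 1, 1, 0)      # fixed for CVE-2024-56902, still has CVE-2024-56901
FIXED = (6, 1, 2, 0)          # fixed release as of January 2025

def parse_version(text):
    """Parse 'v6.1.0.0', '6.1.0' or ' 6.1.2.0 ' into a 4-tuple; None if malformed."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+){1,3})", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(version_text):
    """Return (status, action) for one reported GV-ASManager version."""
    v = parse_version(version_text)
    if v is None:
        return ("unknown", "version string not parseable; check the host manually")
    if v <= LAST_AFFECTED:
        return ("CVE-2024-56902", "upgrade; rotate all GV-ASManager passwords")
    if v == CSRF_ONLY:
        return ("CVE-2024-56901", "upgrade to 6.1.2.0 or later")
    if v >= FIXED:
        # Assumption: releases after 6.1.2.0 keep the fix.
        return ("fixed", "none")
    return ("unknown", "build not named on this page; confirm with the vendor")

def triage_inventory(lines):
    """lines: 'host,version' records. Returns {host: (status, action)}."""
    report = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, _, version = line.partition(",")
        report[host.strip()] = triage(version)
    return report

# Constructed sample inventory (hypothetical host names).
SAMPLE = [
    "# host,version", "asm-hq,v6.1.0.0", "asm-lab,5.3.4",
    "asm-dc,6.1.1.0", "asm-new,6.1.2.0", "asm-odd,6.1.0.5", "asm-bad,n/a",
]

if __name__ == "__main__":
    for host, (status, action) in triage_inventory(SAMPLE).items():
        print(f"{host:10} {status:16} {action}")
```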

## Contact
If you have a question, you can contact me, Giorgi Dograshvili, on [LinkedIn](https://ge.linkedin.com/in/giorgi-dograshvili).