Related vulnerability
Title:
N/A
(CVE-2025-26263)
Description: GeoVision ASManager Windows desktop application, version 6.1.2.0 or earlier, is vulnerable to credential disclosure due to improper memory handling in the ASManagerService.exe process.
Description
CVE-2025-26263 - GeoVision ASManager Windows desktop application with the version 6.1.2.0 or less, is vulnerable to credentials disclosure due to improper memory handling in the ASManagerService.exe process.
Introduction
# CVE-2025-26263
CVE-2025-26263 - GeoVision ASManager Windows desktop application with the version 6.1.2.0 or less, is vulnerable to credentials disclosure due to improper memory handling in the ASManagerService.exe process.
# Requirements
To perform a successful attack, an attacker requires:
- System-level access to the GV-ASManager Windows desktop application, version 6.1.2.0 or earlier;
- A high privilege account to dump the memory.
# Impact
The vulnerability can be leveraged to **perform the following unauthorized actions**:
+ An attacker with a high-privilege system user account, who isn't authorized to access GeoVision ASManager, is able to:
  - Dump ASManager account credentials;
  - Authenticate to ASManager.
+ After authenticating to ASManager, **an attacker will be able to**:
  - Access resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
  - Make changes to data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
  - Disrupt and disconnect services such as monitoring cameras and access controls.
  - Clone and duplicate access control data for further attack scenarios.
# CVE-2025-26263 PoC [Testing GeoVision v6.1.2.0]
Credentials leaked in memory can be dumped and found in two cases:
- An account that has been authenticated in the software at least once;
- An account that has never been authenticated in the software, where an attacker can still trigger the memory allocation with the "Forget Password?" function.
<img src="https://github.com/user-attachments/assets/dac9be49-4479-4754-aa76-3b772469e68e" width="700">
> The application runs at system startup
Case 1: an account that has been authenticated in the software at least once, on a system where we have local access:
<img src="https://github.com/user-attachments/assets/864daafa-bb95-4c98-98f6-fe568137328d" width="700">
Searching the dump for the username "test" reveals the related random part "YuYRV6" that has been appended to the username.
As is visible, a randomized string "YuYRV6" was appended to the username "test", and this string can be used to find the related password.
<img src="https://github.com/user-attachments/assets/c3245651-4669-46cc-b4c9-b1712839299c" width="700">
> Searching "YuYRV6" in the dumped memory which should be added to the related password for the "test" account
<img src="https://github.com/user-attachments/assets/e975e93d-eab8-4535-b487-8e960fe8dd34" width="700">
> Dumping password for account "test"
It seems "Test123!" is the password for the account "test".
Case 2: if an account has never been authenticated in the software, an attacker can still make the software allocate the credential data in memory by using the "Forget Password?" function, and then dump the credentials leaked in memory:
<img src="https://github.com/user-attachments/assets/c2c8ece8-cf14-4e3b-913e-b54c222bd5ce" width="700">
> Using Password recovery function for Administrator user
<img src="https://github.com/user-attachments/assets/093bc291-e9ca-47b5-bb57-35f873b7051d" width="700">
> Software couldn't send the password recovery email
<img src="https://github.com/user-attachments/assets/64c572cd-e7d0-4f02-ba1e-5df1cb8b7405" width="700">
> Dumping memory allocated to ASManagerService.exe and filtering with pattern "bstrpassword"
<img src="https://github.com/user-attachments/assets/e0d21793-08f6-4ada-bb68-47e74f49cb32" width="700">
> Administrator password leaked in memory
It seems "StrongestPass@999" is the password for the Administrator account.
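From the defender's side, as an added example that is not part of this advisory or of GeoVision's software: a small check over Sysmon ProcessAccess (Event ID 10) records that flags any process opening ASManagerService.exe with memory-read rights, which is the access a memory dump of the service needs. The record layout, the install path and the sample entries are constructed for the example.

```python
"""Detection check (added example, not GeoVision's or the advisory's code):
flag processes that open ASManagerService.exe with memory-read rights,
using Sysmon-style ProcessAccess (Event ID 10) records."""
import re
from typing import Iterable

# PROCESS_VM_READ is the access right needed to read another process's memory;
# PROCESS_ALL_ACCESS (0x1FFFFF) contains this bit too, so one bit test covers both.
PROCESS_VM_READ = 0x0010
TARGET_IMAGE = "asmanagerservice.exe"

# Constructed sample records (assumed layout and install path; values contain no spaces).
# Each line mirrors the fields a Sysmon Event ID 10 record carries.
SAMPLE_LOG = """\
UtcTime=2025-01-01T10:00:00 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\GeoVision\\ASManagerService.exe GrantedAccess=0x1000
UtcTime=2025-01-01T10:05:00 SourceImage=C:\\Users\\bob\\Desktop\\procdump64.exe TargetImage=C:\\GeoVision\\ASManagerService.exe GrantedAccess=0x1FFFFF
UtcTime=2025-01-01T10:06:00 SourceImage=C:\\Windows\\System32\\Taskmgr.exe TargetImage=C:\\GeoVision\\ASManagerService.exe GrantedAccess=0x1410
UtcTime=2025-01-01T10:07:00 SourceImage=C:\\Tools\\dumper.exe TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1FFFFF
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> dict:
    """Turn one 'key=value ...' record into a dict (empty dict for a blank line)."""
    return dict(FIELD_RE.findall(line))


def reads_memory(granted_access: str) -> bool:
    """True if the hex access mask includes PROCESS_VM_READ."""
    return bool(int(granted_access, 16) & PROCESS_VM_READ)


def flag_memory_reads(lines: Iterable[str]) -> list:
    """Return the records in which a process opened ASManagerService.exe with VM_READ."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        target = rec.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
        if target == TARGET_IMAGE and reads_memory(rec.get("GrantedAccess", "0x0")):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in flag_memory_reads(SAMPLE_LOG.splitlines()):
        print(f"{hit['UtcTime']}  {hit['SourceImage']} read memory of {hit['TargetImage']}")
```

In production the source-image list would be tuned with an allowlist of expected tooling, but any unexpected reader of the service's memory is worth an alert given what that memory holds.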
## Contact
If you have a question, you can contact me, Giorgi Dograshvili on [LinkedIn](https://ge.linkedin.com/in/giorgi-dograshvili).
File snapshot
[4.0K] /data/pocs/09200b18471d4d0a23929d56aca02a5bcdd900cb
└── [3.8K] README.md
0 directories, 1 file
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.