Related vulnerability
Title:
N/A
(CVE-2024-56902)
Description: Geovision GV-ASWeb version 6.1.0.0 and earlier has an issue that allows an unauthorized low-privilege attacker to obtain other accounts' information through a crafted HTTP request.
Description
CVE-2024-56902 - Information disclosure vulnerability in GeoVision ASManager web application version v6.1.0.0 or less.
Introduction
# CVE-2024-56902
CVE-2024-56902 - Information disclosure vulnerability in [Geovision GV-ASManager](https://www.geovision.com.tw) web application with version v6.1.0.0 or less.
# Requirements
To perform a successful attack, an attacker requires:
- GeoVision ASManager version 6.1.0.0 or less
- Network access to the GV-ASManager web application (in some deployments it is exposed publicly)
- Access to the Guest account (enabled by default), or any low privilege account (Username: `Guest`; Password: `<blank>`)
# Impact
The vulnerability can be leveraged to **perform the following unauthorized actions**:
+ A low privilege account is able to:
  - Enumerate user accounts
  - Retrieve the cleartext password of any account in GV-ASManager.
+ After reusing the retrieved password, **an attacker will be able to**:
  - Access resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
  - Make changes to data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
  - Disrupt and disconnect services such as monitoring cameras and access controls.
  - Clone and duplicate access control data for further attack scenarios.
  - Reuse the retrieved password against other digital assets of the organization.
# CVE-2024-56902 PoC [Testing GeoVision v6.1.0.0]
### Operators:
<img src="https://github.com/user-attachments/assets/04502d72-962b-4bde-bbec-94107fdc20b3" width="700">
> Accounts list before we start the attack [We own the Guest account]
The Guest account by default is not authorized to read the list of accounts, but because of a Broken Access Control vulnerability ([CVE-2024-56898](https://github.com/DRAGOWN/CVE-2024-56898)) we are able to list all the accounts with the Guest user, as shown below:
<img src="https://github.com/user-attachments/assets/5c7877c6-f1be-4b18-924f-c6b81441239b" width="700">
> Listing all the accounts with the Guest user
Now that we know the list of users, we can target a specific account: Administrator
<img src="https://github.com/user-attachments/assets/65166a8a-ba37-4deb-9542-509b4be50169" width="700">
> Retrieving Administrator account's password
<img src="https://github.com/user-attachments/assets/0d78f9d2-f75f-4f3c-81c8-3adb8890d4dd" width="700">
> Logging in the web application as the Administrator
### The vendor of the product **GeoVision** is informed and has already released the newest fixed version 6.1.2.0 (as of January 2025)
**INFO: While version 6.1.1.0 is also fixed for the above-described vulnerability, it is still vulnerable to another attack - Cross-Site Request Forgery [Described here: [LINK](https://github.com/DRAGOWN/CVE-2024-56901)].**
Download the latest version from [here](https://www.geovision.com.tw/download/product/).
## Contact
If you have a question, you can contact me, Giorgi Dograshvili on [LinkedIn](https://ge.linkedin.com/in/giorgi-dograshvili).
File snapshot
[4.0K] /data/pocs/0d0d6671f3838871d9a5e78121e806718a904d58
└── [2.9K] README.md
0 directories, 1 file
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is unavailable or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.