关联漏洞
标题:
N/A
(CVE-2024-56903)
描述:在Geovision GV-ASWeb版本6.1.1.0及以下版本中存在跨站请求伪造(CSRF)漏洞,攻击者可通过提供一个特制的HTTP请求来执行任意操作。
描述
CVE-2024-56903 - Geovision GV-ASManager web application with the version 6.1.1.0 or less allows attackers to modify POST requests with GET in critical functionalities, such as account management. This vulnerability is used in chain with CVE-2024-56901 for a successful CSRF attack.
介绍
# CVE-2024-56903
CVE-2024-56903 - [Geovision GV-ASManager](https://www.geovision.com.tw) web application with the version 6.1.1.0 or less allows attackers to modify POST request method with the GET againsts critical functionalities, such as account management. This vulnerability is used in chain with [CVE-2024-56901](https://github.com/DRAGOWN/CVE-2024-56901) for a successful CSRF attack.
# Requirements
To perform successful attack an attacker requires:
- GeoVision ASManager version 6.1.1.0 or less
- Network access to the GV-ASManager web application (there are cases when there are public access)
- **To perform the CSRF attack:** Administrator's interaction with an open session in the browser
# Impact
The vulnerability can be leveraged to **perform the following unauthorized actions**:
+ A unauthorized account is able to:
- Modify POST request method with GET.
- Craft a malicious HTML page which, if triggered, makes changes in the application on behalf of the logged-in account.
- [Create a new administrator account on behalf of the legit administrator account after triggering the malicious link.](https://github.com/DRAGOWN/CVE-2024-56901)
+ After the successful attack, **an attacker will be able to**:
- Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
- Disrupt and disconnect services such as monitoring cameras, access controls.
- Clone and duplicate access control data for further attack scenarios.
- Perform [CVE-2024-56902](https://github.com/DRAGOWN/CVE-2024-56902) attack to retrieve cleartext password that can be reused in other digital assets of the organization.
# CVE-2024-56903 PoC [Testing GeoVision v6.1.1.0]
### Operators:
<img src="https://github.com/user-attachments/assets/04502d72-962b-4bde-bbec-94107fdc20b3" width="700">
> Accounts list before we start attack
<img src="https://github.com/user-attachments/assets/99a792e6-83e6-4900-b40b-b49e6db49e76" width="700">
> When creating a new account POST request method is used
<img src="https://github.com/user-attachments/assets/408e3041-bae5-4c0a-ab28-400ba47612d8" width="700">
> Changing POST request method with GET
<img src="https://github.com/user-attachments/assets/c6c2ef4f-e5de-4238-bd57-5ec83dce9409" width="700">
> The new account has been created with GET request method
As it is visible, web application allows to change request method. By creating a new account with GET request method and the lack of CSRF token, we can assume there is a CSRF vulnerability, which is described in [CVE-2024-56902](https://github.com/DRAGOWN/CVE-2024-56902).
### The vendor of the product **GeoVision** is informed and they already released the newest fixed version 6.1.2.0 (as of January 2025)
Download the latest version from [here](https://www.geovision.com.tw/download/product/)
## Contact
If you have a question, you can contact me, Giorgi Dograshvili on [LinkedIn](https://ge.linkedin.com/in/giorgi-dograshvili).
文件快照
[4.0K] /data/pocs/cbb991a91974805dd054ad5b07b1b9dd41505de5
└── [3.2K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。