DRAGOWN/CVE-2024-56898

CVE-2024-56898

CVE-2024-56898 - Broken access control vulnerability in the GeoVision GV-ASManager web application, version 6.1.0.0 or earlier. The vulnerability allows low-privilege users to perform actions they are not authorized for, which can be leveraged to escalate privileges and to create, modify or delete accounts.

Requirements

To exploit this vulnerability successfully, an attacker requires:

  • GeoVision ASManager version 6.1.0.0 or earlier
  • Network access to the GV-ASManager web application (in some deployments the application is exposed to the public internet)
  • Access to the Guest account (enabled by default: Username: Guest; Password: <blank>), or any other low-privilege account.

Impact

The vulnerability can be leveraged to perform the following unauthorized actions:

  • A low-privilege account that is not authorized to manage accounts is able to:
    • Enable and disable any account.
    • Create new accounts.
    • Modify the privileges of any account.
    • List accounts and their information.
  • After escalating privileges, an attacker is able to:
    • Access resources such as monitoring cameras, access cards, parking vehicles, employees and visitors, etc.
    • Modify data and service/network configuration such as employees, access card security information, IP addresses and settings, etc.
    • Disrupt and disconnect services such as monitoring cameras and access control.
    • Clone and duplicate access control data for further attack scenarios.
    • Perform the CVE-2024-56902 attack to retrieve cleartext passwords that may be reused on other digital assets of the organization.

CVE-2024-56898 PoC [Testing GeoVision v6.1.0.0]

Operators:

Listing accounts before the attack starts

In the list of operators there are the Administrator account and the Guest account, both enabled by default [Username: Guest; Password: <blank>]; no low-privilege users have been added yet.

Creating a new account with the Guest account:

The Guest account is only permitted to change its own password and theme

As the screenshot above shows, the Guest account has no privilege to manage accounts or anything else in ASWeb; it can only change its own password, switch the theme, and log out.

Adding a new low-privilege account "JustUser" with the unauthorized Guest account

Despite the response indicating failure, the JustUser account is still created by the Guest account, as visible in the screenshot below.

Administrator's view: JustUser has been added by the unauthorized Guest account

From the Administrator's view we see that the JustUser account has been created by the unauthorized Guest account. As visible, the JustUser account still has no write or execute privileges, but its privileges can be escalated to Administrator, as shown in the next screenshot.

Escalating the privileges of the JustUser account to Administrator using the Guest account:

Escalating JustUser's privileges with the unauthorized Guest account

In the screenshot below, we escalated JustUser's privileges from low-privilege user to Administrator using the Guest account. The escalation was done by manipulating the level value from 1 [Users] to 2 [Supervisor/Administrator].

The JustUser account has been granted administrative permission

From the Administrator's view we see that the JustUser account's privileges have been escalated by the unauthorized Guest account. The administrator is now no longer able to modify the privileges of the JustUser account.

Note: Here we demonstrated the steps of creating the account and escalating its privileges separately, although it is possible to do both in a single request.
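The defect class the PoC demonstrates, modelled as an added example (not GeoVision's code): a constructed in-memory account store using the write-up's privilege levels (1 = Users, 2 = Supervisor/Administrator), with a handler that writes before it authorizes, so the caller receives a failure response while the account is nevertheless created or elevated, beside a handler that authorizes first and never grants a level above the caller's own. Guest's numeric level and all function names are assumptions.

```python
from dataclasses import dataclass, field

LEVEL_USER = 1    # "Users" in the write-up
LEVEL_ADMIN = 2   # "Supervisor/Administrator" in the write-up


@dataclass
class Account:
    name: str
    level: int
    enabled: bool = True


@dataclass
class AccountStore:
    accounts: dict = field(default_factory=dict)


def seed() -> AccountStore:
    """Default state described in the write-up: Administrator plus an
    enabled Guest. Guest's numeric level is not stated on the page; it is
    modelled here as an ordinary level-1 user (assumption)."""
    store = AccountStore()
    store.accounts["Administrator"] = Account("Administrator", LEVEL_ADMIN)
    store.accounts["Guest"] = Account("Guest", LEVEL_USER)
    return store


def vulnerable_set_account(store: AccountStore, caller: str,
                           name: str, level: int) -> bool:
    """Defective ordering: the record is written first, and only then is
    the caller's privilege consulted to build the response. A Guest caller
    therefore receives False while the change has already persisted."""
    store.accounts[name] = Account(name, level)            # side effect
    return store.accounts[caller].level >= LEVEL_ADMIN     # "failure"


def hardened_set_account(store: AccountStore, caller: str,
                         name: str, level: int) -> bool:
    """Authorize before any mutation, deny by default, and never let a
    caller assign a level above its own."""
    actor = store.accounts.get(caller)
    if actor is None or not actor.enabled or actor.level < LEVEL_ADMIN:
        return False              # Guest and other level-1 users stop here
    if level > actor.level:
        return False              # no granting above the caller's own level
    store.accounts[name] = Account(name, level)
    return True
```

The same two calls (create at level 1, then raise to level 2) that the screenshots walk through succeed silently against the first handler and are refused before any write by the second.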

Full access to the web application.

As the JustUser account now has Administrator privilege, the attacker has full access to AS Manager (including ASWeb, TAWeb, VMWeb, and the ASManager software in the OS).

JustUser is an administrator in ASWeb

JustUser is an administrator in TAWeb

JustUser is an administrator in VMWeb

JustUser is an administrator in ASManager software in OS

  • ASWeb - Access & Security Management
  • TAWeb - Time and Attendance Management
  • VMWeb - Visitor Management
  • ASManager - Access & Security Management software in the OS

Finally, we can remove the legitimate Administrator account:

Removing the legitimate administrator account

The legitimate administrator account has been deleted

The vendor, GeoVision, has been informed and has already released a fixed version, 6.1.2.0 (as of January 2025).

INFO: While version 6.1.1.0 also fixes the vulnerability described above, it is still vulnerable to another attack, Cross-Site Request Forgery [Described here: LINK].

Download the latest version from here

Contact

If you have a question, you can contact me, Giorgi Dograshvili, on LinkedIn.
