Logic Bug: Easy Privilege Escalation
Overview of the Vulnerability:
A vulnerability was found in the [CompanyName] system that allows an Accountant to perform the “Add and delete team members (collaborators)” action, even though the system’s official documentation states that this function is not available to that role. The vulnerability was discovered during an analysis of the permissions and functions available to each role in the system: the documented permission matrix was compared with what the application actually enforces.
I searched for an extensive guide to the permissions of each type of user on the site and began to try everything that is not allowed, through manipulation or even logic.
Ref:
1. [CompanyName] Roles & Permissions:
https://[*].[Redacted].com/hc/en-us/articles/Redacted-Redacted-Roles-Permissions
2. The different user roles in [CompanyName]:
https://[Redacted].zendesk.com/hc/en-us/articles/[Redacted]-The-different-user-roles-in-[Redacted]
3. From roles
More than 6 months ago, in the same program, I submitted more than 18 vulnerabilities, but unfortunately 9 of them were duplicates and 2 were accepted.
But I started to change the way I looked for security vulnerabilities.
Steps:
As Owner:
- Log in to your account and go to Settings to add collaborators to an organization, for example “X”: https://[*].[Redacted].com/[Redacted]/settings/collaborators
- Send an invitation to a user as Accountant.
- Send an invitation to a second user as Contributor.
- Leave the Contributor invitation unaccepted so that it stays in the pending state.
As Accountant:
- Check your mailbox and accept the invitation to become an Accountant at “X”.
- Go to your settings: https://[*].[Redacted].com/[Redacted]/settings/collaborators
- You will see a user with a pending invitation, the “Contributor”.
- Remove the pending “Contributor”.
- The removal succeeds, even though the documentation states that an Accountant cannot add or delete collaborators.
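To show the class of bug behind these steps, here is an added Python illustration. It is not [CompanyName]'s code and makes no claim about how their backend is written: it models a hypothetical collaborator-removal handler whose only check is organization membership, beside a hardened version that also checks the caller's role, with a helper that replays the steps above and a small role matrix a tester can run against each handler. The role names come from this write-up; the permission assignment (only Owner may manage collaborators) and all e-mail addresses are assumptions.

```python
# Added illustration, not [CompanyName]'s code. Models the missing
# role check behind "an Accountant can remove a pending collaborator".
from dataclasses import dataclass, field

# Assumption: only Owner holds "Add and delete team members (collaborators)".
MANAGE_COLLABORATORS = {"Owner"}


@dataclass
class Collaborator:
    email: str
    role: str
    pending: bool = False  # invitation sent but not yet accepted


@dataclass
class Organization:
    name: str
    members: dict = field(default_factory=dict)  # email -> Collaborator


class Forbidden(Exception):
    pass


def _require_member(org, actor_email):
    actor = org.members.get(actor_email)
    if actor is None or actor.pending:
        raise Forbidden("not a member of this organization")
    return actor


def remove_collaborator_vulnerable(org, actor_email, target_email):
    """Hypothetical vulnerable handler: any accepted member of the org
    may delete any collaborator record, including pending invitations."""
    _require_member(org, actor_email)
    del org.members[target_email]
    return True


def remove_collaborator_fixed(org, actor_email, target_email):
    """Hardened handler: the caller's role must carry the manage permission.
    Pending invitations are protected exactly like accepted members."""
    actor = _require_member(org, actor_email)
    if actor.role not in MANAGE_COLLABORATORS:
        raise Forbidden(f"role {actor.role!r} may not manage collaborators")
    if target_email not in org.members:
        raise KeyError(target_email)
    del org.members[target_email]
    return True


def reproduce(handler):
    """Replays the write-up's steps (constructed data) against a handler and
    returns True if the Accountant managed to remove the pending Contributor."""
    org = Organization("X")
    org.members["owner@example.com"] = Collaborator("owner@example.com", "Owner")
    # Owner sends two invitations; only the Accountant accepts.
    org.members["acct@example.com"] = Collaborator("acct@example.com", "Accountant", pending=True)
    org.members["contrib@example.com"] = Collaborator("contrib@example.com", "Contributor", pending=True)
    org.members["acct@example.com"].pending = False
    try:
        handler(org, "acct@example.com", "contrib@example.com")
    except Forbidden:
        return False
    return "contrib@example.com" not in org.members


def role_matrix(handler, roles=("Owner", "Accountant", "Contributor")):
    """For each role, can that role remove a pending invitation via handler?
    Compare the result with the documented permission matrix."""
    result = {}
    for role in roles:
        org = Organization("X")
        org.members["actor@example.com"] = Collaborator("actor@example.com", role)
        org.members["pending@example.com"] = Collaborator("pending@example.com", "Contributor", pending=True)
        try:
            handler(org, "actor@example.com", "pending@example.com")
            result[role] = True
        except Forbidden:
            result[role] = False
    return result


if __name__ == "__main__":
    print("vulnerable:", role_matrix(remove_collaborator_vulnerable))
    print("fixed:     ", role_matrix(remove_collaborator_fixed))
```

The `role_matrix` helper is the check worth automating during this kind of review: enumerate every role against every privileged action and diff the outcome against the documented matrix, rather than testing only the role you happen to be logged in as.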
Impact:
This vulnerability threatens the data security of the organization and the privileges of the higher roles in the system. A user who does not have sufficient permissions can “Add and delete team members (collaborators)”, which can lead to leakage and manipulation of employee data and to unauthorized control over the organization’s membership, and is a flagrant violation of the documented permissions policy.