Logic Bug: Easy Privilege Escalation

Saeid Khater
May 24, 2024


Overview of the Vulnerability:

A vulnerability was found in the [CompanyName] system that allows a Contributor to perform the “Sync to accounting software” action, even though the system’s official documentation states that this function is not available to that role. The “Sync and import” entry is merely hidden from the Contributor’s settings page; the page behind it, and the action that links the organization to an external accounting provider, remain reachable by navigating to the URL directly. The vulnerability was discovered during an analysis of the permissions and functions that the documentation assigns to each role in the system.

I searched for an extensive guide to the permissions of each type of user on the site, then tried to perform every action that a given role is not supposed to have, either through request manipulation or simply through the application’s own logic.

References:
1. [CompanyName] Roles & Permissions:
https://[*].[Redacted].com/hc/en-us/articles/Redacted-Redacted-Roles-Permissions

2. The different user roles in [CompanyName]:
https://[Redacted].zendesk.com/hc/en-us/articles/[Redacted]-The-different-user-roles-in-[Redacted]

3. From roles

More than 6 months ago, in the same program, I submitted more than 18 vulnerabilities, but unfortunately 9 of them were duplicates and only 2 were accepted.
That is when I started to change the way I look for security vulnerabilities.


Steps:

As Owner:

  1. Log in to your account and go to the organization settings to add collaborators, for example for organization “X”: https://[*].[Redacted].com/[Redacted]/settings/collaborators
  2. Send an invite to a second user with the Contributor role.

As Contributor:

  1. Check your mailbox and accept the invitation to become a Contributor at “X”.
  2. Go to your settings: https://[*].[Redacted].com/[Redacted]/settings/
  3. Note that the permissions listed for you do not include “Sync and import”.
  4. To exercise that permission anyway, browse directly to https://[*].[Redacted].com/[Redacted]/settings/accounting-software
  5. Create an account at Xero, return to https://[*].[Redacted].com/[Redacted]/settings/accounting-software
     and connect it.
  6. The sync completes.
     If the Owner now opens “Sync and import”, they will see that someone has linked the organization to Xero.
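The steps above describe a classic UI-only access control: the menu entry is hidden from Contributors, but the route behind it does not re-check the role. The following is an added example, not code from [CompanyName] or from the author; it models the bug and its fix in plain Python, with a constructed permission matrix and an audit helper that reproduces the post’s methodology (for each role, try every action the documentation says that role lacks, and report whichever ones succeed). Role names, permission names and the handler names are assumptions made for the illustration.

```python
"""Added example (not the vendor's code): modelling the logic bug described above.

The settings UI hides the "Sync and import" entry from Contributors, but the
handler behind /settings/accounting-software only checks that the caller is
logged in. The hardened handler re-checks the documented permission matrix on
the server. Role names, permission names and the audit helper are assumptions
made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed permission matrix, mirroring the post's claim that Contributors
# lack "Sync and import". Not the vendor's real matrix.
PERMISSIONS: Dict[str, set] = {
    "owner": {"manage_collaborators", "sync_and_import", "view_reports"},
    "admin": {"manage_collaborators", "sync_and_import", "view_reports"},
    "contributor": {"view_reports"},
}


@dataclass
class User:
    name: str
    role: str


@dataclass
class Organization:
    name: str
    accounting_link: Optional[str] = None      # provider name once connected
    audit_log: List[Tuple[str, str, str]] = field(default_factory=list)


class Forbidden(Exception):
    """Raised when an action is denied."""


def nav_items(user: User) -> List[str]:
    """UI-layer filtering: which settings pages this role sees links to.
    Hiding a link is not an access control; it only shapes the menu."""
    items = ["profile"]
    if "manage_collaborators" in PERMISSIONS[user.role]:
        items.append("collaborators")
    if "sync_and_import" in PERMISSIONS[user.role]:
        items.append("accounting-software")
    return items


def connect_accounting_vulnerable(org: Organization, user: Optional[User],
                                  provider: str) -> str:
    """Vulnerable handler: assumes only users who saw the link will call it,
    so it checks authentication but never the role's permissions."""
    if user is None:
        raise Forbidden("login required")
    org.accounting_link = provider
    org.audit_log.append((user.name, "connected", provider))
    return org.accounting_link


def require_permission(perm: str) -> Callable:
    """Decorator enforcing the permission matrix server-side, independent of
    what the UI chose to display."""
    def decorator(fn: Callable) -> Callable:
        def wrapper(org: Organization, user: Optional[User], *args, **kwargs):
            granted = PERMISSIONS.get(user.role, set()) if user else set()
            if perm not in granted:
                who = user.role if user else "anonymous"
                raise Forbidden(f"{who} lacks permission '{perm}'")
            return fn(org, user, *args, **kwargs)
        return wrapper
    return decorator


@require_permission("sync_and_import")
def connect_accounting_fixed(org: Organization, user: User, provider: str) -> str:
    """Hardened handler: same behaviour, but the permission check runs first."""
    org.accounting_link = provider
    org.audit_log.append((user.name, "connected", provider))
    return org.accounting_link


def audit_matrix(handlers: Dict[str, Callable]) -> List[Tuple[str, str]]:
    """Reproduce the post's method: for every role, invoke every action the
    documented matrix says the role should NOT have, and report any that
    succeed. Each (role, permission) pair returned is a logic bug."""
    findings = []
    for role in PERMISSIONS:
        for perm, handler in handlers.items():
            if perm in PERMISSIONS[role]:
                continue                      # documented as allowed; skip
            org = Organization("X")           # fresh organization per probe
            try:
                handler(org, User("tester", role), "xero")
            except Forbidden:
                continue                      # correctly denied
            findings.append((role, perm))
    return findings


if __name__ == "__main__":
    contributor = User("contrib", "contributor")
    print("contributor nav:", nav_items(contributor))
    print("vulnerable:", audit_matrix({"sync_and_import": connect_accounting_vulnerable}))
    print("fixed:", audit_matrix({"sync_and_import": connect_accounting_fixed}))
```

Running the script lists the Contributor’s visible menu (no “accounting-software” link), reports the (contributor, sync_and_import) finding against the vulnerable handler, and reports nothing against the hardened one. The point of the audit helper is that the documented permission matrix is itself the test oracle: any action that succeeds for a role the documentation excludes is a finding, regardless of what the UI shows.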

Impact:
This vulnerability undermines the role separation the system documents: a Contributor can perform “Sync to accounting software”, an action reserved for higher roles. Because that action links the organization to an external accounting provider, it can expose the organization’s financial data to, and place it under the control of, a user who was never granted that power.


I discovered this vulnerability one day and prepared the report the next day; when I submitted it, I was shocked to find that someone else had reported it only an hour and a half before I submitted mine.

Here there is an important lesson to be learned: “Do not postpone today’s work until tomorrow”

Written by Saeid Khater

Web Developer | Penetration tester | Bug hunter