Unprivileged User with Read/Write permission to `User Access` can escalate their role to ADMIN — Privilege Escalation

Hello, I wanted to share with you the “Privilege Escalation” vulnerability that I found in a private program on HackerOne.

  • Summary:

A team member whose role grants only read/write permission on user membership can make themselves an admin.

  • Description:

While browsing the panel features, I discovered that there is a team-building feature. Like everyone else, my first thought was to make a user with limited privileges an admin. To try this out, I first created a role that only allowed read/write access to user data. I then invited my second e-mail address to my team with this role.

After logging into the system with my second account, all I could edit was my own role and name. When I inspected the role edit request, I saw a parameter named `roleId` in the body of the POST request. Its value was in UUID format.

(Screenshot: the role edit request)

Apart from the admin role, I was allowed to switch from my own role to lower roles. Because every other role had been custom-created, each had its own UUID, but the built-in admin role had no UUID. I assume it had no UUID value because it already existed when the account was created.

Once I realized that the admin role had no UUID value, I tried sending the request with `ADMIN` typed into the `roleId` parameter.

(Screenshot: the request with `roleId` changed to `ADMIN`)

I forwarded the request, and when I refreshed the page I was now an admin: I could access all of the panel content and could even delete other admin accounts.
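The root cause described above is an authorization check that confirms the caller may edit user access, but never confirms that the caller may hand out the particular role named in `roleId`. The following is an added illustration, not code from the program in the report: a small in-memory role service (roles, permission strings, the `users:write` permission name and the built-in `ADMIN` identifier are all assumptions) with the permissive handler beside a hardened one that only lets a non-admin assign roles whose permissions are a subset of their own.

```python
import uuid
from dataclasses import dataclass


ADMIN = "ADMIN"  # built-in role identifier; custom roles get UUIDs (assumption)


@dataclass
class Role:
    role_id: str
    name: str
    permissions: frozenset  # "*" stands for every permission


@dataclass
class User:
    user_id: str
    role_id: str


class AuthorizationError(Exception):
    """Raised when the acting user may not perform the requested change."""


class RoleService:
    """Constructed stand-in for the panel's team/role backend."""

    def __init__(self):
        self.roles = {ADMIN: Role(ADMIN, "Administrator", frozenset({"*"}))}
        self.users = {}

    def create_custom_role(self, name, permissions):
        role = Role(str(uuid.uuid4()), name, frozenset(permissions))
        self.roles[role.role_id] = role
        return role

    def add_user(self, user_id, role_id):
        self.users[user_id] = User(user_id, role_id)

    def has_permission(self, user, permission):
        perms = self.roles[user.role_id].permissions
        return "*" in perms or permission in perms

    def update_role_vulnerable(self, actor_id, target_id, role_id):
        actor = self.users[actor_id]
        if not self.has_permission(actor, "users:write"):
            raise AuthorizationError("users:write required")
        if role_id not in self.roles:
            raise ValueError("unknown role")
        # BUG: the handler checks that the actor may edit users, but not that the
        # actor may grant this specific role, so the built-in ADMIN id is accepted.
        self.users[target_id].role_id = role_id

    def update_role_hardened(self, actor_id, target_id, role_id):
        actor = self.users[actor_id]
        if not self.has_permission(actor, "users:write"):
            raise AuthorizationError("users:write required")
        new_role = self.roles.get(role_id)
        if new_role is None:
            raise ValueError("unknown role")
        actor_perms = self.roles[actor.role_id].permissions
        if "*" in actor_perms:
            self.users[target_id].role_id = role_id  # admins may assign any role
            return
        # Non-admins may only grant permissions they already hold. "*" is never
        # held by a custom role, so ADMIN and any broader custom role are refused.
        if not new_role.permissions <= actor_perms:
            raise AuthorizationError("cannot grant permissions you do not hold")
        self.users[target_id].role_id = role_id


def demo():
    """Replay the report's scenario against both handlers and return the outcomes."""
    svc = RoleService()
    members_rw = svc.create_custom_role("Members RW", {"users:read", "users:write"})
    viewer = svc.create_custom_role("Viewer", {"users:read"})
    svc.add_user("owner", ADMIN)
    svc.add_user("second", members_rw.role_id)

    svc.update_role_vulnerable("second", "second", ADMIN)
    escalated = svc.users["second"].role_id == ADMIN

    svc.users["second"].role_id = members_rw.role_id  # reset to the limited role
    try:
        svc.update_role_hardened("second", "second", ADMIN)
        blocked = False
    except AuthorizationError:
        blocked = True

    svc.update_role_hardened("second", "second", viewer.role_id)  # lower role: allowed
    downgraded = svc.users["second"].role_id == viewer.role_id
    return {"vulnerable_escalated": escalated,
            "hardened_blocked": blocked,
            "downgrade_allowed": downgraded}


if __name__ == "__main__":
    print(demo())
```

The subset rule is what makes the hardened handler safe by construction: a caller can never end up with more permissions than they started with, whichever identifier they type into `roleId`, and built-in roles need no special-casing because their permission set is never a subset of a custom role's.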

Thanks for reading my first Medium post, happy hunting!

Twitter: @ertugrulphp