Improper Privilege Management API V2 in polonel/trudesk

Valid

Reported on

May 12th 2022


Description

Some API v2 endpoints do not check permissions, which allows any authenticated attacker to retrieve or edit information on tickets, accounts, groups, departments, teams, and ElasticSearch.

Proof of Concept

Get users list

1. Login.
2. Go to `/api/v2/accounts?type=all`.
3. The user list is returned.


Create user with admin role

1. Get the admin role id from `/api/v2/accounts`.
2. Send a POST request to `/api/v2/accounts` with the following body:

```json
{"username":"test21233","fullname":"test21233","title":"test2","email":"test2@test31232.cv","teams":["627ce1fd9f59377095600ce9"],"role":"627ce1fd9f59377095600ce1","password":"test2test2","passwordConfirm":"test2test2"}
```

3. The account is created successfully.

Note

Many API endpoints are vulnerable; I only show one example of the attack vectors that are possible.

Impact

The attacker takes full control of the website.

Occurrences

Routes without the `isAdmin` check are vulnerable.
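The root cause described above is that a route only checks that the caller is logged in, not that the caller holds the admin role. The following added example (not trudesk's own code) models that with a minimal Express-style middleware chain: an account-creation handler guarded only by an authentication check next to the same handler guarded by an additional role check. The sessions, tokens and role id are constructed placeholders.

```javascript
// Added illustration, not trudesk's own code: a minimal Express-style
// middleware chain showing why "authenticated" is not "authorized".
// Sessions, tokens and the role id below are constructed placeholders.
const sessions = {
  'admin-token': { username: 'admin', role: 'admin' },
  'user-token': { username: 'alice', role: 'user' },
};

// Resolves the session from the request token; 401 when missing/unknown.
function isAuthenticated(req, res, next) {
  const user = sessions[req.headers.token];
  if (!user) { res.status = 401; res.body = { error: 'Invalid token' }; return; }
  req.user = user;
  next();
}

// The missing authorization check: only an admin session may continue.
function isAdmin(req, res, next) {
  if (req.user.role !== 'admin') { res.status = 403; res.body = { error: 'Forbidden' }; return; }
  next();
}

// Handler that creates an account with whatever role id the body supplies.
function createAccount(req, res) {
  res.status = 200;
  res.body = { created: req.body.username, role: req.body.role };
}

// Runs a handler chain the way Express does: each middleware calls next()
// to continue, or writes a response and returns to stop the chain.
function run(chain, req) {
  const res = { status: 200, body: null };
  let i = 0;
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
  next();
  return res;
}

// "Route without isAdmin": any logged-in user can create an admin account.
const vulnerableRoute = [isAuthenticated, createAccount];
// Fixed route: the session must exist AND carry the admin role.
const fixedRoute = [isAuthenticated, isAdmin, createAccount];

function attempt(chain, token, body) {
  return run(chain, { headers: { token }, body });
}

const payload = { username: 'test21233', role: 'ADMIN_ROLE_ID_PLACEHOLDER' };
// A plain user gets 200 on the unguarded route but 403 on the fixed one.
console.log(attempt(vulnerableRoute, 'user-token', payload).status,
            attempt(fixedRoute, 'user-token', payload).status);
```

The same pattern applies to every route on the "Routes without isAdmin" list: the fix is an explicit role check after authentication, not a change to the handler itself.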

We are processing your report and will contact the polonel/trudesk team within 24 hours. a month ago
tienpa99 modified the report
a month ago
We have contacted a member of the polonel/trudesk team and are waiting to hear back a month ago
polonel/trudesk maintainer has acknowledged this report a month ago
tienpa99
a month ago

Researcher


Hi, I see you have read the report. Is it hard to understand, or is the PoC not working?

Chris Brame
a month ago

Maintainer


Can you confirm if this was performed with an admin logged in? As in you were logged in as an admin when you returned the user list and sent the post request.

I understand changing the role id of the post created an admin, but if you were logged in as an admin this is by design.

The token/apikey sent during the post was of which user/role?

tienpa99
a month ago

Researcher


I apologize for the complicated description. Some API v2 endpoints don't check permissions. So any authenticated user can use them (with the user role or just login permission).
Chained with my other report, an attacker can get inside the dashboard and take full control of the website.

https://huntr.dev/bounties/64abc487-cab4-4fe3-bb43-db1ffdea3468/

Video POC

https://drive.google.com/file/d/1dkfkZ3JEhCGa2aD14i2ubn-h0wqeRwdJ/view?usp=sharing
Chris Brame assigned a CVE to this report a month ago
Chris Brame validated this vulnerability a month ago
tienpa99 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chris Brame
a month ago

Maintainer


This is valid and I have identified the issue. Please allow me some time before a fix is finished, as I want to double-check nothing else breaks as I implement these changes.

Chris Brame confirmed that a fix has been merged on 889876 a month ago
Chris Brame has been awarded the fix bounty
routes.js#L15-L74 has been validated
tienpa99
a month ago

Researcher


Confirm the bug has been fixed.

tienpa99
a month ago

Researcher


Hi @admin, can you publish this cve?

Jamie Slome
a month ago

Admin


It will publish automatically 👍
