Mass Assignment in Self Controller Leads To Vertical Privillege Escalation in budibase/budibase

Valid

Reported on

Sep 10th 2022


Description

Hello there, y'all! How are you doing? Hope you are doing great!

I was testing Budibase and noticed that the api endpoint /api/global/self, which is used for different purposes (updating an user's name or their password), always receives an entire object containing most of the attributes of a user, including this user's roles. So by reading the code, I noticed that this "self update" process had a mass assignment, in which the only thing we cannot change is our own ID, but we can change our access level and become the admin of any tenant we belong to.

In other words, whenever an admin invites people to be app users, there's a risk that one of these app users change their role to admin and then make the original admin a simple app user, being now capable of doing anything they would want to, including destroy all of a tenant apps or change their content to something else.

Steps to Reproduce

1 => Create a user that will be the admin of a tenant, and then invite a second email to be an app user;

2 => Now, as the invited user (possible attacker), login and click on Update user information. This modal is supposed to change only a user's name, but if you use a proxy tool such as Burpsuite or OWASP Zap, you can intercept the request that's being sent;

3 => With the request being intercepted, change the attributes builder, admin and accountPortalAccess that are in the JSON object, to something like this:

{
...
    "builder": {
        "global":true
    },
    "admin": {
        "global":true
    },
...
    "accountPortalAccess":true,
...
}

4 => Boom! Now, if you log out and in, you will see the same dashboard that only editors and admins can see, and you can even go to the users page and change the role of the original admin to a lower one;

Impact

Whenever an admin invites people to be in their tenant, there's a risk that one of these app users change their own role to admin and then make the original admin a simple app user, being now capable of doing anything they would want to, including destroy all of a tenant apps or change their content to something else.

Occurrences

It's clear here that it picks up the entire request body and use it to update the user!

We are processing your report and will contact the budibase team within 24 hours. 21 days ago
Breno Vitório modified the report
21 days ago
We have contacted a member of the budibase team and are waiting to hear back 20 days ago
We have sent a follow up to the budibase team. We will try again in 7 days. 17 days ago
budibase/budibase maintainer gave praise 17 days ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
budibase/budibase maintainer validated this vulnerability 16 days ago
Breno Vitório has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
budibase/budibase maintainer confirmed that a fix has been merged on d35864 15 days ago
The fix bounty has been dropped
self.js#L138 has been validated
to join this conversation