CVE-2023-34671

Description

Improper access control leads to privilege escalation

Discoverer: Eslam Kamal (Strik3r)

Vendor of Product: Elenos

Affected Product: ETG150 FM transmitter - 3.12

Introduction

Access control (or authorization) is the application of constraints on who (or what) can perform attempted actions or access resources that they have requested. Broken access controls are a commonly encountered and often critical security vulnerability. Design and management of access controls is a complex and dynamic problem that applies business, organizational, and legal constraints to technical implementation. Access control design decisions have to be made by humans, not technology, and the potential for errors is high.

Details:

I found an Improper Access Control vulnerability (reported as IDOR; in practice the server mass-assigns a client-supplied role field) in the Elenos user profile section that allows a low-privilege user to gain admin privileges and perform actions they are not authorized to perform. If you log in as any low-privilege user, the only settings a regular user sees after clicking the settings button are the following:

When you click the user profile button, the user role field is greyed out and cannot be changed from the UI:

Now fill out the form: enter any password and save it. Intercept this request with a proxy such as Burp Suite and you will notice that the "user role" parameter is absent from the request body.

Add the parameter user[role]=admin to the request body and forward the request:

The server responds with an Access Denied error, but the request carrying the admin value has already been processed by the back end: log out and log in again as the same user, and the account now has admin privileges and can view and edit a lot of configuration it should not be able to access. The authorization check is evidently applied only after the role value has been persisted, and the greyed-out role field is enforced only in the UI.
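The following is an added example, not Elenos code or the discoverer's proof of concept: the ETG150's real endpoint, storage and field names are not on this page, so the `user[role]`/`user[password]` form keys, the in-memory user store and the handler names are assumptions. It models the two server-side mistakes the steps above expose (writing every submitted field, and running the privilege check only after the write) next to a hardened handler that allow-lists fields and refuses the whole request before anything touches storage.

```python
from urllib.parse import parse_qs

VALID_ROLES = ("user", "admin")
SELF_EDITABLE = {"password"}   # fields a non-admin may change on their own account (assumed)


def fresh_users():
    """Constructed user store standing in for the transmitter's user database."""
    return {
        "operator": {"password": "old-pass", "role": "user"},
        "root": {"password": "s3cret", "role": "admin"},
    }


def parse_user_form(body):
    """Turn 'user[role]=admin&user[password]=x' into {'role': 'admin', 'password': 'x'}.
    parse_qs does not interpret the brackets, so the nested name is split by hand."""
    fields = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if key.startswith("user[") and key.endswith("]"):
            fields[key[len("user["):-1]] = values[-1]
    return fields


def update_profile_vulnerable(users, session, body):
    """Vulnerable pattern (assumed shape of the bug described in the writeup):
    every submitted user[...] field is written to the account first; the
    privilege check runs afterwards and only decides which message to return.
    'Access Denied' is shown, but the escalated role is already saved."""
    fields = parse_user_form(body)
    users[session["user"]].update(fields)        # mass assignment, no allow-list
    if "role" in fields and session["role"] != "admin":
        return 403, "Access Denied"              # too late: the write has happened
    return 200, "Saved"


def update_profile_fixed(users, session, body):
    """Hardened pattern: decide before writing, and copy only allow-listed
    fields. A non-admin who submits anything outside SELF_EDITABLE is refused
    as a whole, so nothing from a tampered request reaches storage."""
    fields = parse_user_form(body)
    allowed = set(SELF_EDITABLE)
    if session["role"] == "admin":               # privilege comes from the session, not the form
        allowed.add("role")
    if set(fields) - allowed:
        return 403, "Access Denied"
    if "role" in fields and fields["role"] not in VALID_ROLES:
        return 400, "Bad role"
    for name in fields:                          # only allow-listed names remain here
        users[session["user"]][name] = fields[name]
    return 200, "Saved"


# Constructed request body: the normal password-change form with user[role]=admin
# appended, which is the tampering the writeup describes.
TAMPERED_BODY = "user[password]=new-pass&user[role]=admin"


def run(handler):
    """Replay the tampered request as the low-privilege 'operator' session and
    return (status, message, stored role, stored password) after the call."""
    users = fresh_users()
    session = {"user": "operator", "role": users["operator"]["role"]}  # role fixed at login
    status, msg = handler(users, session, TAMPERED_BODY)
    return status, msg, users["operator"]["role"], users["operator"]["password"]


if __name__ == "__main__":
    print("vulnerable:", run(update_profile_vulnerable))  # (403, 'Access Denied', 'admin', 'new-pass')
    print("fixed:     ", run(update_profile_fixed))       # (403, 'Access Denied', 'user', 'old-pass')
```

Both handlers return the same Access Denied message for the tampered request, which is why the error alone told the discoverer nothing; the difference is only visible in what the store holds afterwards, and that is exactly what re-logging in revealed. The fix has two parts that must both be present: the allow-list keeps a hidden or greyed-out field from being settable at all, and the check-before-write ordering keeps a rejected request from leaving side effects.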
