Strik3r Blog
CVE-2023-34671


Description

Improper access control leads to privilege escalation

Discoverer: Eslam Kamal (Strik3r)

Vendor of Product: Elenos

Affected Product: ETG150 FM transmitter - 3.12

Introduction

Access control (or authorization) is the application of constraints on who (or what) can perform attempted actions or access resources that they have requested. Broken access controls are a commonly encountered and often critical security vulnerability. Design and management of access controls is a complex and dynamic problem that applies business, organizational, and legal constraints to technical implementation. Access control design decisions have to be made by humans, not technology, and the potential for errors is high.

Details:

I was able to find an Improper Access Control vulnerability (IDOR) that allowed me to gain higher privileges and perform actions I was not authorized to do. The Elenos user profile section contained this vulnerability. If you log in as any low-privilege user, the only settings a regular user will see when they click the settings button are as follows:

When you click the user profile button, you'll see that the user role is faded and cannot be changed:

Now fill out the form: enter any password and save it. Then intercept this request with a proxy tool such as Burp Suite, and you'll notice that the "user role" parameter is missing.

If we add the parameter user[role]=admin to the request body as shown below:

You should see an error message saying "Access Denied", but our request with the "admin" value has already reached the back-end system, and we can log in with the same user again. After logging in, you can see that the user now has admin privileges and can see and edit many configurations that they are not supposed to have access to.
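The behaviour described above (an "Access Denied" response whose request has nonetheless been persisted) is the classic save-then-authorize ordering bug combined with a mass-assignment style form handler that copies every submitted user[...] field onto the account record. The following is an added illustration, not the Elenos firmware's code: a constructed in-memory user table, a hypothetical vulnerable profile handler that reproduces that ordering, and a hardened handler that allow-lists the fields a caller may set and refuses the request before anything is written.

```python
from dataclasses import dataclass
from typing import Dict, Set
from urllib.parse import parse_qs


class AccessDenied(Exception):
    """Raised when a caller tries to set a field it is not allowed to set."""


@dataclass
class User:
    username: str
    role: str          # "user" or "admin"
    password: str


# Fields a user may change on their own profile (hypothetical allow-list).
SELF_SERVICE_FIELDS: Set[str] = {"password"}
# Fields only an administrator may change.
ADMIN_ONLY_FIELDS: Set[str] = {"role"}


def make_store() -> Dict[str, User]:
    """Constructed in-memory user table standing in for the device backend."""
    return {
        "operator": User("operator", "user", "initial-pw"),
        "root": User("root", "admin", "secret"),
    }


def parse_profile_form(body: str) -> Dict[str, str]:
    """Turn 'user[password]=x&user[role]=admin' into {'password': 'x', 'role': 'admin'}."""
    fields: Dict[str, str] = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if key.startswith("user[") and key.endswith("]"):
            fields[key[len("user["):-1]] = values[-1]
    return fields


def update_profile_vulnerable(store: Dict[str, User], actor: str, body: str) -> None:
    """Save-then-authorize: every submitted field is copied onto the record
    first, so the role change persists even though the caller is told
    'Access Denied' afterwards. This reproduces the bug pattern, not vendor code."""
    user = store[actor]
    actor_was_admin = user.role == "admin"   # must be read before the write
    fields = parse_profile_form(body)
    for name, value in fields.items():
        setattr(user, name, value)           # writes 'role' along with 'password'
    if not actor_was_admin and ADMIN_ONLY_FIELDS & fields.keys():
        raise AccessDenied("Access Denied")  # too late: the record is already updated


def update_profile_hardened(store: Dict[str, User], actor: str, body: str) -> None:
    """Authorize-then-save: decide which fields this caller may set, reject the
    whole request on any unknown or forbidden field, and only then write."""
    user = store[actor]
    fields = parse_profile_form(body)
    allowed = SELF_SERVICE_FIELDS | (ADMIN_ONLY_FIELDS if user.role == "admin" else set())
    rejected = set(fields) - allowed
    if rejected:
        raise AccessDenied(f"Access Denied: cannot set {sorted(rejected)}")
    for name, value in fields.items():
        setattr(user, name, value)


def role_after(handler, actor: str, body: str) -> str:
    """Run one handler against a fresh store and report the actor's resulting role."""
    store = make_store()
    try:
        handler(store, actor, body)
    except AccessDenied:
        pass
    return store[actor].role


if __name__ == "__main__":
    body = "user[password]=new-pw&user[role]=admin"
    print("vulnerable:", role_after(update_profile_vulnerable, "operator", body))  # admin
    print("hardened:  ", role_after(update_profile_hardened, "operator", body))    # user
```

The fix has two parts, and both matter: the allow-list is computed from the caller's current privilege so a regular user simply has no way to name the role field, and the check runs before any attribute is assigned so a rejected request leaves the record untouched. Greying out the role control in the browser, as the device does, is a usability hint and provides no enforcement on its own.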