CVE-2023-34672

Description

Improper access control leads to privilege escalation and creating high-privilege users

Discoverer: Eslam Kamal (Strik3r)

Vendor of Product: Elenos

Affected Product: ETG150 FM transmitter - 3.12

Introduction

Access control (or authorization) is the application of constraints on who (or what) can perform attempted actions or access resources that they have requested. Broken access controls are a commonly encountered and often critical security vulnerability. Design and management of access controls is a complex and dynamic problem that applies business, organizational, and legal constraints to technical implementation. Access control design decisions have to be made by humans, not technology, and the potential for errors is high.

Details

During our web application analysis, we were analyzing the admin functionalities, restrictions, and boundaries in order to map the attack vectors that malicious attackers can do and execute on the IoT device. We noticed that the admin user can add and edit other users, but when it comes to privileges, it can only add two privileges:

• user

• manager

You can notice this by taking a look at the image below:

Both "user" and "manager" have privileges lower than the admin privilege; according to the application logic, this means that the admin should only add roles that are lower than its privilege, but here we were able to manipulate the logic of the application in order to add high-privilege admin from the same admin account. This can be manipulated by changing the role parameters value to "admin."

As highlighted in the image below, the ordinary request can contain one of the two mentioned privileges and in this case, it was "user":

Now, we are going to manipulate that and switch it to "admin" as shown: