CVE-2020-14945 - Privilege Escalation.md

File metadata and controls

58 lines (44 loc) · 3.52 KB

I. VULNERABILITY

Privilege Escalation - BSA Radar (Authenticated)

II. BACKGROUND

BSA Radar is a banking application provided by GLOBAL Radar which is implemented within corporate environments to perform SWIFT transactions, approve and review transactions, manage documents, manage users and roles, and other features.

III. DESCRIPTION

A privilege escalation vulnerability exists within Global RADAR BSA Radar 1.6.7234.X that allows an authenticated, low-privileged user to escalate their privileges to administrator rights (i.e. the "BankAdmin" role) via a forged request to the SaveUser API.

IV. HISTORY

The vulnerability was originally disclosed to the vendor on November 4, 2019.
The CVE was originally submitted on June 19, 2020.
CVE assigned: CVE-2020-14945

V. PROOF OF CONCEPT

The privilege escalation is achieved by saving the response of the GetUser request (issued when clicking the username in the top right). When this profile is saved, the application sends a request to the SaveUserProfile endpoint. That request can be captured and modified (raising the role-related fields as needed to reach the BankAdmin role) and then sent to the SaveUser endpoint, which is the endpoint admins use to update the privileges of any user. After successful privilege escalation, a user can then access the Administration features and modify the application or accounts, cause further damage to the application and users, or exfiltrate application data.

HTTP Request PoC:

POST /WS/AjaxWS.asmx/SaveUser

{"user":
{"UserID":<CURRENT USER ID>,"Username":"...","Firstname":"...","Lastname":"...","Email":"...","BranchID":"...","Role":"BANKADMIN","WireLimit":"XXXXXXX","BankID":"...","Permissions":["XXXXXXXXXXXXXXX"], <REMAINDER OF REQUEST HERE> } }

The Role, WireLimit and Permissions parameters can be forged to change the current user's permissions and elevate them to a higher role such as BankAdmin with full account modification permissions.

VI. BUSINESS IMPACT

Exploitation of this vulnerability escalates the privileges of the current user. This can result in full application compromise, deletion of other users or admins, creation of new users to create and approve new wire transfers, etc.

VII. SYSTEMS AFFECTED

BSA Radar - Version 1.6.7234.24750 and lower.

VIII. SOLUTION

Access controls should be reviewed and implemented on user-related functions so that each request for application functionality is validated and then authorized or denied server-side based on the caller's current privileges and roles. This should prevent non-admin users from modifying user account features such as roles and privileges.

Additionally, these vulnerable/exposed parameters can be removed from the requests of low-privileged users if they are not required for their user functionality.
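The following is an added illustration of the server-side check described above; it is not the vendor's code. The field names (UserID, Role, WireLimit, Permissions) come from the advisory's request body, while the user store, the role values and both handlers are assumed for the example. The "vulnerable" handler reproduces the described behaviour of trusting the client-supplied record; the hardened handler derives the caller's role from the server-side session rather than the request and rejects privileged fields from non-admins.

```python
import copy
import json

# Privileged fields only an administrator may change (names from the advisory).
PRIVILEGED_FIELDS = {"Role", "WireLimit", "Permissions"}
ADMIN_ROLES = {"BANKADMIN"}   # assumed role value

# Constructed user store keyed by UserID (not real application data).
USERS = {
    7: {"UserID": 7, "Username": "jdoe", "Role": "USER",
        "WireLimit": "1000", "Permissions": ["VIEW"]},
    1: {"UserID": 1, "Username": "admin", "Role": "BANKADMIN",
        "WireLimit": "9999999", "Permissions": ["ALL"]},
}

# Constructed forged request: a low-privileged user resubmits their own
# profile with the privileged fields raised to administrator values.
FORGED_BODY = json.dumps({"user": {
    "UserID": 7, "Username": "jdoe", "Role": "BANKADMIN",
    "WireLimit": "9999999", "Permissions": ["ALL"]}})

# Constructed legitimate request: same user changes only a non-privileged field.
SELF_EDIT_BODY = json.dumps({"user": {
    "UserID": 7, "Username": "jdoe2", "Role": "USER"}})

def fresh_store():
    """Deep copy of the constructed store so each call starts clean."""
    return copy.deepcopy(USERS)

def save_user_vulnerable(caller_id, body, users):
    """Pre-fix behaviour: writes whatever record the client supplied."""
    user = json.loads(body)["user"]
    users[user["UserID"]].update(user)
    return 200

def save_user_hardened(caller_id, body, users):
    """Authorizes against the caller's stored role, never the request body.
    Returns (status, detail); privileged fields require an admin caller."""
    user = json.loads(body)["user"]
    caller = users[caller_id]            # identity from the server-side session
    target = users.get(user.get("UserID"))
    if target is None:
        return 404, "unknown user"
    if caller["Role"] in ADMIN_ROLES:    # admins may update any user
        target.update(user)
        return 200, "saved by admin"
    if caller_id != target["UserID"]:
        return 403, "non-admin may only edit own profile"
    tampered = sorted(f for f in PRIVILEGED_FIELDS
                      if f in user and user[f] != target.get(f))
    if tampered:                         # worth logging as an escalation attempt
        return 403, f"privileged fields rejected: {tampered}"
    safe = {k: v for k, v in user.items() if k not in PRIVILEGED_FIELDS}
    target.update(safe)                  # privileged fields never written here
    return 200, "saved"
```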

IX. REFERENCES

Mitre CVE-2020-14945
Exploit-DB CVE-2020-14945 - Authenticated Privilege Escalation

X. CREDITS

This vulnerability has been discovered and reported by William Summerhill.

XI. DISCLOSURE TIMELINE

The vulnerability was originally disclosed to the vendor on November 4, 2019 and acknowledged shortly after. The vulnerability was then patched and verified on April 26, 2020.