Creating a new user with admin Privilege


Product & Service Introduction:

BioStar 2 is a web-based, open, and integrated security platform that provides comprehensive functionality for access control, time & attendance management, visitor management, and video log maintenance. It encrypts all personal data available and supports both SDKs and web APIs to integrate BioStar 2 with third-party software. In addition, users can control BioStar 2 platform remotely with the mobile app for BioStar 2 and manage a mobile access card that they can use to access sites.

Technical Description:

On Bio star 2 web application there are 7 different Operator levels, each rule has a different privilege where the “Administrator” has full permission to do everything on the web application while the “User Operator” has limited privileges. But due to missing server-side validation, I identified a way to create a highly privileged user. An attacker should be authenticated to the target website and logged in as a “User Operator” to exploit this vulnerability.

The security risk of the vulnerability is High with a CVSS (common vulnerability scoring system) count of 8.8

Successful exploitation of the vulnerability results in gaining admin privilege giving the attacker the ability to control the entire system such as

  • Delete, Modify and add any user
  • Delete, Modify and add any door
  • Access to all user’s information from the Active directory if the system was integrated with the AD and much more.

Proof of Concept (POC):

  • From the dashboard click on “Add user”
System dashboard
  • Noticed the user’s level “User Operator” can’t create admin account
Operator level
Original PUT request when adding new user
  • Using a proxy interceptor modify the value of the “id” parameter from 255 to 1 to change the user rule
Modified PUT request, the value has been changed from 255 to 1
  • Login to the new account
New admin account has been created on Bio star 2

Exploit using python:

Python script, that takes user token to generate a new admin account, by sending a PUT request.
Running the script.

Solution – Fix & Patch:

Suprema recommend using the latest version of Bio star 2, at the time of publishing the blog | 2022 Q4, v2.9.1.