The BioStar 2 web application contains multiple operator levels, each with different privileges. The “Administrator” level has full permissions, while the “User Operator” level does not. However, I have discovered a vulnerability that allows an attacker to escalate their privileges from “User Operator” to “System Administrator.” Exploiting this vulnerability requires the attacker to be authenticated and logged in as a “User Operator” on the target website.
Steps to Reproduce:
1. Log in to the BioStar 2 dashboard using a “User Operator” account.
2. Select two users and click “Batch edit”.
3. In the batch edit form, click “Operator level” and select a user.
4. Click the “OK” button; a confirmation box will appear.
5. Examine the original PUT request made during the batch user edit.
6. Using a proxy interceptor, modify the following information.
The User Operator has now escalated their privilege to system administrator.
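The root cause described above is a batch-edit handler that applies the client-supplied PUT body, operator level included, without checking whether the acting operator is allowed to grant that level. The following reference model, added here as an illustration and not BioStar 2's own code, shows that flawed pattern next to a hardened handler; the level names, the per-role field allowlist, the `Operator` shape and the sample users are all assumptions.

```python
from collections import namedtuple

# Assumed privilege ranking (higher = more privilege); not BioStar 2's own values.
OPERATOR_LEVELS = {"None": 0, "User Operator": 1, "Administrator": 2}
# Assumed per-role allowlist of fields a batch edit may change.
EDITABLE_FIELDS = {"User Operator": {"name", "email", "department"},
                   "Administrator": {"name", "email", "department", "operator_level"}}
Operator = namedtuple("Operator", "name level")  # acting operator (assumed shape)

class Forbidden(Exception):
    """The acting operator may not apply the requested change."""

def batch_edit_vulnerable(actor, user_ids, fields, users):
    """Flawed pattern: the PUT body is applied verbatim, so a User Operator
    can smuggle operator_level into a batch edit and grant Administrator."""
    for uid in user_ids:
        users[uid].update(fields)
    return users

def batch_edit_fixed(actor, user_ids, fields, users, audit):
    """Server-side checks: only allowlisted fields for the actor's role, and
    never an operator level above the actor's own. Denials are logged."""
    rejected = set(fields) - EDITABLE_FIELDS.get(actor.level, set())
    if rejected:
        audit.append(f"DENY actor={actor.name} fields={sorted(rejected)}")
        raise Forbidden(f"{actor.level} may not edit {sorted(rejected)}")
    new_level = fields.get("operator_level")
    if new_level is not None:
        if new_level not in OPERATOR_LEVELS:
            raise ValueError(f"unknown operator level {new_level!r}")
        if OPERATOR_LEVELS[new_level] > OPERATOR_LEVELS[actor.level]:
            audit.append(f"DENY actor={actor.name} grant={new_level}")
            raise Forbidden("cannot grant a level above your own")
    for uid in user_ids:
        users[uid].update(fields)
    return users

def demo():
    """Constructed sample: a User Operator tampers a two-user batch edit
    (one user is their own account) to carry operator_level."""
    users = {"u1": {"operator_level": "None"}, "u2": {"operator_level": "User Operator"}}
    actor = Operator("mallory", "User Operator")
    body = {"department": "R&D", "operator_level": "Administrator"}
    escalated = batch_edit_vulnerable(actor, ["u1", "u2"], body, {k: dict(v) for k, v in users.items()})
    audit = []
    try:
        batch_edit_fixed(actor, ["u1", "u2"], body, users, audit)
    except Forbidden:
        pass
    return escalated["u2"]["operator_level"], users["u2"]["operator_level"], audit
```

The audit entries the fixed handler writes are the signal a SOC would alert on: a non-administrator submitting operator_level in a batch edit has no legitimate reason to do so.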
Solution – Fix & Patch:
Suprema recommends using the latest version of BioStar 2; at the time of publishing this post (2022 Q4), that is v2.9.1.