Privilege Escalation in BioStar 2 Exploitable through Batch Edit Option


Vulnerability Description:

The BioStar 2 web application has multiple operator levels, each with different privileges. The “Administrator” level has full permissions, while the “User Operator” level has only a restricted set of privileges. However, I have discovered a vulnerability that allows an attacker to escalate their privilege from “User Operator” to “System Administrator.” Exploiting this vulnerability requires the attacker to be authenticated and logged in as a “User Operator” on the target application.

Steps to Reproduce:

1. Log in to the BioStar 2 dashboard using a “User Operator” account.

2. Select two users and click on “Batch edit.”

3. In the batch edit form, click on “Operator level” and select a user.

4. After clicking the “OK” button, a confirmation box will appear.

5. Examine the original PUT request made during batch user editing.

6. Using a proxy interceptor, modify the following information.

The User Operator has now escalated their privileges and become a System Administrator.
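The root cause described above is that the server applies whatever fields the batch-edit PUT body carries, including the operator level, without checking the role of the operator who sent it. The following added example (not Suprema's code; the field name “operator_level”, the role strings and the allow-list are assumptions) contrasts that trusting behaviour with a server-side check that enforces who may change which fields:

```python
from dataclasses import dataclass

# Role names as used in the write-up above (assumed to be the stored values).
ADMIN = "System Administrator"
USER_OPERATOR = "User Operator"

# Assumed allow-list: fields a User Operator is permitted to change in a batch edit.
# Note that "operator_level" is deliberately absent.
USER_OPERATOR_FIELDS = {"department", "access_group", "expiry_date"}


@dataclass
class Operator:
    user_id: str
    level: str


class AuthorizationError(Exception):
    """Raised when the acting operator may not perform the requested edit."""


def batch_edit_vulnerable(actor, targets, changes, users):
    """Mirrors the flaw described above: the PUT body is trusted as-is, so a
    User Operator can set 'operator_level' on any target, including themselves."""
    for uid in targets:
        users[uid].update(changes)
    return users


def authorize_batch_edit(actor, targets, changes):
    """Return None if the request is allowed, otherwise the reason it is denied.
    Authorization is decided per field on the server, never from the client."""
    if "operator_level" in changes and actor.user_id in targets:
        return "operators may not change their own operator level"
    if actor.level == ADMIN:
        return None
    disallowed = sorted(set(changes) - USER_OPERATOR_FIELDS)
    if disallowed:
        return f"{actor.level} may not edit fields {disallowed}"
    return None


def batch_edit_hardened(actor, targets, changes, users):
    """Same operation, but refuses the request before touching any record.
    The denial reason is worth logging: repeated attempts are a detection signal."""
    reason = authorize_batch_edit(actor, targets, changes)
    if reason is not None:
        raise AuthorizationError(reason)
    return batch_edit_vulnerable(actor, targets, changes, users)
```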

Solution – Fix & Patch:

Suprema recommends using the latest version of BioStar 2; at the time of publishing this post (2022 Q4), that is v2.9.1.