Privilege escalation from user operator to System administrator

CVE 2022-38351

Product & Service Introduction:

BioStar 2 is a web-based, open, and integrated security platform that provides comprehensive functionality for access control, time & attendance management, visitor management, and video log maintenance. It encrypts all personal data available and supports both SDKs and web APIs to integrate BioStar 2 with third-party software. In addition, users can control the BioStar 2 platform remotely with the BioStar 2 mobile app and manage a mobile access card that they can use to access sites.
Technical Description:

In the BioStar 2 web application there are 7 different operator levels, and each role carries a different set of privileges: the "Administrator" has full permission to do everything in the web application, while the "User Operator" has limited privileges. Due to missing server-side validation, I identified a way to escalate my privilege from User Operator to system Administrator. The attacker must be authenticated to the target website and logged in as a "User Operator" to exploit this vulnerability.

The security risk of the vulnerability is High, with a CVSS (Common Vulnerability Scoring System) score of 8.8. Successful exploitation of the vulnerability results in gaining admin privilege, giving the attacker the ability to control the entire system, for example:
- Delete, modify and add any user
- Delete, modify and add any door
- Access all users' information from Active Directory, if the system was integrated with AD, and much more.

Proof of Concept (POC):

- Log in to the web application using your "User Operator" account.
- From the profile editing page, intercept the request using Burp Suite, then click on "User".
- Apply the changes, then change the value of the "id" parameter from 255 to "1". Simply put, 1 stands for admin and 255 for user permission.

Figure: Updated PUT request, the value has been changed from 255 to 1.

- Almost done: the privilege has been escalated from User Operator to system Administrator. Log out, then log in again to the dashboard to see the changes.

Figure: Admin User

Exploit using python:

Figure: Python script that takes 2 inputs from the user

–userid = the current user id on the system

–token = the session token for the logged-in user, used to send a PUT request that updates the User Operator level.

Figure: Running the script

Solution – Fix & Patch:

Suprema recommends using the latest version of BioStar 2; at the time of publishing this blog (2022 Q4) that is v2.9.1.
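The root cause named in the technical description is missing server-side validation of the operator level carried in the profile PUT request. As an added example (not Suprema's code and not the script shown in the screenshots), here is a vulnerable profile-update handler beside a hardened one that derives the caller's privilege from the server-side session and refuses level changes from anyone but an Administrator. The in-memory user table, the `caller` object, the `operator_level` body field and the audit list are assumptions; the only values taken from the write-up are 1 (Administrator) and 255 (User Operator).

```python
from dataclasses import dataclass
from typing import Dict, List
# Operator level ids named in the write-up: 1 = Administrator, 255 = User Operator.
ADMINISTRATOR = 1
USER_OPERATOR = 255

class Forbidden(Exception):
    """Raised when the caller is not permitted to make the requested change."""

@dataclass
class Operator:
    user_id: int
    name: str
    operator_level: int

def make_users() -> Dict[int, Operator]:
    """Constructed in-memory user table standing in for the real database."""
    return {1: Operator(1, "admin", ADMINISTRATOR), 42: Operator(42, "alice", USER_OPERATOR)}

# Constructed audit trail; a real deployment would forward these events to a SIEM.
AUDIT: List[str] = []

def update_profile_vulnerable(users, caller, user_id, body):
    """The flaw described above: the operator level in the PUT body is written
    to the record with no check on who is asking (caller is never consulted)."""
    target = users[user_id]
    if "name" in body:
        target.name = body["name"]
    if "operator_level" in body:
        target.operator_level = int(body["operator_level"])  # trusted as sent
    return target

def update_profile(users, caller, user_id, body):
    """Hardened handler. `caller` is the user loaded server-side from the session
    token, so the request body cannot influence its level. Only an Administrator
    may edit another user's profile or change any operator level."""
    target = users[user_id]
    is_admin = caller.operator_level == ADMINISTRATOR
    if not is_admin and caller.user_id != user_id:
        raise Forbidden("non-administrators may only edit their own profile")
    requested = body.get("operator_level")
    if requested is not None and int(requested) != target.operator_level and not is_admin:
        AUDIT.append(f"escalation attempt: user {caller.user_id} requested level "
                     f"{requested} for user {user_id}")
        raise Forbidden("only an Administrator may change an operator level")
    if "name" in body:
        target.name = body["name"]
    if requested is not None:
        target.operator_level = int(requested)
    return target
```

The audit entry written on a rejected change is the detection hook: a User Operator submitting level 1 for their own record is exactly the request the PoC sends, and it should alert rather than silently fail.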