Skip to main content

Critical Privilege Escalation Vulnerability in Teleport ($21,000)

Teleport | Report #2281075 | HackerOne Link to YouTube Video
#2281075
access list owner can escalate his role to the highest roles
Add Hacker summary
Timeline · export
moaz219
submitted a report to Teleport.
December 11, 2023, 6:28pm UTC

Summary:

  1. Go to [your-domain.teleport.sh/web/accesslists].
  2. Create a new access list and add a role to "Roles Granted," e.g., "reviewer" role.
  3. Add a user as the Access List Owner.
  4. The user, as the Access List Owner, can escalate the role of the list to higher roles, thereby escalating their own account's role.
This is a prohibited procedure, as stated here, that Owners are not able to control what roles and traits are granted by the Access List.

Steps To Reproduce:

From Organization Owner Account:

  1. Go to [your-domain.teleport.sh/web/accesslists].
  2. Create a new access list.
  3. Add a user as List Owner.
  4. Add a role to "Roles Granted," e.g., "reviewer" role.

From Access List Owner Account:

  1. Add a new member to the access list and intercept the request.
  2. Add "editor" role on "grants roles."
  3. The "editor" role will be added to "Permissions Granted."
  4. Logout and relogin.
  5. Now, the user has the "editor" role and can perform any action on the organization.

Impact

  • Unauthorized Access: Potential for unauthorized access to sensitive information.
  • Security Breach: Risk of compromising the overall security of the system.
  • Privilege Escalation: Violation of the principle of least privilege.
  • Violation of Access Control Policies: Contradiction with Teleport's documentation and policies.
  • Risk of Insider Threats: Potential exploitation by malicious insiders.
POC Video
 updated the severity from critical to
medium (6.1)
December 11, 2023, 11:09pm UTC
 updated the severity from
medium (6.1)
 to
critical (9.0)
December 11, 2023, 11:41pm UTC
Mike Jensen
 changed the status to Triaged
December 11, 2023, 11:59pm UTC
Thank you for the report @moaz219. I was able to reproduce this and agree with you that is a concerning privilege escalation in our new Access List functionality. I will let you know as soon as I have an update on this fix.
Teleport
 rewarded moaz219 with a $20,000 bounty
December 12, 2023, 9:33pm UTC
Thank you again for this and your other recent reports @moaz219!
Moaz adel
 posted a comment
Updated December 13, 2023, 4:57am UTC
Thank you so much for the reward! I'm glad I could assist. if you have further feedback, please let me know.
Also, I would like to express that, based on the information provided in your policy's bonus section, I believe I am eligible for a bonus. It states that submitting a valid privilege escalation report is rewarded with a $1,000 bonus.
Thank you again !
Moaz adel
 posted a comment
December 20, 2023, 3:41am UTC
@jent-teleport Hello sir,
Am I eligible for a $1,000 bonus reward ?
And Thanks.
Teleport
 rewarded moaz219 with a $1,000 bounty
December 20, 2023, 7:10pm UTC
@moaz219 Yes, I can confirm this report is eligible for the privilege escalation bonus. Thank you for asking!
Mike Jensen
 changed the status to Retesting
Updated December 20, 2023, 7:23pm UTC
@moaz219 This issue has been fixed for our cloud customers. Using your teleport.sh tenant you should now be able to verify this fix.
This issue will be communicated privately to customers today, but remains under embargo for public disclosure. I will request disclosure on HackerOne when we are ready to publicly disclose this issue.
If it helps as part of your retesting (or other testing), we found several additional cases that were addressed with this fix:
  • Owners could add themselves to access lists, although list permissions were still respected this individual access expansion was not expected
  • The added_by username and joined date field could be specified with arbitrary values
  • There was an additional privilege escalation case during the review process that was addressed
Let me know if you have any questions, or there is anything I can do to help. Thank you!
Moaz adel
 completed a retest
December 21, 2023, 5:32pm UTC

Retest finding result

  • Are you able to reproduce the vulnerability report?

    No, the fix works.

  • Please provide a short summary with the results of your retest

    the fix works .
Moaz adel
 posted a comment
December 21, 2023, 5:35pm UTC
Can we resolve this report ?
Teleport
 awarded $50 to moaz219 for completing the retest
December 21, 2023, 10:47pm UTC
 closed the report and changed the status to Resolved
December 21, 2023, 10:47pm UTC
Mike Jensen
 posted a comment
December 21, 2023, 10:50pm UTC
Thank you for the additional validation @moaz219, resolved now. I will reach out and request disclosure after we publicly disclose this issue. Thank you!
Mike Jensen
 requested to disclose this report
December 29, 2023, 6:05pm UTC
@moaz219 Let me know if you have a GitHub handle you want us to list under the Credits for the GitHub Advisory on this issue. Thank you again for the help!
Moaz adel
 posted a comment
Updated December 29, 2023, 6:17pm UTC
Sure, you can list my GitHub handle as [Moaz219] for the Credits in the GitHub Advisory. Thank you!
Mike Jensen
 posted a comment
December 29, 2023, 8:37pm UTC
@moaz219 We have disclosed the vulnerability on GitHub here: https://github.com/gravitational/teleport/security/advisories/GHSA-76cc-p55w-63g3
Feel free to accept our disclosure request here on HackerOne when you get a chance. Thank you again for the help!
 agreed to disclose this report
December 29, 2023, 9:08pm UTC
 This report has been disclosed
December 29, 2023, 9:08pm UTC
moaz219
Request Mediation
Write
Preview
Parsed with Markdown
Record a demo

Comments

Post a Comment

Popular posts from this blog

Facebook vulnerability allows an attacker to prevent any user from blocking them

Vulnerability Report - Facebook Events / Block Bypass Hello, Today, I'm sharing a vulnerability I discovered in Meta's bug bounty program. This vulnerability allows an attacker to prevent any Facebook user from blocking them. Description of Vulnerability: 1. On Facebook Events you can go to: https://www.facebook.com/events/create/ and create a recurring event — which is simply a single event that repeats at different time intervals. 2. If you create a recurring event and then delete that recurring event, any Facebook user who tries to block you on Facebook will encounter an error message that prevents them from doing so. Exploitation Scenario: 1. The attacker wants to prevent any Facebook user from blocking them permanently. 2. The attacker goes to: https://www.facebook.com/events/create/ , clicks “Repeat event”, sets it to repeat twice, then clicks “Create event”. 3. The attacker deletes this recurring even...
Post a Comment
Read more

Facebook Anonymous Post Owner Disclosure

Vulnerability Report - Meta Bug Bounty Program Hello, Today, I'm sharing a vulnerability I discovered in Meta's bug bounty program. This vulnerability allows an attacker to disclose the author of anonymous posts or comments in Facebook Groups. Description of Vulnerability: In Facebook groups, you can write an anonymous post or comment, and therefore no one should know your identity except the group admins. If you make an anonymous post or comment, and then someone blocks you and writes a comment on your post or comment, and you reply to them anonymously, their mention in your reply will appear as plain text instead of the normal blue clickable link. Exploitation Scenario: The victim publishes an anonymous post or comment inside a Facebook group. The attacker suspects that a specific group member is the owner of this anonymous post or comment. The attacker blocks the suspected member and then writes a comment on...
Post a Comment
Read more