From User to Admin: A Privilege Escalation via Business Logic
Hi, my name is Sirat and I do bug bounty on the HackerOne platform. In today's story I want to share a business logic vulnerability that allowed me to exploit privilege escalation in the victim's organization.
What is Privilege Escalation?
Before anything else, to understand this story you need to know what privilege escalation is.
Privilege escalation is when an attacker gains higher access rights than they should have. It can be:
- Vertical privilege escalation: gaining admin or other higher-level access.
- Horizontal privilege escalation: accessing another user's data or actions at the same privilege level.
In business logic flaws, this happens when missing or improper checks let users manipulate workflows, bypass restrictions, or escalate permissions.
So in short, it allows an attacker to reach something that their low privilege level should have kept them away from.
The ignored parts…
The application allowed users to create an organization and invite other users with different roles, such as admin or regular member. I had already reported that I could invite other users with any email I did not own, including their own private and internal email aliases, but due to the low impact they closed it as informative, so I had to turn it into a larger fruit.
There are some things you need to know that were required for the vulnerability to be successfully exploited.
First, the application allowed me to register with any email I did not own. The email was not verified by the backend, yet I could do almost everything while having the unverified email on my account.
Second, and most important, after taking a closer look at how the invitation works when a user invites someone to their organization, I realized that it is possible to accept an invite that was actually sent to attacker@mail.com as any other email, such as anotheruser@mail.com, while accepting the invite and registering on the application.
Those kinds of functions are actually pretty sensitive, but as we know, accepting invites as any email or inviting users with any email does not make much of an impact on its own, which triagers are quick to point out. Still, those behaviours can be very useful for further vulnerabilities.
Crafting the exploit
After looking into the application for a very long time, I wanted to find a privilege escalation bug in it, because it could be a very serious thing: it could allow an attacker to access a lot of restricted information and functions, or even take over the entire organization.
Of course, the regular bugs had already been fixed, since this program was watched by many hackers. Finding a bug in such a program feels like a puzzle that not everyone can solve, especially when you are looking for an overlooked bug, so I had to find something very unique that no one else had thought about.
I thought it could be possible for an organization admin to invite two different users with different roles at the same time. This could be the key that opens another door to a privilege escalation bug, even if the attack complexity would be very high.
So I scripted a scenario that is very logical for exploiting a privilege escalation vulnerability. Here is what I thought about:
1. As the victim, who is the organization admin, I invite two different emails: john@mail.com with the admin role and attacker@mail.com with the member role, which is a regular role that does not have as many permissions as admin.
2. Do you remember I said it is possible to accept invites as any email? Now, as the attacker, when I receive the invite at my email attacker@mail.com, I open the invite link and accept the invite as john@mail.com.
3. As the attacker, after registering as john@mail.com, I now have the admin role in the victim's organization, and I have successfully exploited the privilege escalation.
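To make the two preconditions (unverified registration emails, and an invite that can be accepted as a different email) and the three-step scenario above concrete, here is an added example that is not the target application's code and not part of the original story. It is a small in-memory invitation service with two accept paths: the vulnerable one only uses the invite token to learn which organization is involved and takes the role from whatever email the acceptor registers with, so an invite sent to attacker@mail.com can be redeemed as john@mail.com; the hardened one takes both the email and the role from the invite the token points at, requires the acceptor's email to be verified, and burns the token on use. The class and function names, the organization name and the roles are assumptions.

```python
"""Org invitations, constructed to show the flaw the story describes.

Everything here (OrgService, the role names, "victim-org", the addresses) is
an assumption for illustration, not the target application's code.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Invite:
    org: str
    email: str
    role: str
    used: bool = False


@dataclass
class Account:
    email: str
    email_verified: bool = False


class InviteError(Exception):
    pass


class OrgService:
    def __init__(self) -> None:
        self.invites: dict[str, Invite] = {}           # token -> Invite
        self.members: dict[str, dict[str, str]] = {}   # org -> {email: role}

    def create_invite(self, org: str, email: str, role: str) -> str:
        """Issue an invite. The token is random and unguessable; that is
        not the weak point in this flow."""
        token = secrets.token_urlsafe(32)
        self.invites[token] = Invite(org, email, role)
        return token

    def accept_invite_vulnerable(self, token: str, acct: Account) -> str:
        inv = self.invites.get(token)
        if inv is None:
            raise InviteError("unknown invite token")
        # Flaw: the role is resolved from the email supplied at registration,
        # which was never verified and is never compared against the token.
        pending = [i for i in self.invites.values()
                   if i.org == inv.org and i.email == acct.email and not i.used]
        if not pending:
            raise InviteError("no pending invite for that email")
        pending[0].used = True
        self.members.setdefault(inv.org, {})[acct.email] = pending[0].role
        return pending[0].role

    def accept_invite_hardened(self, token: str, acct: Account) -> str:
        inv = self.invites.get(token)
        if inv is None or inv.used:
            raise InviteError("invalid or already used invite token")
        if not acct.email_verified:
            raise InviteError("verify your email address before accepting")
        # Bind the acceptor to the address the invite was actually sent to.
        if not hmac.compare_digest(inv.email.lower().encode(),
                                   acct.email.lower().encode()):
            raise InviteError("this invite was sent to a different address")
        inv.used = True   # single use: replaying the link cannot re-grant a role
        self.members.setdefault(inv.org, {})[inv.email] = inv.role
        return inv.role


def _setup() -> tuple[OrgService, str, str]:
    """Step 1: the victim admin invites john as admin and the attacker as member."""
    svc = OrgService()
    john_token = svc.create_invite("victim-org", "john@mail.com", "admin")
    attacker_token = svc.create_invite("victim-org", "attacker@mail.com", "member")
    return svc, john_token, attacker_token


def exploit_vulnerable() -> str:
    """Steps 2 and 3: the attacker opens their own link but registers as john."""
    svc, _, attacker_token = _setup()
    impostor = Account("john@mail.com", email_verified=False)
    return svc.accept_invite_vulnerable(attacker_token, impostor)   # "admin"


def exploit_hardened() -> str:
    """Same move against the hardened path: rejected before any role is set."""
    svc, _, attacker_token = _setup()
    impostor = Account("john@mail.com", email_verified=True)
    try:
        svc.accept_invite_hardened(attacker_token, impostor)
    except InviteError as exc:
        return str(exc)
    return "granted"


def legit_hardened() -> str:
    """The real invitee, with a verified address, still gets the member role."""
    svc, _, attacker_token = _setup()
    return svc.accept_invite_hardened(attacker_token, Account("attacker@mail.com", True))


if __name__ == "__main__":
    print("vulnerable:", exploit_vulnerable())
    print("hardened:  ", exploit_hardened())
    print("legit:     ", legit_hardened())
```

The point of the hardened path is that the token alone decides who is being admitted and with which role; the email the acceptor types in can only confirm the binding, never change it. Requiring a verified email removes the first precondition from the story, and the single-use flag stops the same link from being replayed after the legitimate invitee has joined.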
As you may have realized, as the attacker we need to know the email of the other invited user who has the admin role. That is what makes the attack complexity high, and because of this the severity could not be higher than medium…
After that, I reproduced the same script I had made in my head, and everything went as I expected: I was able to successfully exploit the privilege escalation bug. The attack complexity was high, but it mostly depends on how the application works.
My suggestion for finding such bugs: you need to know how the application reacts and works. This is the only way to find your target's weaknesses.
Hope you enjoyed the story. Don't forget to follow me on X: https://x.com/siratsami71