Submitted by ehu on Mon, 01/29/2024 - 12:51

Privilege escalation through CSRF attack on 'setup.pl'

Summary

When a LedgerSMB database administrator has an active session in /setup.pl,
an attacker can trick the admin into clicking on a link which automatically
submits a request to setup.pl without the admin's consent. This request can
be used to create a new user account with full application (/login.pl)
privileges, leading to privilege escalation.

Known vulnerable

All of:

- 1.3.0 up to 1.3.47 (including)
- 1.4.0 up to 1.4.42 (including)
- 1.5.0 up to 1.5.30 (including)
- 1.6.0 up to 1.6.33 (including)
- 1.7.0 up to 1.7.32 (including)
- 1.8.0 up to 1.8.31 (including)
- 1.9.0 up to 1.9.30 (including)
- 1.10.0 up to 1.10.29 (including)
- 1.11.0 up to 1.11.8 (including)

Known fixed

- 1.10.30
- 1.11.9

Details

CSRF is an attack that tricks the victim into submitting a malicious request. It
inherits the identity and privileges of the victim to perform an undesired function
on the victim’s behalf [^1].

To successfully perform the attack, an attacker needs to know the name of the database
for which they want to create a user. That is: in case LedgerSMB is used to maintain
multiple company administrations, multiple attacks need to be performed to gain access
to all of them. A single attack will gain access to a single company only, however, if
companies share users, the attacker can use those to gain access to the other companies
with the rights of the affected user accounts.

In this specific attack, the victim must be an administrator of /setup.pl with an
active session. It should be noted that the resulting user does *not* have full
access to /setup.pl, but *does* have full access to /login.pl for a single company.
This means that the resulting user can therefore *not* be used to create database backups,
however the attack itself can be used by the attacker to perform any action supported
by setup.pl.

[^1]: https://owasp.org/www-community/attacks/csrf

Severity

CVSSv3.1 Base Score: 7.5 (HIGH)

CVSSv3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSSv3.1 Base Score & Vector (with temporal score): 6.7 (MEDIUM)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C&version=3.1

Recommendations

We recommend all users to upgrade to known-fixed versions. Versions
prior to 1.10 are end-of-life and will not receive security fixes from
the LedgerSMB project.

Users who cannot upgrade, may apply the included patches or are advised
to contact a vendor for custom support.

As a workaround, installations may choose not to expose and use /setup.pl,
instead using the command line application "ledgersmb-admin" to perform
administrative tasks. Password resets can be performed with regular
/login.pl functionality or through PostgreSQL's "psql" command line tool.