
Managers Can Add and Verify Administrator Emails

High
ChrisMacNaughton published GHSA-g2vg-vpvm-9575 Jan 29, 2022

Package

EyeDP (Product)

Affected versions

<= 1.0.0.0b1

Patched versions

1.0.0

Description

Manager users are restricted from editing higher-privilege users (operators and administrators) in order to prevent privilege escalation paths. However, managers can add secondary emails to any user, including operators and administrators, and the email endpoints are not covered by that restriction. Because EyeDP sends all notifications, including password reset emails, to every confirmed email on an account, a manager can add a secondary email under their control to an existing administrator account, mark it confirmed, initiate a password reset, and log in to the target administrator account.

The flow of the attack is as follows:

1. An attacker holding the manager role adds an email address under their control to the target administrator account through a POST request to /admin/users/<user_id>/emails.

2. The attacker marks the newly added email as "confirmed" through a POST request to /admin/users/<user_id>/emails/<email_id>/confirm.

3. The attacker initiates a password reset for the administrator account and receives the password reset token at the newly added email. This happens because EyeDP sends all notifications to every confirmed email on the account.

4. Using the endpoint /users/password/edit?reset_password_token= together with the token received by email, the attacker resets the administrator's password and impersonates the victim.

The same attack also works through the "resend welcome email" functionality, which managers can invoke for all users, including administrators, instead of the password reset.
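The root cause is that adding an email is an edit of the target account but was not subject to the same role-hierarchy check as other edits. The following is an added example, not EyeDP's code and not the fix in commit 0e2751: a minimal Ruby model of the role hierarchy showing the permissive rule described above beside a hardened rule, the notification behaviour that made the bug exploitable, and a detection pass over constructed audit-log lines that flags email changes made by an actor against an account of equal or higher rank. Role names follow the advisory; the numeric ranks, class names, method names and the audit-log format are assumptions for illustration.

```ruby
# Added example, not EyeDP's code. Ranks, class names and log format are
# assumptions made for this illustration.
ROLE_RANK = { user: 0, manager: 1, operator: 2, admin: 3 }.freeze

class NotAuthorized < StandardError; end

Account = Struct.new(:id, :role, :emails, keyword_init: true) do
  def rank
    ROLE_RANK.fetch(role)
  end
end

Email = Struct.new(:address, :confirmed, keyword_init: true)

# Permissive rule, as described in the advisory: anyone with user-management
# rights (manager or above) may add an email to any account.
def vulnerable_can_add_email?(actor, _target)
  actor.rank >= ROLE_RANK[:manager]
end

# Hardened rule: an email change is an edit of the target account, so it is
# subject to the same hierarchy check as any other edit. A manager may only
# touch accounts strictly below their own rank, or their own account.
def can_add_email?(actor, target)
  actor.rank >= ROLE_RANK[:manager] &&
    (actor.id == target.id || actor.rank > target.rank)
end

# Adds an unconfirmed email to target, enforcing the given policy first.
def add_email(actor, target, address, policy: method(:can_add_email?))
  unless policy.call(actor, target)
    raise NotAuthorized, "#{actor.role} #{actor.id} may not edit #{target.role} #{target.id}"
  end
  target.emails << Email.new(address: address, confirmed: false)
  target
end

# Models the notification behaviour that made the bug exploitable: the reset
# token goes to every confirmed address on the account, not only the primary.
def reset_recipients(target)
  target.emails.select(&:confirmed).map(&:address)
end

# Constructed audit-log sample (not real EyeDP output) for the detection pass.
AUDIT_LOG = <<~LOG
  2022-01-28T10:01:02Z actor=mgr1 actor_role=manager action=email.add target=admin1 target_role=admin address=attacker@example.com
  2022-01-28T10:01:10Z actor=mgr1 actor_role=manager action=email.confirm target=admin1 target_role=admin address=attacker@example.com
  2022-01-28T10:02:00Z actor=mgr1 actor_role=manager action=email.add target=alice target_role=user address=alice2@example.com
  2022-01-28T10:03:00Z actor=admin1 actor_role=admin action=email.add target=op1 target_role=operator address=op1-alt@example.com
LOG

# Returns the parsed fields of every email.* event in which the actor acted
# on an account of equal or higher rank than their own (and not on themselves).
def suspicious_email_events(log)
  log.each_line.filter_map do |line|
    fields = line.split.drop(1).to_h { |kv| kv.split("=", 2) }
    next unless fields["action"]&.start_with?("email.")
    actor_rank = ROLE_RANK.fetch(fields["actor_role"].to_sym)
    target_rank = ROLE_RANK.fetch(fields["target_role"].to_sym)
    next if fields["actor"] == fields["target"] || actor_rank > target_rank
    fields
  end
end

if $PROGRAM_NAME == __FILE__
  mgr = Account.new(id: "mgr1", role: :manager, emails: [])
  admin = Account.new(id: "admin1", role: :admin,
                      emails: [Email.new(address: "admin@example.com", confirmed: true)])
  puts "permissive rule lets manager edit admin: #{vulnerable_can_add_email?(mgr, admin)}"
  puts "hardened rule lets manager edit admin:   #{can_add_email?(mgr, admin)}"
  suspicious_email_events(AUDIT_LOG).each do |e|
    puts "suspicious: #{e['actor']} #{e['action']} on #{e['target']} (#{e['address']})"
  end
end
```

The hardened check deliberately reuses the same "strictly below my rank" comparison that already gates user edits, so the email endpoints cannot drift from the rest of the authorization model again; the detection pass is the kind of retrospective query a deployment on an affected version would run against its audit trail before trusting the current administrator accounts.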

Impact

A manager can escalate privileges to operator or administrator. The impact is reduced by the fact that the attacker must already hold relatively high privileges (user management) and by the fact that the attack is extremely noisy: it resets an administrator's password, which sends notifications to the administrator's primary email and locks them out of their account.

Patches

This issue is resolved in commit 0e2751. Users should upgrade to the latest commit on main or to a 1.0.0 or later release.

Workarounds

None

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

No known CVE

Weaknesses

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.