OpenBMCS Privilege Escalation Vulnerability

A privilege escalation vulnerability has been identified in OpenBMCS version 2.4. This issue allows a regular user to gain administrative rights by manipulating permissions through a malicious HTTP POST request. The vulnerability resides in the user administration plugin, specifically within the 'update_user_permissions.php' script.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling a user to gain admin rights and associated privileges.

Reproduction

To reproduce this vulnerability, a user must first send a POST request to 'getUserDetails.php' in the 'useradmin' plugin directory to retrieve their current permissions. After identifying a user ID with lower privileges, the 'update_user_permissions.php' script can be exploited by sending a POST request that includes elevated permissions for various modules, such as 'alarms', 'controllers', 'graphics', 'history', 'progtool', and 'useradmin'. This request effectively escalates the user's privileges. Once elevated, the user can create new admin accounts by sending a POST request to 'create_user.php' with the necessary user details and permissions, including admin rights for the 'useradmin' module.