NCR Atleos Terminal Manager Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in NCR Atleos Terminal Manager (ConfigApp) version 3.4.0. This issue allows normal authenticated users to gain administrator privileges by manipulating the 'userId' parameter in a redirect URL. Once escalated, the user can access full administrative functions, make unauthorized changes using admin capabilities, and their actions will be logged as if performed by the administrator.

Impact

Exploitation of this vulnerability allows a normal user to gain full administrative rights, misuse admin functions, and disrupt the accuracy of activity logs by attributing unauthorized actions to the admin account.

Reproduction

To reproduce this vulnerability, log into ConfigApp v3.4.0 as a normal user. Navigate to the Terminal Manager page, where limited functionalities are available. Intercept the request that redirects to system functions, which will include the 'userId' parameter. Modify this parameter to replace the normal user ID with that of an admin user and forward the request. After the modification, the admin functionalities will be accessible, and the admin's bearer token will be issued, confirming the privilege escalation. Any actions taken will be recorded in the activity logs as if they were performed by the administrator.
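As an added illustration (not NCR's or ConfigApp's code; the user table, signing key and log lines are constructed placeholders), the handler pattern the advisory describes beside a hardened version that takes the token subject and the activity-log actor from the server-side session only, plus a retroactive check over access-log lines for a 'userId' parameter that disagrees with the session that sent it:

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs

# Constructed user directory and signing key; placeholders, not real values.
USERS = {"1001": "admin", "2042": "user"}
SIGNING_KEY = b"constructed-demo-key"

def user_id_from_url(url: str):
    """Return the 'userId' query parameter of a redirect URL, or None."""
    return parse_qs(urlparse(url).query).get("userId", [None])[0]

def mint_bearer(user_id: str) -> str:
    """Token whose subject and role are MAC-bound so they cannot be swapped later."""
    role = USERS[user_id]
    mac = hmac.new(SIGNING_KEY, f"{user_id}:{role}".encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{role}.{mac[:16]}"

def vulnerable_redirect(session_user_id: str, redirect_url: str) -> dict:
    """Flaw class from the advisory: the subject of the issued token and the
    actor written to the activity log is whatever userId the client supplied."""
    subject = user_id_from_url(redirect_url) or session_user_id
    return {"token": mint_bearer(subject), "log_actor": subject}

def hardened_redirect(session_user_id: str, redirect_url: str) -> dict:
    """Fix: identity comes from the authenticated session only. A userId that
    disagrees with the session is rejected and flagged for review."""
    requested = user_id_from_url(redirect_url)
    if requested is not None and requested != session_user_id:
        return {"error": "userId does not match session", "alert": True,
                "session_user": session_user_id, "requested_user": requested}
    return {"token": mint_bearer(session_user_id), "log_actor": session_user_id}

# Constructed access-log lines: "<session_user> <method> <path>"
SAMPLE_LOG = [
    "2042 GET /terminal",
    "2042 GET /system?userId=1001",
    "1001 GET /system?userId=1001",
]

def find_userid_mismatches(lines):
    """Retroactive detection: requests whose userId parameter names a different
    account than the session that issued them."""
    hits = []
    for line in lines:
        session_user, _method, path = line.split(" ", 2)
        requested = user_id_from_url(path)
        if requested is not None and requested != session_user:
            hits.append((session_user, requested, path))
    return hits
```

The mismatch check is the signal a defender can alert on in gateway or application logs, since a legitimate client never needs to name a different account than its own session.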

Added: Oct 29, 2025, 3:18 PM
Updated: Oct 29, 2025, 4:28 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.