APTRS Privilege Escalation Vulnerability in User Edit Endpoint
Vulnerability
A privilege escalation vulnerability has been identified in APTRS (Automated Penetration Testing Reporting System) versions prior to 2.0.1. The issue lies in the edit_user endpoint, where a user can manipulate the is_superuser field to elevate their own account or another user's account to superuser status. The root cause is twofold: the CustomUserSerializer exposes is_superuser as a writable field rather than a read-only one, and the edit_user view performs no validation to block unauthorized changes to it. Exploiting this flaw grants unrestricted access to the application without requiring re-authentication.
Impact
Exploitation of this vulnerability allows an authenticated user with administrative privileges to escalate their rights to superuser, thereby gaining full control over the application. This includes the ability to manage all users, access restricted functionalities, and modify or delete superuser accounts, leading to a complete compromise of the system.
Reproduction
To reproduce this vulnerability, first log in to an APTRS instance as an admin user. Then create a non-superuser account with the 'Manage Users' permission. Using that account, send a POST request to the edit_user endpoint with `'is_superuser': true` in the request body. This escalates the account to superuser status, which can be verified by checking the user list for the account's updated privileges.
Remediation
Users are advised to update to APTRS version 2.0.1 or later, and to add 'is_superuser' to the read_only_fields of the CustomUserSerializer. Additionally, an explicit check can be implemented in the edit_user view to prevent non-superusers from modifying the is_superuser status.
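As an added illustration that is not APTRS's own code, the following pure-Python stand-in models the edit_user flow before and after the fix: the vulnerable variant mass-assigns every posted field, while the hardened variant combines the explicit view-level check with the equivalent of DRF's read_only_fields. The User class, PermissionDenied, the WRITABLE_FIELDS list and the 'manage_users' permission name are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed stand-in for APTRS's user model; not the project's own code.
@dataclass
class User:
    username: str
    email: str
    is_superuser: bool = False
    permissions: set = field(default_factory=set)

class PermissionDenied(Exception):
    """Raised when the acting user may not perform the requested edit."""

# Equivalent of read_only_fields on CustomUserSerializer after the fix.
READ_ONLY_FIELDS = {"is_superuser"}
# Fields the endpoint is meant to let a user manager edit (constructed list).
WRITABLE_FIELDS = {"username", "email"}

def _require_manage_users(actor: User) -> None:
    if not (actor.is_superuser or "manage_users" in actor.permissions):
        raise PermissionDenied("Manage Users permission required")

def edit_user_vulnerable(actor: User, target: User, data: dict) -> User:
    """Pre-2.0.1 behaviour: every posted field, is_superuser included, is applied."""
    _require_manage_users(actor)
    for key, value in data.items():
        setattr(target, key, value)
    return target

def edit_user_fixed(actor: User, target: User, data: dict) -> User:
    """Hardened flow: explicit view-level check plus read-only serializer fields."""
    _require_manage_users(actor)
    # View-level check from the advisory: a non-superuser attempting to change
    # is_superuser is rejected outright, which also gives the audit log a clear event.
    if "is_superuser" in data and not actor.is_superuser:
        raise PermissionDenied("only superusers may change superuser status")
    # Serializer-level defence: read-only fields are dropped on write regardless of
    # who sent them, and unknown keys are rejected instead of being mass-assigned.
    unknown = set(data) - WRITABLE_FIELDS - READ_ONLY_FIELDS
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    for key, value in data.items():
        if key in READ_ONLY_FIELDS:
            continue
        setattr(target, key, value)
    return target
```

In the hardened variant the explicit check fails loudly for a non-superuser, while the read-only filter ensures that even a superuser cannot flip is_superuser through this endpoint.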
