CashDro 3 Web Administration Panel Authorization Vulnerability Privilege Escalation
Vulnerability
A vulnerability in the CashDro 3 web administration panel, version 24.01.00.26, allows for unauthorized privilege escalation. The backend fails to enforce proper authorization, relying solely on frontend controls. By manipulating the 'Permissions' field in the JSON response, an attacker can gain full administrative access, bypassing all restrictions and compromising system management. This issue was discovered during a penetration test at a Spanish leisure center, where the CashDro smart cash management drawer was found to be connected to an internal network accessible via a public-facing port.
Impact
Exploitation of this vulnerability leads to unauthorized administrative access on the CashDro 3 web administration panel, allowing the attacker to bypass all restrictions and gain full control over the system management functions.
Reproduction
The vulnerability can be reproduced by logging into the CashDro 3 web administration panel with a standard, non-administrative user account. Once logged in, the server's response includes a 'Permissions' field that the client is able to modify. Changing this field to grant additional privileges unlocks restricted options in the web application. The manipulation can be performed through the application's API by sending a crafted request that includes the modified 'Permissions' data, because the backend never re-checks those permissions against its own record of the user.
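The authorization failure described above, as an added illustration in Python that is not CashDro's code: a request handler that trusts a client-supplied 'Permissions' field, beside a hardened handler that derives permissions only from the server-side session and logs any client-sent 'Permissions' field as a tampering signal. The session store, user names, permission names and JSON request shape are constructed assumptions.

```python
import json
import logging

log = logging.getLogger("authz")

# Constructed server-side session store: session token -> user record.
# In a real deployment this is the only source of truth for permissions.
SESSIONS = {
    "sess-cashier": {"user": "cashier", "permissions": ["view_balance"]},
    "sess-admin": {"user": "admin", "permissions": ["view_balance", "manage_users"]},
}

REQUIRED = "manage_users"  # permission the admin-only endpoint requires


def vulnerable_handler(raw_body: str) -> dict:
    """Frontend-only authorization: the server believes whatever
    'Permissions' list the client echoes back in the JSON body."""
    request = json.loads(raw_body)
    perms = request.get("Permissions", [])  # attacker-controlled
    if REQUIRED in perms:
        return {"status": 200, "body": "user list"}
    return {"status": 403, "body": "forbidden"}


def hardened_handler(raw_body: str) -> dict:
    """Server-side authorization: permissions come from the session record,
    and a client-supplied 'Permissions' field is ignored and logged."""
    request = json.loads(raw_body)
    session = SESSIONS.get(request.get("session"))
    if session is None:
        return {"status": 401, "body": "unauthenticated"}
    if "Permissions" in request:
        # Legitimate clients never send this field; treat it as a detection signal.
        log.warning("ignoring client-supplied Permissions from user %s", session["user"])
    if REQUIRED not in session["permissions"]:
        return {"status": 403, "body": "forbidden"}
    return {"status": 200, "body": "user list"}


if __name__ == "__main__":
    tampered = json.dumps({"session": "sess-cashier", "Permissions": [REQUIRED]})
    print("vulnerable:", vulnerable_handler(tampered)["status"])  # 200
    print("hardened:  ", hardened_handler(tampered)["status"])    # 403
```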
Remediation
Users are advised to update to CashDro 3 version 26.01.00.16, the currently supported version, which includes the necessary authorization controls. Previous versions have been removed from the distribution repository for security reasons.
