Crabbox Privilege Escalation Vulnerability Allowing Unauthorized Access to Agent Tickets
Vulnerability
A privilege escalation vulnerability has been identified in Crabbox versions prior to 0.12.0. This vulnerability allows users with shared visibility-only access to obtain Code, WebVNC, and Egress agent tickets. Exploitation involves sending POST requests to specific ticket endpoints, where insufficient access control checks allow the unauthorized acquisition of bridge-agent tickets. This enables impersonation of trusted lease-side bridges, despite the attacker only having visibility permissions.
Impact
Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling users to access agent tickets and impersonate trusted entities within the application.
Reproduction
To reproduce this vulnerability, a user with shared visibility-only access can send POST requests to the /v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, and /v1/leases/:id/egress/ticket endpoints. The absence of proper access control checks on these endpoints allows the user to obtain bridge-agent tickets, which can be used to impersonate trusted lease-side bridges.
Remediation
Users are advised to update to Crabbox version 0.12.0 or later, where this vulnerability has been addressed.
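The access-control gap described above can be expressed as a regression check. The following is an added example, not Crabbox's code or its actual fix: it puts a weak check (any relationship to the lease passes) beside a deny-by-default check that requires an explicit capability to mint a ticket. The role names, the "ticket:mint" capability, the sample lease data and all function names are assumptions made for illustration; only the three endpoint paths come from the advisory.

```javascript
// Added example: hypothetical authorization model for the ticket routes.
// Role, capability and function names are assumptions, not Crabbox identifiers.
const TICKET_ROUTE = /^\/v1\/leases\/([^/]+)\/(code|webvnc|egress)\/ticket$/;

// Capabilities granted per relationship to a lease (constructed model).
const CAPABILITIES = new Map([
  ["owner", new Set(["lease:view", "ticket:mint"])],
  ["shared-visibility", new Set(["lease:view"])],
]);

// Constructed sample data: lease id -> { user: role }.
const LEASES = {
  "lease-1": { alice: "owner", bob: "shared-visibility" },
};

function roleFor(user, leaseId) {
  const members = LEASES[leaseId];
  return members && Object.hasOwn(members, user) ? members[user] : null;
}

// Weak form: any relationship to the lease is treated as sufficient.
function weakAuthorize(user, method, path) {
  const m = TICKET_ROUTE.exec(path);
  if (method !== "POST" || !m) return 404;
  return roleFor(user, m[1]) ? 200 : 403;
}

// Corrected form: minting a ticket requires an explicit capability,
// and anything not explicitly granted is denied.
function authorize(user, method, path) {
  const m = TICKET_ROUTE.exec(path);
  if (method !== "POST" || !m) return 404;
  const caps = CAPABILITIES.get(roleFor(user, m[1]));
  return caps && caps.has("ticket:mint") ? 200 : 403;
}

// Regression matrix: status for one user across all three ticket endpoints.
function matrix(check, user) {
  return ["code", "webvnc", "egress"].map((kind) =>
    check(user, "POST", `/v1/leases/lease-1/${kind}/ticket`));
}

console.log("weak,  visibility-only:", matrix(weakAuthorize, "bob"));
console.log("fixed, visibility-only:", matrix(authorize, "bob"));
console.log("fixed, owner:          ", matrix(authorize, "alice"));
```

Running the same matrix against a deployed instance with a visibility-only test account after upgrading gives a quick confirmation that all three endpoints now refuse the request.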
