vatesfr / xen-orchestra

The global orchestration solution to manage and backup XCP-ng and XenServer.
https://xen-orchestra.com
Other
787 stars 267 forks source link

XEN Orchestra privilege escalation via websockets #5712

Open r3naissance opened 3 years ago

r3naissance commented 3 years ago

Context

Validated still vulnerable on version:

Expected behavior

Permissions enforcement through websockets is not thoroughly checked and can lead to an unprivileged 'user' to obtain data only accessible by 'admin'. VMs, Backups, Audit, Users, Groups, etc.

Current behavior

The websockets that control the application API are allowing access to certain elements based purely on the response (which can be manipulated). This would be similar to an ecommerce application taking the price of a shopping cart from the DOM (can be manipulated by the user) and starting the checkout process using this value).

In this POC, the method ‘resourceSet.getAll’ [Figure 1] responds with "permission":"none" [Figure 2]. If an attacker changes the value of ‘none’ to ‘admin’ [Figure 3], the API opens up with further data and UI points [Figure 4]. This change in permission level persists through other API calls until the resourceSet.getAll method calls for permissions again (which should respond with “none”) unless the attacker changes it back to admin. Interestingly, the API limits some methods, returning with ‘not enough permissions’ but shows the user has ‘admin’ permissions [Figure 5].

Figure 1 Figure 2 Figure 3 Figure 4 Figure 5 test-no vms test-no-permissions test-user

julien-f commented 3 years ago

Hello,

Sorry for the delay.

From what I understand, it's not a new issue and it's not a privilege escalation per se: API users can see all objects regardless of their permissions, the filtering is only done by the UI at the moment, but they cannot do any actions on objects they don't have the right to.

This is something we are actively working on fixing for the next major iteration of XO (v6).

Please see #502 for more information.

julien-f commented 3 years ago

Just to be clear, this issue should only impacts XAPI objects (VMs, hosts, pools, etc).

Other info (users, groups, backup jobs, etc) should not be accessible.