Privilege escalation from maintainer to owner by importing members from a project

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1934811 by theluci on 2023-04-05, assigned to @greg:

Report

Hello, this bug is similar to #1576230.
The fix to #356975 (closed) can be bypassed if a maintainer imports members from a project.

Summary

A maintainer of a project can upgrade or downgrade a member's role or invite new members to the project.
However, to protect against privilege escalation from maintainer to owner, GitLab doesn't allow the maintainer to invite new members with the owner role.

m1.png

Neither does it allow upgrading a member's role to owner.

m2.png

The check is also implemented in the API, so that a maintainer cannot escalate privileges by changing "access_level":50.
However, the check is not implemented when importing members from a project, and a malicious maintainer can invite another of his accounts as the owner of a project.

Steps to reproduce

victim is the owner of project victim-project
attacker1 is the maintainer of victim-project

  1. attacker1 creates a project attacker-project and invites another of his accounts, attacker2, as the owner.
  2. attacker1 goes to the victim-project membership page:

https://gitlab.com/<victim-group>/<victim-project>/-/project_members

  3. attacker1 clicks on Import from a project
  4. attacker1 selects attacker-project

attacker2 is now the owner of victim-project

  5. (Optional) attacker2 can now upgrade attacker1 to owner and remove the attacker2 account if he wishes.

POC

Import_from_a_project.mp4

Impact

A malicious maintainer can escalate his privileges to those of an owner.
He gains access to owner functions such as:

  1. Delete project
  2. Archive project
  3. Transfer project to another namespace
  4. Delete merge requests etc.

Output of checks

This bug happens on GitLab.com (probably on self-managed instances too).

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:
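
As an added, defender-side illustration of the check the report says is missing on the import path (example code written for this issue; it is not the reporter's and not GitLab's own implementation, and the function name `import_members`, the membership hash shape and the sample data are assumptions). The numeric access levels are GitLab's public API values, which the report itself references with "access_level":50 for Owner. The rule it applies is the same one the report describes for direct invites and role updates: the acting user may not grant, through an import, a role above their own in the target project. It also refuses to touch existing target members who already outrank the importer, so an import cannot demote or re-elevate an owner either.

```ruby
# Added illustration, not GitLab's code. Access-level numbers are GitLab's
# public API values (the report references "access_level":50 for Owner).
ACCESS_LEVELS = {
  guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50
}.freeze

# A membership is a hash: { user: "name", access_level: Integer }.
# `importer_level` is the acting user's access level in the TARGET project.
# `target_members` maps user name -> access level and is updated in place.
# Returns { applied: [...], rejected: [...] }. Memberships that would grant a
# role above the importer's own are rejected, mirroring the rule already
# enforced for direct invites and role updates in the report.
def import_members(importer_level, source_members, target_members)
  applied = []
  rejected = []

  source_members.each do |member|
    level = member[:access_level]

    # Reject levels that are not a known role (e.g. hand-crafted API input).
    unless ACCESS_LEVELS.value?(level)
      rejected << { member: member, reason: "unknown access level" }
      next
    end

    # The core check missing on the import path: never grant a role that
    # outranks the person performing the import.
    if level > importer_level
      rejected << { member: member, reason: "exceeds importer's role" }
      next
    end

    # An import must not modify members who already outrank the importer;
    # otherwise a maintainer could demote an owner by importing them at a
    # lower level.
    current = target_members[member[:user]]
    if current && current > importer_level
      rejected << { member: member, reason: "target member outranks importer" }
      next
    end

    target_members[member[:user]] = level
    applied << member
  end

  { applied: applied, rejected: rejected }
end

# Constructed sample reproducing the report's scenario: attacker1 is a
# maintainer (40) of victim-project and imports from attacker-project, where
# attacker2 holds Owner (50). With the check in place the owner grant is refused.
if __FILE__ == $PROGRAM_NAME
  victim_project = { "victim" => 50, "attacker1" => 40 }
  attacker_project = [
    { user: "attacker2", access_level: ACCESS_LEVELS[:owner] },
    { user: "helper", access_level: ACCESS_LEVELS[:developer] }
  ]
  result = import_members(ACCESS_LEVELS[:maintainer], attacker_project, victim_project)
  puts "applied:  #{result[:applied].map { |m| m[:user] }.inspect}"
  puts "rejected: #{result[:rejected].map { |r| "#{r[:member][:user]} (#{r[:reason]})" }.inspect}"
  puts "victim-project members: #{victim_project.inspect}"
end
```

The same clamp is what makes the direct-invite and role-update paths safe; the point of the example is that every path that creates or changes a membership (invite, update, API, import, group share) has to go through it, otherwise the strongest check is only as good as the weakest entry point.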