Privilege escalation from maintainer to owner by importing members from a project
HackerOne report #1934811 by theluci
on 2023-04-05, assigned to @greg:
Report
Hello, this bug is similar to #1576230.
The fix to #356975 (closed) can be bypassed if a maintainer imports members from a project.
Summary
A maintainer of a project can upgrade or downgrade a member's role or invite new members to the project.
However, to protect against privilege escalation from maintainer to owner, GitLab doesn't allow the maintainer to invite new members with the owner role.
Neither does it allow upgrading a member's role to owner.
The check is also implemented in the API, so that a maintainer cannot escalate privileges by changing "access_level":50
However, the check is not implemented when importing members from a project, and a malicious maintainer can invite another account of his as the owner of a project.
Steps to reproduce
- victim is the owner of project victim-project
- attacker1 is the maintainer of victim-project
1. attacker1 creates a project attacker-project and invites another account of his, attacker2, as the owner.
2. attacker1 goes to the victim-project membership page: https://gitlab.com/<victim-group>/<victim-project>/-/project_members
3. attacker1 clicks on Import from a project
4. attacker1 selects attacker-project
attacker2 is now the owner of the victim-project
(Optional)
5. attacker2 can now upgrade attacker1 to owner and remove the attacker2 account if he wishes.
POC
Impact
A malicious maintainer can escalate his privileges to those of an owner.
He gains access to owner functions such as:
- Delete project
- Archive project
- Transfer project to another namespace
- Delete merge requests etc.
Output of checks
This bug happens on GitLab.com (probably on self-managed instances too)
Impact
A malicious maintainer can escalate his privileges to those of an owner.
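The report's point is that the "cannot grant a role above your own" rule was enforced on direct invites and on the API but not on the "Import from a project" path. The following is an added illustration, not GitLab's own code: a small Ruby model of that rule applied uniformly to any batch of incoming members, including the report's scenario of a maintainer importing an owner from a project he controls. The access-level values are GitLab's documented ones; the member hash shape and the function names are assumptions for this example.

```ruby
# Added example (not GitLab code): authorization rule that must hold on every
# member-adding path (invite, API, and import from a project alike).
module Access
  GUEST      = 10
  REPORTER   = 20
  DEVELOPER  = 30
  MAINTAINER = 40
  OWNER      = 50
end

# A user may grant a role only if it does not exceed their own level.
# A maintainer (40) therefore can never create an owner (50), regardless
# of where the member record comes from.
def can_grant?(granter_level, requested_level)
  requested_level <= granter_level
end

# Hypothetical member record shape: { user: 'name', access_level: Integer }.
# Applies can_grant? to an imported member list. mode :reject drops members
# the importer may not grant; mode :cap lowers them to the importer's level.
def import_members(importer_level, source_members, mode: :reject)
  # Only members who manage the project at all may import (maintainer and up).
  return { allowed: [], rejected: source_members } if importer_level < Access::MAINTAINER

  allowed, rejected = [], []
  source_members.each do |m|
    if can_grant?(importer_level, m[:access_level])
      allowed << m
    elsif mode == :cap
      allowed << m.merge(access_level: importer_level)
    else
      rejected << m
    end
  end
  { allowed: allowed, rejected: rejected }
end

# Constructed sample: attacker1 (maintainer) imports attacker-project's members.
SAMPLE_SOURCE_MEMBERS = [
  { user: 'attacker2', access_level: Access::OWNER },
  { user: 'dev1',      access_level: Access::DEVELOPER }
].freeze
```

Run with `import_members(Access::MAINTAINER, SAMPLE_SOURCE_MEMBERS)`: attacker2 lands in `rejected`, dev1 in `allowed`, which is the outcome the report says the import path failed to produce.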