Privilege escalation from maintainer to owner by importing members from a project
:warning: **Please read [the process](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/developer.md) on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.**

**[HackerOne report #1934811](https://hackerone.com/reports/1934811)** by `theluci` on 2023-04-05, assigned to @greg: [Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)

## Report

Hello, this bug is similar to #1576230. The fix to https://gitlab.com/gitlab-org/gitlab/-/issues/356975 can be bypassed if a maintainer imports members from a project.

#### Summary

A maintainer of a project can upgrade or downgrade a member's role or invite new members to the project. However, to protect against privilege escalation from maintainer to owner, GitLab doesn't allow the maintainer to invite new members with the owner role.

![m1.png](https://h1.sec.gitlab.net/a/42103707-d522-46a2-95b2-90b4aa6034a5/m1.png)

Neither does it allow upgrading a member's role to owner.

![m2.png](https://h1.sec.gitlab.net/a/26ced425-55b6-4261-afb1-702040147b64/m2.png)

The check is also implemented in the API, so that a maintainer cannot escalate privileges by changing `"access_level":50`.

However, the check is not implemented when ***importing members from a project***, and **a malicious maintainer can invite another account of his as the owner of a project.**

#### Steps to reproduce

`victim` is the owner of project `victim-project`
`attacker1` is the maintainer of `victim-project`

1. `attacker1` creates a project `attacker-project` and invites his other account `attacker2` as the owner.
2. `attacker1` goes to the `victim-project` membership page: `https://gitlab.com/<victim-group>/<victim-project>/-/project_members`
3. `attacker1` clicks on **Import from a project**
4. `attacker1` selects `attacker-project`

`attacker2` is now the owner of `victim-project`.

(Optional)

5. `attacker2` can now upgrade `attacker1` to owner and remove the `attacker2` account if he wishes.

#### POC

![Import_from_a_project.mp4](https://h1.sec.gitlab.net/a/41ab6bf2-2691-4263-a76c-bbc7d466758e/Import_from_a_project.mp4)

#### Impact

A malicious maintainer can escalate his privileges to those of an owner. He gains access to owner functions such as:

1. Delete project
2. Archive project
3. Transfer project to another namespace
4. Delete merge requests
etc.

#### Output of checks

This bug happens on GitLab.com (probably on self-hosted instances too).

#### Impact

A malicious maintainer can escalate his privileges to those of an owner.

## Attachments

**Warning:** Attachments received through HackerOne, please exercise caution!

* [m1.png](https://h1.sec.gitlab.net/a/42103707-d522-46a2-95b2-90b4aa6034a5/m1.png)
* [m2.png](https://h1.sec.gitlab.net/a/26ced425-55b6-4261-afb1-702040147b64/m2.png)
* [Import_from_a_project.mp4](https://h1.sec.gitlab.net/a/41ab6bf2-2691-4263-a76c-bbc7d466758e/Import_from_a_project.mp4)

## How To Reproduce

Please add [reproducibility information] to this section:

1.
1.
1.

[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues
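The root cause described in the report is that the bulk "import from a project" path skips the grant cap the single-invite path enforces. The following Ruby sketch is an added illustration, not GitLab's code: it shows the unchecked shape beside a hardened one that applies the same cap to every imported membership. The numeric levels follow GitLab's public access scale (the report itself quotes owner as `50`); the member records are constructed sample data.

```ruby
# Added example (not GitLab's code). GitLab access levels, as publicly documented;
# the report quotes "access_level":50 for owner.
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50

# Constructed stand-in for a project membership row.
Member = Struct.new(:username, :access_level)

# Highest level an actor may grant to someone else. Only an owner may grant
# owner; everyone else is capped at their own level, so a maintainer can grant
# at most maintainer. This is the rule the single-invite path already applies.
def max_grantable_level(actor_level)
  actor_level >= OWNER ? OWNER : [actor_level, MAINTAINER].min
end

# Vulnerable shape: memberships of the source project are copied verbatim,
# so an owner row in a project the actor controls becomes an owner row here.
def import_members_unchecked(_actor_level, source_members)
  source_members.map(&:dup)
end

# Hardened shape: every imported row is checked against the actor's cap,
# exactly as a one-off invite would be. Rows above the cap are rejected
# (returned separately so the caller can surface them in the UI and audit log)
# rather than silently applied. Returns [accepted, rejected].
def import_members_checked(actor_level, source_members)
  cap = max_grantable_level(actor_level)
  source_members.partition { |m| m.access_level <= cap }
end

# Constructed scenario: a maintainer (40) imports from a project whose
# membership contains an owner row and a developer row.
def demo
  source = [Member.new("alice", OWNER), Member.new("bob", DEVELOPER)]
  unchecked = import_members_unchecked(MAINTAINER, source)
  accepted, rejected = import_members_checked(MAINTAINER, source)
  {
    unchecked_levels: unchecked.map(&:access_level),   # [50, 30]: owner smuggled in
    accepted: accepted.map(&:username),                # ["bob"]
    rejected: rejected.map(&:username)                 # ["alice"]: blocked by the cap
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```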