CVE-2019-11489

Incorrect Access Control in the Administrative Management Interface in SimplyBook.me Enterprise before 2019-04-23 allows Authenticated Low-Priv Users to Elevate Privileges to Full Admin Rights via a crafted HTTP PUT Request, as demonstrated by modified JSON data to a /v2/rest/ URI

The Vulnerability

A SimplyBook.it/SimplyBook.me management portal user with a low-privileged account (such as read-only access in the Viewer group) can send crafted JSON data in a PUT request to the REST API and reconfigure their own account to grant themselves top-level administrative rights over the whole application, its users and the data belonging to every client of the booking system. From there they can also reconfigure third-party payment account settings (e.g. PayPal, Stripe) and hijack client payments intended for the owner of the service.

Context

The SimplyBook.it/SimplyBook.me site management portal software allows site owners to create very limited user accounts for the purpose of granting read-only access to users or entities that need basic data access only.

This lets untrusted partner agents or junior employees see booking/appointment calendars and service status messages. Such accounts should never be able to alter any configuration data or touch any other area of the site: services, users, clients or financial-service credentials.

Observations & Recommendations

Authorization must be enforced on the server for every configuration change an authenticated user submits. A valid session and a valid X-CSRF token only prove that the request came from a logged-in user's browser; they say nothing about whether that user's role permits the change. The API must therefore check the caller's stored group before accepting a write to a user record, and must never let a non-admin set privileged fields such as their own group. An authenticated low-privilege read-only account may belong to an untrusted junior employee with bad intentions, or it may simply be easier for a criminal attacker to compromise because its owner believes it can do no harm and sees no need to protect the credentials well.

Exploit Example

Here I will demonstrate how an attacker holding a low-privilege Viewer account is able to grant themselves full admin privileges.

I was able to reproduce and confirm the vulnerability consistently using the following steps.

Step 1

First create a restricted Viewer account with read-only access.

Step 2

Log in as the just_a_viewer account. Then access the Welcome page.

Step 3

Proxy the web traffic using a proxy tool such as Burp Suite and then click on the Services & Providers pane.

Step 4

Notice the Access Denied message. The portal UI refuses the Viewer account, but the steps below show that the REST API behind it does not enforce the same restriction.

Step 5

In Burp Suite, select the last request to /v2/rest/plugin, confirm that it carries a valid X-CSRF Token header, and send it to the Repeater tool.

Step 6

Next, open Change password from the Welcome screen and then cancel it. Return to Burp: the request this triggered reveals your user_id, which is needed for the next step.

Step 7

In Repeater, change the request to PUT /v2/rest/user/item/id/5 (5 being the Viewer account's user_id from the previous step) and give it a JSON body describing the account, making sure to set "group":"admin".

Step 8

If all was successful, you should see the same JSON data echoed back in an HTTP 200 OK response.

Step 9

And finally, refresh the browser: the Viewer account now has full administrative privileges in the management portal and can do anything the owner can.
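The following is an added example, not SimplyBook.me's code and not part of the original write-up. It models the PUT /v2/rest/user/item/id/<id> endpoint twice: a vulnerable handler that, like the one described in the Observations & Recommendations section, checks only that the caller has a session and a valid X-CSRF token, and a hardened handler that also checks the caller's stored group before applying the write. It then replays steps 5 to 8 against each. The in-memory user table, the session and CSRF handling, the group names and the request body are assumptions made for the example; only the path, the HTTP method, user id 5, the CSRF token requirement and "group":"admin" come from the write-up.

```python
"""Vulnerable and hardened PUT /v2/rest/user/item/id/<id> handlers.

Added illustration only, not SimplyBook.me's code. The user table, session
store, group names and request shape are assumptions made for this example.
"""
import json
import secrets
from dataclasses import dataclass

# Constructed sample data: the site owner and the read-only Viewer account.
USERS = {
    1: {"id": 1, "login": "owner", "group": "admin"},
    5: {"id": 5, "login": "just_a_viewer", "group": "viewer"},
}
SESSIONS = {}                           # session id -> {"user_id", "csrf"}
PRIVILEGED_FIELDS = {"group"}           # only an admin may write these
VALID_GROUPS = {"admin", "viewer"}      # closed list, no free-text roles


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    cookies: dict
    body: str = ""


def login(user_id):
    """Open a session for user_id and return (session cookie, CSRF token)."""
    sid, csrf = secrets.token_hex(16), secrets.token_hex(16)
    SESSIONS[sid] = {"user_id": user_id, "csrf": csrf}
    return sid, csrf


def _authenticate(req):
    """Return the caller's session, or None if absent or the CSRF token is wrong."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return None
    token = req.headers.get("X-CSRF-Token", "")
    return sess if secrets.compare_digest(token, sess["csrf"]) else None


def _target_id(path):
    """Parse the user id out of /v2/rest/user/item/id/<id>; None if malformed."""
    prefix = "/v2/rest/user/item/id/"
    tail = path[len(prefix):]
    return int(tail) if path.startswith(prefix) and tail.isdigit() else None


def vulnerable_put_user(req):
    """Checks only 'logged in with a valid CSRF token', then mass-assigns the
    JSON body onto the record, "group" included. This is the flaw."""
    if _authenticate(req) is None:
        return 403, {"error": "unauthenticated or bad CSRF token"}
    uid = _target_id(req.path)
    if uid not in USERS:
        return 404, {"error": "no such user"}
    USERS[uid].update(json.loads(req.body))
    return 200, dict(USERS[uid])


def hardened_put_user(req):
    """Same endpoint, but authorization is decided from the caller's stored
    group on the server, never from anything in the request."""
    sess = _authenticate(req)
    if sess is None:
        return 403, {"error": "unauthenticated or bad CSRF token"}
    uid = _target_id(req.path)
    if uid not in USERS:
        return 404, {"error": "no such user"}
    try:
        changes = json.loads(req.body)
    except ValueError:
        changes = None
    if not isinstance(changes, dict):
        return 400, {"error": "body must be a JSON object"}
    caller = USERS[sess["user_id"]]
    if caller["group"] != "admin":
        # A non-admin may edit only its own record, and never a privileged field.
        if uid != caller["id"] or PRIVILEGED_FIELDS.intersection(changes):
            return 403, {"error": "forbidden"}
    if "group" in changes and changes["group"] not in VALID_GROUPS:
        return 400, {"error": "unknown group"}
    USERS[uid].update(changes)
    return 200, dict(USERS[uid])


def put_user_as(handler, caller_id, target_id, changes):
    """Log in as caller_id and PUT `changes` to target_id's record via handler."""
    sid, csrf = login(caller_id)
    req = Request("PUT", "/v2/rest/user/item/id/%d" % target_id,
                  headers={"X-CSRF-Token": csrf, "Content-Type": "application/json"},
                  cookies={"session": sid}, body=json.dumps(changes))
    return handler(req)


def viewer_escalation(handler):
    """Replay steps 5-8: the Viewer (id 5) PUTs its own record with
    "group":"admin". Returns (HTTP status, the Viewer's resulting group)."""
    USERS[5]["group"] = "viewer"                      # reset between runs
    status, _ = put_user_as(handler, 5, 5,
                            {"id": 5, "login": "just_a_viewer", "group": "admin"})
    return status, USERS[5]["group"]


if __name__ == "__main__":
    print("vulnerable:", viewer_escalation(vulnerable_put_user))   # (200, 'admin')
    print("hardened:  ", viewer_escalation(hardened_put_user))     # (403, 'viewer')
```

The hardened handler still accepts the write when the site owner (id 1) promotes a user, still lets the Viewer change its own non-privileged fields, and rejects an unknown group name; the only thing it refuses is exactly the request from step 7. Note that the fix is a server-side decision based on the caller's stored role; the CSRF check is kept but is not what decides authorization.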

Vendor Response

(covers CVE-2019-11488 & CVE-2019-11489)
13-April-2019: Vendor is first sent the details of the vulnerabilities.
23-April-2019: Notified of fix and bounty award by the vendor.

Hello,

Thank you.

As a reward for accepted vulnerabilities we will pay you 600USD, since we consider them as average seriousness:

(1) with admin access issue, the attacker, employee of same company as he would already need access, can only affect the system internally (not cross-system) and

(2) with hash issue the attacker needs to have access to user’s browser data.

Obviously both issues that should absolutely not be there, and have been fixed already, and we are thankful for you pointing them out to us.

. . .

Additionally we will give you 2 years of premium access to our system.

Best regards, Elina - Security Manager

Overall it was a positive experience communicating with the SimplyBook.me team, and I was glad to see the devs work to apply a fix within 10 days.

Thanks for reading,
Please Comment Below.

The CybrGrade UK Team