Insecure permission: A normal user can escalate his/her role to admin

### Overview
There exists an **insecure permission** in BRCC from version **1.0.1** to latest. A normal user can escalate his/her role to admin via a POST request.

**The affected interface** is **/console/admin/updateAdmin/{userId}**.  
This interface allows normal users to arbitrarily modify their own roles.

### Details
**Affected Function**: com.baidu.brcc.controller.AdminController#updateAdmin
![1](https://github.com/user-attachments/assets/41f71b51-4ebf-47ae-b777-ea61cf8026b2)

The validation logic in the interface implementation:
1. Whether the user is in an available state.
2. Whether the user is an administrator; if not, it only needs to be verified whether they are modifying their own data.

The interface implementation did not validate whether non-administrator users could modify their own roles, thus allowing normal users to change their roles to administrator without any restrictions.

### Exploit

![2](https://github.com/user-attachments/assets/49b5a9b8-0312-4a26-a680-6011f64925d0)
**test001** is a normal user, the code of role is 0.
**rcc-token** in the header of request is the token of **test001**.
![Pasted image 20241016171146](https://github.com/user-attachments/assets/046c379c-b6cc-4edf-bdaf-8358971127b1)

It's successful. **test001** has become an administrator.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Insecure permission: A normal user can escalate his/her role to admin #190

Overview

Details

Exploit

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Insecure permission: A normal user can escalate his/her role to admin #190

Description

Overview

Details

Exploit

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions