Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] User priv escalation #351

Open
ZerkerEOD opened this issue Jan 26, 2022 · 0 comments
Open

[Bug] User priv escalation #351

ZerkerEOD opened this issue Jan 26, 2022 · 0 comments
Assignees
@cobbr

Comments

@ZerkerEOD
Copy link

Feature Request or Bug
Bug

Describe the feature request or bug
It seems a normal user can alter their privileges and upgrade to Administrator themselves.

To Reproduce
Steps to reproduce the behavior:

  1. Log in as a user
  2. Select Users on the left.
  3. Click on your user.
  4. Select the drop down for edit roles
  5. Click Administrator and wait for a checkmark
  6. Click on the screen anywhere to dismiss the dropdown
  7. Click edit roles
  8. Your user will be an administrator and show when you get back to list all users.

Expected behavior
A user should not be able to give themselves administrator roles

Screenshots
I do not think this needs a screen shot since it is pretty straight forward and not a specific error being displayed during operation.

Covenant Server Information:

  • OS: Ubuntu 20.04.3
  • Docker or Native: Native

Browser Information:

  • Browser Chrome
  • Version Version 97.0.4692.99 (Official Build) (64-bit)

Target Information (System that implant is running on):
Not Applicable

Additional context
No additional context
@ZerkerEOD ZerkerEOD changed the title [Bug|Feature Request] Short Description of Issue [Bug] User priv escalation Jan 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cobbr cobbr

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cobbr @ZerkerEOD