Headline
GHSA-gq3g-666w-7h85: Grav Exposes Password Hashes Leading to privilege escalation
Exposure of Password Hashes Leading to privilege escalation
Severity Rating: Medium
Vector: Privilege Escalation
CVE: XXX
CWE: 200 - Exposure of Sensitive Information
CVSS Score: 6.2
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
Analysis
It was observed that if a users is given read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes.
An attacker with read access can:
- View and potentially crack the password hashes.
- Gain administrative access by cracking the admin password hash.
- Escalate privileges and compromise the entire admin panel.
Proof of Concept
- Give read access to user accounts to a random user as shown in the following figures:
Log in to the admin panel with an account that has read access to user accounts and navigate to the user account management section.
Go to the admin profile
http://127.0.0.1/admin/accounts/users/admin; The password is not display. Try inspecting the page source code as shown in the following figures:You can see that it match the hash that is in the admin.yaml file :
- Crack the hash as shown in the following figure, the algorithm use here is bcrypt:
Workarounds
No workaround is currently known
Timeline
2024-07-24 Issue identified
2024-09-27 Vendor contacted
About X41 D-Sec GmbH
X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.
Exposure of Password Hashes Leading to privilege escalation
Severity Rating: Medium
Vector: Privilege Escalation
CVE: XXX
CWE: 200 - Exposure of Sensitive Information
CVSS Score: 6.2
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
Analysis
It was observed that if a users is given read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes.
An attacker with read access can:
- View and potentially crack the password hashes.
- Gain administrative access by cracking the admin password hash.
- Escalate privileges and compromise the entire admin panel.
Proof of Concept
- Give read access to user accounts to a random user as shown in the following figures:
Log in to the admin panel with an account that has read access to user accounts and navigate to the user account management section.
Go to the admin profile http://127.0.0.1/admin/accounts/users/admin; The password is not display. Try inspecting the page source code as shown in the following figures:
You can see that it match the hash that is in the admin.yaml file :
Crack the hash as shown in the following figure, the algorithm use here is bcrypt:
Workarounds
No workaround is currently known
Timeline
2024-07-24 Issue identified
2024-09-27 Vendor contacted
About X41 D-Sec GmbH
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of information
security, a strong core security team of world class security experts enables
X41 to perform premium security services.
Fields of expertise in the area of application security are security centered
code reviews, binary reverse engineering and vulnerability discovery.
Custom research and IT security consulting and support services are core
competencies of X41.
References
- GHSA-gq3g-666w-7h85
- https://nvd.nist.gov/vuln/detail/CVE-2025-66304
- getgrav/grav@9d11094