Published: 31/07/2013 Updated: 13/08/2018
CVSS v2 Base Score: 6 | Impact Score: 6.4 | Exploitability Score: 6.8
VMScore: 645
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

Vulnerability Summary

The create method in app/controllers/users_controller.rb in Foreman prior to 1.2.0-RC2 allows remote authenticated users with permissions to create or edit other users to gain privileges by (1) changing the admin flag or (2) assigning an arbitrary role.
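
One way to close this class of mass-assignment bug is to allowlist attributes per caller before they reach the model. The following is an added example, not Foreman's code or its actual fix; `Actor`, `filter_user_params`, `unfiltered_user_params`, the key lists and the sample request are all hypothetical and constructed for illustration.

```ruby
# Added illustration (not Foreman's code): allowlist filtering so that
# privilege-bearing user attributes cannot be mass-assigned by non-admins.
# All names below (Actor, filter_user_params, key lists) are hypothetical.

Actor = Struct.new(:login, :admin)

# Attributes any caller with user-management permission may set.
BASE_KEYS = %w[login firstname lastname mail password].freeze
# Privilege-bearing attributes: only an existing administrator may set these.
PRIVILEGED_KEYS = %w[admin role_ids].freeze

# Returns [accepted, rejected]. `accepted` is safe to hand to a model's
# constructor or update call; `rejected` lists dropped keys for audit logging.
def filter_user_params(actor, submitted)
  allowed = actor.admin ? BASE_KEYS + PRIVILEGED_KEYS : BASE_KEYS
  params = submitted.transform_keys(&:to_s) # treat :admin and "admin" alike
  accepted = params.select { |key, _| allowed.include?(key) }
  rejected = params.keys - accepted.keys
  [accepted, rejected]
end

# Vulnerable pattern, for contrast: every submitted key reaches the model,
# so the caller decides whether the new account is an administrator.
def unfiltered_user_params(_actor, submitted)
  [submitted.transform_keys(&:to_s), []]
end

# Constructed sample request body sent by a non-admin account that is
# allowed to create users. Mixed string/symbol keys are deliberate.
SAMPLE = { "login" => "newuser", "mail" => "new@example.test",
           "admin" => true, :role_ids => [1] }.freeze

if __FILE__ == $PROGRAM_NAME
  manager = Actor.new("manager", false)
  accepted, rejected = filter_user_params(manager, SAMPLE)
  puts "accepted: #{accepted.inspect}"
  puts "rejected (log for review): #{rejected.inspect}"
end
```

A non-empty `rejected` list from a non-admin caller is worth logging, since a legitimate user-creation form would not submit those keys.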

Affected Products

Vendor | Product | Versions
Theforeman | Foreman | 1.1, 1.2.0


    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # web site for more information on licensing and terms of use.
    #   http://metasploit.com/
    ##

    require 'msf/core'

    class Metasploit4 < Msf::Auxiliary

      include Msf::Exploit::Remote::HttpClient

      def in ...

Metasploit Modules

Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment

This module exploits a mass assignment vulnerability in the 'create' action of 'users' controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator account. For this exploit to work, your account must have 'create_users' permission (e.g., Manager role).

    msf > use auxiliary/admin/http/foreman_openstack_satellite_priv_esc
    msf auxiliary(foreman_openstack_satellite_priv_esc) > show actions
    msf auxiliary(foreman_openstack_satellite_priv_esc) > set ACTION <action-name>
    msf auxiliary(foreman_openstack_satellite_priv_esc) > show options
        ...show and set options...
    msf auxiliary(foreman_openstack_satellite_priv_esc) > run

GitHub Repositories

Vulnerabilities

These are some of the vulnerabilities I have discovered over the years either by conducting fuzz tests or performing source code reviews:

CVE-2013-2143 The users controller in Katello 150-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a use