The create method in app/controllers/users_controller.rb in Foreman prior to 1.2.0-RC2 allows remote authenticated users with permissions to create or edit other users to gain privileges by (1) changing the admin flag or (2) assigning an arbitrary role.
This module exploits a mass assignment vulnerability in the 'create' action of the 'users' controller in Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator account. For this exploit to work, the account you authenticate with must have the 'create_users' permission (e.g., the Manager role); it does not need to be an administrator, which is the point of the privilege escalation.
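To make the bug concrete, here is an added example (not Foreman's code and not the Metasploit module) that models the vulnerable controller shape described above beside a hardened version. It assumes a toy User class with Rails-3-style mass assignment, a hypothetical CurrentUser struct carrying a permission set, and the two privileged fields named in the advisory (admin and role_ids); everything else is constructed for the example.

```ruby
# Added example: toy model of the users#create mass-assignment bug and one way
# to close it. Not Foreman's code; the User and CurrentUser classes are
# assumptions made for the example.
require 'set'

class User
  ATTRS = %i[login mail password admin role_ids].freeze
  attr_accessor(*ATTRS)

  def initialize(attrs = {})
    @admin = false
    @role_ids = []
    assign_attributes(attrs)
  end

  # Rails-3-style mass assignment: every key in the hash becomes a setter call,
  # so whoever controls the hash controls every attribute, admin included.
  def assign_attributes(attrs)
    attrs.each do |k, v|
      k = k.to_sym
      raise ArgumentError, "unknown attribute #{k}" unless ATTRS.include?(k)
      public_send("#{k}=", v)
    end
    self
  end
end

# Hypothetical caller: login, admin flag, and a Set of permission symbols.
CurrentUser = Struct.new(:login, :admin, :permissions)

def authorize_create!(current_user)
  return if current_user.admin || current_user.permissions.include?(:create_users)
  raise 'forbidden: create_users permission required'
end

# Vulnerable shape (Foreman prior to 1.2.0-RC2): the authorization check only
# asks "may this user create users?", then hands the whole params['user'] hash
# to the model. A Manager can therefore submit admin=true or an arbitrary
# role_ids list and mint an administrator.
def vulnerable_create(current_user, params)
  authorize_create!(current_user)
  User.new(params.fetch('user', {}))
end

# Hardened shape: whitelist the attributes a create_users holder may set and
# treat admin/role_ids as privileged fields that only an administrator may
# touch. Unknown or privileged keys from a non-admin are dropped, not applied.
SAFE_ATTRS = %w[login mail password].freeze
PRIVILEGED_ATTRS = %w[admin role_ids].freeze

def safe_create(current_user, params)
  authorize_create!(current_user)
  raw = params.fetch('user', {})
  allowed = raw.select { |k, _| SAFE_ATTRS.include?(k.to_s) }
  if current_user.admin
    allowed.merge!(raw.select { |k, _| PRIVILEGED_ATTRS.include?(k.to_s) })
  end
  User.new(allowed)
end

if __FILE__ == $0
  # Constructed request body: what a low-privileged Manager would POST.
  manager = CurrentUser.new('manager', false, Set[:create_users])
  evil = { 'user' => { 'login' => 'mallory', 'password' => 'x',
                       'admin' => true, 'role_ids' => [1] } }
  v = vulnerable_create(manager, evil)
  s = safe_create(manager, evil)
  puts "vulnerable: admin=#{v.admin} role_ids=#{v.role_ids.inspect}"
  puts "hardened:   admin=#{s.admin} role_ids=#{s.role_ids.inspect}"
end
```

The hardened version keeps the same authorization check; the fix is in what the check is allowed to reach, which is why a mass-assignment bug is an authorization bug even when every action is behind a permission. In a real Rails 3 app the same effect is reached with attr_protected/attr_accessible on the model or a per-caller parameter whitelist in the controller; the example spells the whitelist out so the privileged-field boundary is visible.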
msf > use auxiliary/admin/http/foreman_openstack_satellite_priv_esc
msf auxiliary(foreman_openstack_satellite_priv_esc) > show actions
    ...actions...
msf auxiliary(foreman_openstack_satellite_priv_esc) > set ACTION <action-name>
msf auxiliary(foreman_openstack_satellite_priv_esc) > show options
    ...show and set options...
msf auxiliary(foreman_openstack_satellite_priv_esc) > run
Vulnerabilities

These are some of the vulnerabilities I have discovered over the years either by conducting fuzz tests or performing source code reviews: CVE-2013-2143 The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a use