Privilege Escalation Using SCIM Provisioning


Ronak Patel

Hi Fellow Hackers!!!

Happy New Year!!!

This write-up is about the same program I mentioned in my other article: https://medium.com/@ronak-9889/admin-account-takeover-ab7535fe0fdb

As mentioned in that write-up, this program introduced a new feature called “Custom role”, which allows an admin to create users with custom permissions. One of the permissions that could be assigned was “Access to security section”.

As seen above, imagine the admin has created a user with a custom role that has only the “Access to security section” admin permission.

As seen in the screenshot below, the admin has created the custom role “test scim” and assigned it to the user “james parker”.

The security section of this application contained a feature, “SCIM provisioning”, which allows user data to be created, updated and deleted through an identity provider.

For those who are not familiar with SCIM, I am referring to the link below to understand the concept.

There were many identity provider options available, but I used OKTA to test this.

To complete the setup, one needs to generate a SCIM provisioning URL and token, as per the screenshot below, and provide them at the identity provider end (OKTA).

Our application was already available to add at OKTA to enable SCIM, as in the screenshot below. For privacy reasons I am hiding the app name but mentioning the steps needed at the identity provider end (OKTA).

After installing this app at OKTA, we need to enable SCIM provisioning by providing the SCIM provisioning URL and token generated at our target in the previous steps.

For a detailed guide on setting up the SCIM integration, please refer to the link below.

After finishing the above setup, our user with the custom role “test scim” could create a user at OKTA, which would then be updated at our target.

Everything is fine until now. The BUG here is that, using this user with the custom role, we could enable SCIM provisioning, create a user at the identity provider (OKTA) with the User Type attribute “ADMIN”, and assign it to our application, as per the screenshot below.

We created a user with the same email and username mentioned above, “James parker”, which has the custom role at the target. BUT at the identity provider we set the User Type to “ADMIN”, as shown above.

Our existing user at the target got updated to Admin and got full access, as shown below.

In summary, with access to only the security section of the admin area, we integrated SCIM and created the same user at the identity provider with the Admin User Type attribute. As SCIM takes precedence over the target, our user got updated as per the identity provider attribute and got FULL access (Admin).
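To make the root cause concrete, here is an added example (not the target application's code, and not from the author) of a minimal SCIM 2.0 User update handler on the service-provider side. The first handler reproduces the trust failure described above: the `userType` attribute pushed by the identity provider overwrites the local role unconditionally. The second adds the check a defender would want: a SCIM token can never set a role above the one held by the account that generated it, so a token minted from the "security section" by a custom-role user cannot promote anyone to admin. The role names, the `ProvisioningToken` and `LocalUser` types, the `issuer_role` field and the sample SCIM message are all constructed assumptions for the illustration.

```python
"""Added example: SCIM /Users update handling, vulnerable vs. hardened.
All names and the sample payload are assumptions, not the target app's code."""
import json
from dataclasses import dataclass

# Privilege ranking of the hypothetical target application (constructed).
ROLE_RANK = {"member": 0, "custom": 1, "admin": 2}


@dataclass
class ProvisioningToken:
    """SCIM bearer token. `issuer_role` records the role of the account that
    generated the token in the security section (assumed field)."""
    token: str
    issuer_role: str


@dataclass
class LocalUser:
    username: str
    email: str
    role: str


# Constructed SCIM 2.0 User resource as an IdP would PUT it to /Users/{id}.
# `userType` is a free-text core-schema attribute (RFC 7643 4.1.1), so the
# IdP administrator can set it to anything, including "ADMIN".
SAMPLE_PUSH = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "james.parker",
    "emails": [{"value": "james.parker@example.com", "primary": True}],
    "userType": "ADMIN",
})


def parse_scim_user(body: str) -> dict:
    """Extract the fields the target maps onto its local user record."""
    doc = json.loads(body)
    if "urn:ietf:params:scim:schemas:core:2.0:User" not in doc.get("schemas", []):
        raise ValueError("not a SCIM core User resource")
    primary = next((e["value"] for e in doc.get("emails", []) if e.get("primary")), None)
    return {
        "username": doc["userName"],
        "email": primary,
        "user_type": (doc.get("userType") or "member").lower(),
    }


def apply_scim_update_unsafe(users: dict, token: ProvisioningToken, body: str) -> LocalUser:
    """Vulnerable behaviour from the write-up: the IdP attribute always wins,
    so whoever controls the IdP side controls the local role."""
    attrs = parse_scim_user(body)
    user = users[attrs["username"]]
    user.role = attrs["user_type"]  # trusts userType from the IdP as-is
    return user


def apply_scim_update_safe(users: dict, token: ProvisioningToken, body: str) -> LocalUser:
    """Hardened: the integration's privilege ceiling is the role of the account
    that issued the token; a request above that ceiling is rejected and logged."""
    attrs = parse_scim_user(body)
    user = users[attrs["username"]]
    requested = attrs["user_type"]
    if requested not in ROLE_RANK:
        raise ValueError(f"unknown role {requested!r}")
    if ROLE_RANK[requested] > ROLE_RANK[token.issuer_role]:
        # Log the attempt so an escalation via SCIM shows up in review.
        print(f"[scim] blocked: token issued by {token.issuer_role!r} "
              f"tried to set {user.username} to {requested!r}")
        raise PermissionError("SCIM update exceeds token issuer's privilege")
    user.role = requested
    return user


def fresh_users() -> dict:
    """Constructed local directory: one custom-role user, as in the write-up."""
    return {"james.parker": LocalUser("james.parker", "james.parker@example.com", "custom")}


def demo() -> dict:
    """Run both handlers against the same push with a custom-role token."""
    token = ProvisioningToken(token="constructed-token", issuer_role="custom")
    unsafe_role = apply_scim_update_unsafe(fresh_users(), token, SAMPLE_PUSH).role

    users = fresh_users()
    try:
        apply_scim_update_safe(users, token, SAMPLE_PUSH)
        blocked = False
    except PermissionError:
        blocked = True

    # A change within the ceiling (demotion to member) is still allowed.
    downgrade = json.loads(SAMPLE_PUSH)
    downgrade["userType"] = "member"
    downgraded = apply_scim_update_safe(users, token, json.dumps(downgrade)).role
    return {"unsafe_role": unsafe_role, "safe_blocked": blocked, "safe_downgrade_role": downgraded}


if __name__ == "__main__":
    print(demo())
```

The ceiling check is one of two complementary fixes; the other is to require full admin rights to mint a SCIM token in the first place, so that "Access to security section" on its own cannot bootstrap an identity-provider integration that outranks the user who configured it.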

Thanks for reading. Hope this was informative.
