Overview
There exists an insecure permission in BRCC from version 1.0.1 to latest. A normal user can escalate his/her role to admin via a POST request.
The affected interface is /console/admin/updateAdmin/{userId}.
This interface allows normal users to arbitrarily modify their own roles.
Details
Affected Function: com.baidu.brcc.controller.AdminController#updateAdmin

The validation logic in the interface implementation:
- Whether the user is in an available state.
- Whether the user is an administrator; if not, it only needs to be verified whether they are modifying their own data.
The interface implementation did not validate whether non-administrator users could modify their own roles, thus allowing normal users to change their roles to administrator without any restrictions.
Exploit

test001 is a normal user, the code of role is 0.
rcc-token in the header of request is the token of test001.

It's successful. test001 has become an administrator.
Overview
There exists an insecure permission in BRCC from version 1.0.1 to latest. A normal user can escalate his/her role to admin via a POST request.
The affected interface is /console/admin/updateAdmin/{userId}.
This interface allows normal users to arbitrarily modify their own roles.
Details
Affected Function: com.baidu.brcc.controller.AdminController#updateAdmin

The validation logic in the interface implementation:
The interface implementation did not validate whether non-administrator users could modify their own roles, thus allowing normal users to change their roles to administrator without any restrictions.
Exploit
test001 is a normal user, the code of role is 0.
rcc-token in the header of request is the token of test001.
It's successful. test001 has become an administrator.