CVE-2024-46986 – Arbitrary File Write in Camaleon CMS Leading to RCE

CVE-2024-46986 is a critical arbitrary file write vulnerability affecting Camaleon CMS versions prior to 2.8.2. The flaw allows authenticated attackers to write files to arbitrary paths on the file system due to improper input sanitization, enabling them to execute remote code under certain conditions.

• CVE ID: CVE-2024-46986
• Severity: Critical
• CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
• EPSS Score: 86.38%
• Published: September 18, 2024
• Affected Versions: <= 2.8.2
• Patched Version: 2.8.2+

The vulnerability lies in the upload method of the MediaController, where the folder parameter is passed directly to file handling logic without proper path validation. By crafting a path using directory traversal sequences (../../), an attacker can break out of the intended upload directory and write malicious files anywhere within the web root—or worse, into Rails initializer paths like:

config/initializers/malicious.rb

If such a file is placed correctly, it will be executed upon the next application restart or reload, achieving full Remote Code Execution (RCE) with the web server’s privileges.

• Valid user credentials (authenticated low-priv user access)
  
• Ability to upload a file (no restriction on file type)
  
• File system permissions allowing write to target paths
  
• Web server restart to trigger execution (if targeting Rails initializer)

In this code, params[:folder] is directly passed to the upload_file method without sanitization. This oversight allows an authenticated attacker to manipulate the folder parameter to traverse directories and write files to arbitrary locations on the server, potentially leading to remote code execution.

def upload(settings = {})
  params[:dimension] = nil

  if params[:skip_auto_crop].present?
    f = { error: 'File not found.' }

  if params[:file_upload].present?
    f = upload_file(params[:file_upload], 
    { folder: params[:folder], dimension: params['dimension'], formats: params[:formats], versions: params[:versions], thumb_size: params[:thumb_size] }.merge(settings))

  end

  [...]

end

A public PoC demonstrating this vulnerability is available at https://github.com/vidura2/CVE-2024-46986. The PoC automates the exploitation process by:

1. Authenticate: Log in to the Camaleon CMS instance with valid credentials.
   
2. Craft Malicious File: Prepare a Ruby script with malicious code.
   
3. Upload File: Use the vulnerable upload method to place the file into a sensitive directory, such as config/initializers/.
   
4. Trigger Execution: Restart the application or wait for a restart to occur, leading to the execution of the malicious code.

• Upgrade: Update Camaleon CMS to version 2.8.2 or later, where this issue has been addressed.
  
• Restrict Access: Limit access to the CMS to trusted users.
  
• Monitor Logs: Regularly review server logs for suspicious activity.
  
• Implement WAF: Use a Web Application Firewall to detect and block malicious requests.

There are no known workarounds for this vulnerability; upgrading is the recommended course of action.

• NVD Advisory
• Wiz.io Analysis
• GitHub Advisory
• PoC Exploit