Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Apache CouchDB 2.0.0 - Local Privilege Escalation Vulnerability

🗓️ 05 Dec 2016 00:00:00Reported by hyp3rlinxType 
zdt
 zdt🔗 0day.today👁 56 Views

Apache CouchDB 2.0.0 Privilege Escalation Vulnerability allows arbitrary code executio

Code
[+] Credits: John Page aka hyp3rlinx
 
 
Vendor:
==================
couchdb.apache.org
 
 
 
Product:
==============
CouchDB v2.0.0
 
Apache CouchDB is open source database software that focuses on ease of use
and having an architecture. It has a document-oriented
NoSQL database architecture and is implemented in the concurrency-oriented
language Erlang; it uses JSON to store data, JavaScript
as its query language using MapReduce, and HTTP for an API.
 
 
Vulnerability Type:
===================
Privilege Escalation (Insecure File Permissions)
 
 
 
 
Vulnerability Details:
=====================
 
CouchDB sets weak file permissions potentially allowing 'Standard' Windows
users to elevate privileges. The "nssm.exe" (Apache CouchDB)
executable can be replaced by a 'Standard' non administrator user, allowing
them to add a backdoor Administrator account once the
"Apache CouchDB" service is restarted or system rebooted.
 
As Apache CouchDB runs as LOCALSYSTEM, standard users can now execute
arbitrary code with the privileges of the SYSTEM.
 
Issue is the 'C' flag (Change) for 'Authenticated Users' group.
 
 
e.g.
 
c:\CouchDB>cacls * | findstr Users
 
               BUILTIN\Users:(OI)(CI)(ID)R
               NT AUTHORITY\Authenticated Users:(ID)C
               NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
                BUILTIN\Users:(OI)(CI)(ID)R
                NT AUTHORITY\Authenticated Users:(ID)C
                NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
                    BUILTIN\Users:(OI)(CI)(ID)R
                    NT AUTHORITY\Authenticated Users:(ID)C
                    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
 
 
 
c:\CouchDB>sc qc "Apache CouchDB"
[SC] QueryServiceConfig SUCCESS
 
SERVICE_NAME: Apache CouchDB
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\CouchDB\bin\nssm.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Apache CouchDB
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#  0day.today [2018-03-28]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Dec 2016 00:00Current
6.8Medium risk
Vulners AI Score6.8
couchdbprivilege escalationfile permissionswindows userslocalsysteminsecurearbitrary code executionapache couchdbjsonmapreducehttp api
56