
How to analyze CouchDB vulnerabilities

2025-01-16 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

Today I will walk through how to analyze the CouchDB vulnerabilities. Many readers may not be familiar with them, so the editor has summarized the following to make them easier to understand. I hope you take something away from this article.

0x00 Document Information

Apache CouchDB is an open source database focused on ease of use and on being a "database that fully embraces the web" [1]. It is a NoSQL database that uses JSON as its storage format, JavaScript as its query language, MapReduce for views, and HTTP as its API. It is widely deployed: the BBC uses it in its dynamic content presentation platform, Credit Suisse in the market framework of its internal commodities department, and Meebo in its social platform (web and applications).

On November 15, 2017, CVE-2017-12635 and CVE-2017-12636 disclosed that CouchDB was affected by remote code execution. The arbitrary command execution behind CVE-2017-12636 had already been disclosed as early as 2016, but it did not attract attention at the time.

0x01 Vulnerability Overview

CVE-2017-12635 is caused by Erlang and JavaScript parsing the same JSON differently, so that the two sides act on different values. A non-administrator user can use this to grant themselves administrator rights.

CVE-2017-12636 stems from the design of the database itself: an administrator can change the server configuration through the HTTP(S) API. Some configuration options accept the path of an executable, which CouchDB then runs with the privileges of the database process. Combined with CVE-2017-12635, this yields remote code execution.

0x02 Vulnerability Analysis

The problem with CVE-2017-12635 is that Erlang and JavaScript have different ways of handling repeated keys in JSON, such as {"a": "1", "a": "2"}.

Erlang:

For a given key, the Erlang parser stores both values, whereas JavaScript keeps only the second value. In jiffy's implementation, however, the getter function returns only the first value.

Apart from the JavaScript validation scripts, almost all of the important authentication and authorization logic lives in the Erlang part of CouchDB, so the two views of the same document diverge and the current user can be given the "_admin" identity.

Checking the source code of the jiffy parser and navigating to the patch:

Looking at the patch, a dedupe_keys option was added to flag duplicate keys, and the make_object function was rewritten so that jiffy parses JSON the same way JavaScript does.
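The parser divergence described above, as an added example that is not part of the original write-up or of CouchDB's code. It emulates the three behaviours in plain Python: a last-wins parser (JavaScript's behaviour), a first-wins parser (the jiffy getter behaviour the text describes), and a strict parser that refuses duplicate keys outright, which is the defensive property the dedupe_keys patch restores. The `roles` document is constructed for illustration; the `{"a": "1", "a": "2"}` object is the one from the text.

```python
import json

# Constructed samples: the duplicate-key object from the write-up, and a
# user document (constructed here) whose repeated "roles" key shows why a
# first-wins and a last-wins consumer disagree about authorization.
DUP_SIMPLE = '{"a": "1", "a": "2"}'
DUP_ROLES = '{"_id": "org.couchdb.user:alice", "roles": [], "roles": ["_admin"]}'


def parse_last_wins(text):
    """Emulates JavaScript's JSON.parse: a later duplicate overwrites an earlier one.
    Python's json module already behaves this way."""
    return json.loads(text)


def parse_first_wins(text):
    """Emulates a getter that returns the first stored value for a key
    (the jiffy behaviour described in the write-up)."""
    def first_wins(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)  # keep the first, ignore the rest
        return out
    return json.loads(text, object_pairs_hook=first_wins)


class DuplicateKeyError(ValueError):
    """Raised when any object in the document repeats a key."""


def parse_strict(text):
    """Reject documents with repeated keys so every consumer, whichever value
    it would have picked, sees exactly the same document."""
    def check(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                raise DuplicateKeyError(f"duplicate key {key!r}")
            seen.add(key)
        return dict(pairs)
    # object_pairs_hook is invoked for nested objects too, so the check is deep.
    return json.loads(text, object_pairs_hook=check)


def views_disagree(text, key):
    """True when a first-wins and a last-wins reader would see different values."""
    return parse_first_wins(text).get(key) != parse_last_wins(text).get(key)


def is_safe(text):
    """True when the document has no duplicate keys anywhere."""
    try:
        parse_strict(text)
        return True
    except DuplicateKeyError:
        return False


if __name__ == "__main__":
    for doc in (DUP_SIMPLE, DUP_ROLES):
        print(doc, "-> first:", parse_first_wins(doc), "last:", parse_last_wins(doc),
              "safe:", is_safe(doc))
```

The strict parser is the property to enforce at any trust boundary that hands JSON to more than one consumer: a validation layer that checks one interpretation while the authorization layer acts on another is exactly the gap this CVE exploited.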

The CVE-2017-12636 vulnerability lies in the design of CouchDB itself. CouchDB allows its configuration to be changed externally through its own HTTP(S) API, and some configuration options hold the paths of operating-system-level binaries that CouchDB then launches. Getting a shell from here is usually easy, because the "query_servers" section lets you define a custom query language, and a query server entry is essentially just a wrapper around execv.

You can construct a simple PoC to verify this:

Change the query_servers configuration, create a temporary table, and invoke the query server to process the data. This executes the shell and writes the ifconfig output to the specified file /tmp/6668.

Chained with the CVE-2017-12635 privilege escalation above, this achieves remote code execution:

0x03 Impact Across the Internet

According to the real-time view of the 360CERT network-wide asset retrieval platform, a total of 4943 CouchDB services are exposed on the public Internet, mainly in the United States.

Domestic statistics are dominated by Guangdong and Beijing.

0x04 Remediation Recommendations

1. All users should upgrade to CouchDB 1.7.1 or 2.1.1.

2. Restrict which configuration parameters the HTTP API may change, and add sensitive configuration sections to the blacklist.
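The configuration-write path described in 0x02 and the blacklist recommendation in 0x04, as an added example that is not part of the original write-up or of CouchDB's code. It implements the defender's side twice over the same rule: a request filter that answers whether a configuration write should be refused, and a detector that runs that rule over HTTP access-log lines and reports the writes that did reach a sensitive section. The set of sensitive sections is an assumption for the example (query_servers is the section named in the text; native_query_servers and admins are added on the same reasoning), and the log line format, client addresses and the key name `cmd` are constructed for the example rather than CouchDB's own log format. The `/_node/<name>/_config/...` form is the per-node configuration route of CouchDB 2.x.

```python
import re
from dataclasses import dataclass

# Assumed set of configuration sections that can point CouchDB at an
# operating-system binary or change who is trusted. Extend for your deployment.
SENSITIVE_SECTIONS = {"query_servers", "native_query_servers", "admins"}

# HTTP methods that change configuration; GET is a read and stays allowed.
MUTATING_METHODS = {"PUT", "DELETE"}

# Matches /_config/<section>[/<key>] and the 2.x per-node form
# /_node/<node>/_config/<section>[/<key>].
CONFIG_PATH = re.compile(
    r"^(?:/_node/[^/]+)?/_config/(?P<section>[^/?]+)(?:/(?P<key>[^/?]+))?"
)

# Constructed access-log format for the example: client user method path status.
LOG_LINE = re.compile(
    r"^(?P<client>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
10.0.0.7 admin GET /_config/query_servers 200
10.0.0.7 admin PUT /_config/query_servers/cmd 200
10.0.0.7 admin PUT /_node/couchdb@db1/_config/query_servers/cmd 200
10.0.0.8 alice PUT /mydb/doc1 201
10.0.0.9 admin PUT /_config/log/level 200
10.0.0.9 admin DELETE /_config/admins/bob 200
"""


@dataclass
class Finding:
    client: str
    user: str
    method: str
    path: str
    section: str
    status: int


def is_blocked_config_write(method, path, sensitive=SENSITIVE_SECTIONS):
    """Filter rule: True when a request writes to a blacklisted config section.
    Reads and writes to other sections pass through unchanged."""
    if method not in MUTATING_METHODS:
        return False
    match = CONFIG_PATH.match(path)
    return bool(match) and match["section"] in sensitive


def find_sensitive_config_writes(lines, sensitive=SENSITIVE_SECTIONS):
    """Detection: apply the same rule over log lines and return the hits,
    so writes that reached a sensitive section can be triaged."""
    findings = []
    for line in lines:
        entry = LOG_LINE.match(line.strip())
        if not entry:
            continue  # skip lines not in the expected format
        if not is_blocked_config_write(entry["method"], entry["path"], sensitive):
            continue
        section = CONFIG_PATH.match(entry["path"])["section"]
        findings.append(Finding(entry["client"], entry["user"], entry["method"],
                                entry["path"], section, int(entry["status"])))
    return findings


if __name__ == "__main__":
    for hit in find_sensitive_config_writes(SAMPLE_LOG.splitlines()):
        print(f"{hit.client} ({hit.user}) {hit.method} {hit.path} -> "
              f"section {hit.section!r}, status {hit.status}")
```

A status of 200 on a flagged line means the write was accepted by the server, which on an unpatched version is the moment the query server path changed; on a patched or filtered deployment the same line would carry a 4xx status, so the detector doubles as a check that the blacklist is actually in force.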

After reading the above, do you have a better understanding of how to analyze the CouchDB vulnerabilities? If you would like to learn more, please follow the industry information channel. Thank you for your support.
