CVE-2017-12635 - Improper Privilege Management vulnerability in Apache CouchDB

CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, low complexity, apache, CWE-269, critical, nessus, exploit available, metasploit

Summary

Due to differences between the Erlang-based JSON parser and the JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate 'roles' keys, the field used for access control within the database, including the special '_admin' role that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The parser difference means that, if two 'roles' keys are present in the JSON, the second one is used for authorising the document write, but the first 'roles' key is used for all subsequent authorization of the newly created user. By design, users cannot assign themselves roles; the vulnerability allows non-admin users to give themselves admin privileges.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Restful Privilege Elevation
    REST uses the standard HTTP methods (GET, PUT, DELETE) as its permission model, but these are not necessarily correlated with the back-end programs they invoke. A strict reading of HTTP GET means that GET services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. Unless the services are properly ACL'd and the application's service implementation follows these guidelines, an HTTP request can easily execute a delete or update on the server side. The attacker identifies an HTTP GET URL such as http://victimsite/updateOrder, which calls out to a program to update orders in a database or other resource. The URL is not idempotent, so the request can be submitted multiple times by the attacker; additionally, the attacker may be able to exploit a URL published as a GET method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.

Exploit-Db

  • description: Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation. CVE-2017-12635. Webapps exploit for Linux platform
    file: exploits/linux/webapps/44498.py
    id: EDB-ID:44498
    last seen: 2018-05-24
    modified: 2018-04-23
    platform: linux
    published: 2018-04-23
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/44498/
    title: Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
    type: webapps
  • description: Apache CouchDB < 2.1.0 - Remote Code Execution. CVE-2017-12636. Webapps exploit for Linux platform
    file: exploits/linux/webapps/44913.py
    id: EDB-ID:44913
    last seen: 2018-06-20
    modified: 2018-06-20
    platform: linux
    published: 2018-06-20
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/44913/
    title: Apache CouchDB < 2.1.0 - Remote Code Execution
    type: webapps
  • description: Apache CouchDB - Arbitrary Command Execution (Metasploit). CVE-2017-12635, CVE-2017-12636. Remote exploit for Linux platform. Tags: Metasploit Framework (MSF)...
    file: exploits/linux/remote/45019.rb
    id: EDB-ID:45019
    last seen: 2018-07-13
    modified: 2018-07-13
    platform: linux
    port: 5984
    published: 2018-07-13
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/45019/
    title: Apache CouchDB - Arbitrary Command Execution (Metasploit)
    type: remote

Metasploit

Nessus

  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_1E54D140849311E8A7950028F8D09152.NASL
    description: Apache CouchDB PMC reports : Database Administrator could achieve privilege escalation to the account that CouchDB runs under, by abusing insufficient validation in the HTTP API, escaping security controls implemented in previous releases.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 111018
    published: 2018-07-12
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/111018
    title: FreeBSD : couchdb -- multiple vulnerabilities (1e54d140-8493-11e8-a795-0028f8d09152)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111018);
      script_version("1.5");
      script_cvs_date("Date: 2019/04/05 23:25:06");
    
      script_cve_id("CVE-2017-12635", "CVE-2017-12636", "CVE-2018-8007");
    
      script_name(english:"FreeBSD : couchdb -- multiple vulnerabilities (1e54d140-8493-11e8-a795-0028f8d09152)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Apache CouchDB PMC reports :
    
    Database Administrator could achieve privilege escalation to the
    account that CouchDB runs under, by abusing insufficient validation in
    the HTTP API, escaping security controls implemented in previous
    releases."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://blog.couchdb.org/2018/07/10/cve-2018-8007/"
      );
      # https://blog.couchdb.org/2017/11/14/apache-couchdb-cve-2017-12635-and-cve-2017-12636/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?236d3194"
      );
      # https://lists.apache.org/thread.html/6fa798e96686b7b0013ec2088140d00aeb7d34487d3f5ad032af6934@%3Cdev.couchdb.apache.org%3E
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?aab45713"
      );
      # https://vuxml.freebsd.org/freebsd/1e54d140-8493-11e8-a795-0028f8d09152.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?df4f4901"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache CouchDB Arbitrary Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:couchdb");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"couchdb<1.7.2,2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-A20D92573B.NASL
    description: - CouchDB ver. 1.7.1 - Fixed CVE-2017-12635 - Fixed CVE-2017-12636 - Switched to eunit for testing - Erlang 20 compatible. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2018-01-15
    plugin id: 105943
    published: 2018-01-15
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/105943
    title: Fedora 27 : couchdb / erlang-jiffy (2017-a20d92573b)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201711-16.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201711-16 (CouchDB: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in CouchDB. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could execute arbitrary shell commands or escalate privileges. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 104697
    published: 2017-11-20
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/104697
    title: GLSA-201711-16 : CouchDB: Multiple vulnerabilities
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1252.NASL
    description: CVE-2017-12635 Prevent non-admin users from giving themselves admin privileges. CVE-2017-12636 Blacklist some configuration options to prevent execution of arbitrary shell commands as the CouchDB user. For Debian 7
    last seen: 2020-03-17
    modified: 2018-01-22
    plugin id: 106208
    published: 2018-01-22
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/106208
    title: Debian DLA-1252-1 : couchdb security update

Packetstorm

Seebug

bulletinFamily: exploit
description:

There was a vulnerability in CouchDB caused by a discrepancy between the database’s native JSON parser and the Javascript JSON parser used during document validation. Because CouchDB databases are meant to be exposed directly to the internet, this enabled privilege escalation, and ultimately remote code execution, on a large number of installations.

I’m wrong, and the main npm registry is unaffected. See correction below. My bad!]

[CVE-2017-12635](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12635)

### Background

Last time, I wrote about a deserialization bug leading to [code execution on rubygems.org](https://justi.cz/security/2017/10/07/rubygems-org-rce.html), a repository of dependencies for ruby programs. The ability to inject malware into upstream project dependencies is a scary attack vector, and one from which I doubt most organizations are adequately protected. With this in mind, I started searching for bugs in [registry.npmjs.org](https://registry.npmjs.org/), the server responsible for distributing npm packages. According to [their homepage](https://www.npmjs.com/), the npm registry serves more than 3 billion (!) package downloads per week.

### CouchDB

The npm registry uses CouchDB, which I hadn’t heard of before this project. The basic idea is that it’s a “NoSQL” database that makes data replication very easy. It’s sort of like a big key-value store for JSON blobs (“documents”), with features for data validation, querying, and user authentication, making it closer to a full-fledged database. CouchDB is written in Erlang, but allows users to specify document validation scripts in Javascript. These scripts are automatically evaluated when a document is created or updated. They start in a new process, and are passed JSON-serialized documents from the Erlang side. CouchDB manages user accounts through a special database called `_users`. When you create or modify a user in a CouchDB database (usually by doing a `PUT` to `/_users/org.couchdb.user:your_username`), the server checks your proposed change with a Javascript `validate_doc_update` function to ensure that you’re not, for example, attempting to make yourself an administrator.

### Vulnerability

The problem is that there is a discrepancy between the Javascript JSON parser (used in validation scripts) and the one used internally by CouchDB, called [jiffy](https://github.com/apache/couchdb-jiffy). Check out how each one deals with duplicate keys on an object like `{"foo":"bar", "foo":"baz"}`:

Erlang:

```
> jiffy:decode("{\"foo\":\"bar\", \"foo\":\"baz\"}").
{[{<<"foo">>,<<"bar">>},{<<"foo">>,<<"baz">>}]}
```

Javascript:

```
> JSON.parse("{\"foo\":\"bar\", \"foo\": \"baz\"}")
{foo: "baz"}
```

For a given key, the Erlang parser will store both values, but the Javascript parser will only store the last one. Unfortunately, the getter function for CouchDB’s internal representation of the data will only return the first value:

```
% Within couch_util:get_value
lists:keysearch(Key, 1, List).
```

And so, we can bypass all of the relevant input validation and create an admin user thusly:

```
curl -X PUT 'http://localhost:5984/_users/org.couchdb.user:oops' --data-binary '{ "type": "user", "name": "oops", "roles": ["_admin"], "roles": [], "password": "password" }'
```

In Erlang land, we’ll see ourselves as having the `_admin` role, while in Javascript land we appear to have no special permissions. Fortunately for the attacker, almost all of the important logic concerning authentication and authorization, aside from the input validation script, occurs in the Erlang part of CouchDB. Now that we have an administrator account, we have complete control of the database. Getting a shell from here is usually easy since CouchDB lets you define custom `query_server` languages through the admin interface, a feature which is basically just a wrapper around `execv`.

One funny feature of this exploit is that it’s slightly tricky to detect through the web GUI; if you try to examine the user we just created through the admin console, the `roles` field will show up empty since it’s parsed in Javascript before being displayed!

### Impact on npm

I’ve been trying to figure out exactly how npm was affected by this bug. Since I didn’t actually exploit the vulnerability against any of npm’s production servers, I have to make educated guesses about which parts of the infrastructure were vulnerable to which parts of the attack, based on publicly available information. It turns out that registry.npmjs.org simply exposes an identical API to the CouchDB user creation flow in order to maintain backwards compatibility with old clients. It has been using a custom authentication system since early 2015, and is therefore not vulnerable to my attack. The skim database mentioned below was affected by the bug, however. I apologize for being completely wrong in the initial version of this blog post! Npm also exposes a “[skim database](https://skimdb.npmjs.com/)” which does look like it would have been vulnerable to the RCE part of the attack, but it’s unclear to me how that database is used in the infrastructure today. There’s a [blog post from 2014](http://blog.npmjs.org/post/75707294465/new-npm-registry-architecture) which indicates that all writes go to the skimdb, but I don’t know if this is still true.

### Conclusion

It’s probably a bad idea to use more than one parser to process the same data. If you have to, perhaps because your project uses multiple languages like in CouchDB, do your best to ensure that there aren’t any functional differences between the parsers like there were here. It’s unfortunate that the JSON standard [does not specify the behavior of duplicate keys](https://stackoverflow.com/questions/21832701/does-json-syntax-allow-duplicate-keys-in-an-object/21833017#21833017).

Thanks to the CouchDB team for having a published security@ email address and working quickly to get this fixed.

### Shameless plug

If you’re interested in ditching #birdsite and want to use a social network that actually respects your freedoms, you should consider [joining Mastodon!](https://joinmastodon.org/) It’s a federated social network, meaning that it works in a distributed way sort of like email. Join us over in the fediverse and help us build a friendly security community!

id: SSV:96869
last seen: 2017-11-19
modified: 2017-11-16
published: 2017-11-16
reporter: Root
title: Remote Code Execution in CouchDB(CVE-2017-12635)
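The parser discrepancy described in the Summary and in the write-up above, modelled in Python as an added example (not code from this page, from CouchDB, or from the blog author): `_first_wins` reproduces the proplist/`lists:keysearch` behaviour, `_last_wins` reproduces `JSON.parse`, and `_strict` rejects duplicate keys outright, which is the check a validation layer wants before it trusts any field. The sample document and all function names are assumptions constructed for this example.

```python
import json

# Constructed sample: the _users document shape from the write-up above,
# with a duplicate "roles" key (first value grants _admin, last is empty).
SAMPLE_USER_DOC = (
    '{ "type": "user", "name": "oops", '
    '"roles": ["_admin"], "roles": [], "password": "password" }'
)


class DuplicateKeyError(ValueError):
    """Raised when a JSON object carries the same key more than once."""


def _first_wins(pairs):
    # Mimics lists:keysearch/3 over a proplist: the first match is returned.
    obj = {}
    for key, value in pairs:
        obj.setdefault(key, value)
    return obj


def _last_wins(pairs):
    # Mimics JSON.parse: a later duplicate overwrites the earlier value.
    return dict(pairs)


def _strict(pairs):
    # Hardened behaviour: refuse any object that repeats a key.
    seen = set()
    for key, _ in pairs:
        if key in seen:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        seen.add(key)
    return dict(pairs)


def parse_first_wins(raw):
    return json.loads(raw, object_pairs_hook=_first_wins)


def parse_last_wins(raw):
    return json.loads(raw, object_pairs_hook=_last_wins)


def parse_strict(raw):
    return json.loads(raw, object_pairs_hook=_strict)


def divergent_keys(raw):
    """Top-level keys whose value differs between first-wins and last-wins
    parsing; non-empty means two parsers would disagree about this document."""
    first, last = parse_first_wins(raw), parse_last_wins(raw)
    if not isinstance(first, dict):
        return {}
    return {k: (first[k], last[k]) for k in first if first[k] != last[k]}


def is_safe_user_doc(raw):
    """Accept a _users document only if it parses with no duplicate keys
    (malformed JSON is rejected too, since it also raises ValueError)."""
    try:
        parse_strict(raw)
    except ValueError:
        return False
    return True
```

Running `divergent_keys` over stored raw `_users` documents is also a cheap way to find entries whose `roles` would display as empty in a JavaScript-rendered console while granting `_admin` on the Erlang side.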