Attacks that abuse server vulnerabilities for cryptomining are growing along with the popularity of cryptocurrencies. One such campaign is described in a Trend Micro blog post, which reports a Monero cryptominer being dropped through vulnerabilities in Apache CouchDB.
The two vulnerabilities exploited in that campaign are:
- Apache CouchDB JSON Remote Privilege Escalation Vulnerability (CVE-2017-12635)
- Apache CouchDB _config Command Execution (CVE-2017-12636)
The first one lets a remote, unauthenticated attacker create an admin user in the database by sending a crafted JSON document. Once created, that user holds the highest privileges on the database (the _admin role). I developed a simple Python PoC for Exploit-DB, which can be found here.
After finding a vulnerable server, running the Python exploit against it creates an administrative user in the database. The exploit's command-line options are shown here.
Finding Vulnerable Servers
A SHODAN search with the query port:5984 CouchDB/2.0.0 turns up a number of vulnerable servers running Apache CouchDB on its default port; some of them are already tagged by SHODAN as compromised.
Although vulnerable servers are easy to find, we will run this PoC against a local vulnerable machine to show how it works.
I deployed a preconfigured vulnerable database that already has an administrative user, which means it cannot be accessed or modified without the admin credentials.
The database also exposes the Fauxton administrative tool, which can be reached from a browser at the /_utils path. Trying to log in with the credentials exploiter:123456 returns a login error from the service.
Exploiting the Couch
Now, by running the Exploit-DB Python script against the server, we can create the admin user in the database.
After it has been created, I could successfully log in as the exploiter user with the ultra-secure password 123456.
How it Works
Erlang (jiffy) parse:
When a JSON object contains the same key twice, jiffy keeps both pairs in the Erlang structure it returns, and Erlang lookups on that structure take the first one, whereas the JavaScript JSON parser keeps only the last value. Applied to a user document, this lets us create an admin user with a request like the following, whose body carries the "roles" key twice (first ["_admin"], then []):
curl -X PUT 'http://localhost:5984/_users/org.couchdb.user:exploiter' -H 'Content-Type: application/json' -d '{"type":"user","name":"exploiter","roles":["_admin"],"roles":[],"password":"123456"}'
This works because the Erlang side (jiffy, first value wins) already sees us as _admin, while the JavaScript side that validates writes to the _users database (last value wins) sees an empty roles list and therefore accepts the document as a harmless non-privileged user. The crafted document is stored as shown above in the duplicated-keys example. Since authentication and authorization are handled mostly by the Erlang modules, the stored first value is the one that counts from then on, which gives the attacker free rein to exploit this flaw.