Remote Command Execution via CouchDB Admin Interfaces

The CouchDB administrative interface (/_utils) does not enforce authentication by default. All connecting users are considered administrators and can create, delete and modify databases as well as make global configuration changes.

CouchDB refers to this configuration as the “Admin Party”.

By default there is no option to execute system commands via the admin interface, however it is possible gain remote command execution by installing and calling a custom script handler.

 Exploit

An exploit tool was created to provide interactive command execution by automating the following steps:

•   Attacker enters a command to execute.

•   A custom script handler named “shellcode” is created containing the command to execute.

•   A temporary database is created containing a “design document” that references the script handler.

•   Design document is accessed to invoke the script handler and execute the command.

•   The output from the script handler (command) is parsed and displayed by the exploit.

•   Temporary databases and script handlers are removed.

Example Exploit Output:

Download Exploit Binary: CouchDB Exploit

This entry was posted in Tools. Bookmark the permalink.

Comments are closed.