JD2344 commented Apr 12, 2023

Continuing on from Sofia's PR. This is now in a working state in SecGen.

The only thing I will need to review is the "port". It seems the exploit runs from a separate piece of required software which is hosted on a different port. I will need to look into this further to make it dynamic.

So far exploit runs as user and correctly runs through everything.

smarkusfeld and others added 7 commits April 12, 2023 01:16

To Do:
1. Team Testing
2. Finalize secgen customization options from the following: (a) use sample json database (current version uses sample open-source color dataset); (b) create ruby file for more custom database using secgen generators; (c) do not create a database but change the port to 0 so it defaults to any available port

To Do:
1. Team Testing
2. Remove hard-coded variables to replace with secgen generators

…preleak

TODO:
1. Team Testing
2. Remove Testing Variables
JD2344 (author) commented Apr 16, 2023

This is working and exploits within user context.

Can't work out why I can't seem to change the port on the Erlang daemon, so for now it is always the same port.

<difficulty>low</difficulty>

<read_fact>port</read_fact>
<read_fact>known_username</read_fact>
cliffe (owner) commented on the metadata above:

These listed parameters have to match the ones for default inputs below. If you read_fact known_username, then it should/can also have a default input.

; 'username = password' lines. Don't forget to restart CouchDB after
; changing this.
[admins]
<%= @username %> = <%= @password %>
cliffe (owner) commented on the [admins] block above:

Is this intended to be a password that's leaked to them on completion? Sounds like it's hashed, so it might pose a problem if the thing passed to passwords_to_leak is not an easily crackable password.

JD2344 (author) replied:

There isn't actually any leak of password or username required for this exploit. I was just very unsure of what purpose these serve in the context of the software install, so I left them in.

cliffe (owner) replied:

Is this line required for the exploit to work?
<%= @username %> = <%= @password %>

cliffe (owner) commented:

Ok, I'm going to merge this, and leave this in, but tweak the metadata.
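For the hashing question the owner raised about the `[admins]` block (whether the value ends up stored hashed, and what a leaked value is worth), here is an added example that is not part of this PR or of SecGen. It parses a local.ini-style `[admins]` section, reports which admin entries are still in the clear (CouchDB only rewrites them on restart, as the quoted comment in the config says), and builds and verifies the `-pbkdf2-<key>,<salt>,<iterations>` form CouchDB stores. The sample config, the helper names and the `secgen_admin`/`changeme` values are constructed; the PBKDF2-HMAC-SHA1 layout with the salt's hex characters used as the salt bytes is my understanding of CouchDB's couch_passwords, so treat it as an assumption when checking against a particular CouchDB version.

```python
import hashlib
import hmac
import os
import re

# CouchDB rewrites each plaintext "user = password" line under [admins] on
# startup into "-pbkdf2-<derived key hex>,<salt hex>,<iterations>"
# (PBKDF2-HMAC-SHA1, 20-byte key; the salt's hex characters are used as the
# salt bytes). Assumed layout; parser, audit helper and sample config below
# are constructed for this example.
HASH_RE = re.compile(r"^-pbkdf2-([0-9a-f]{40}),([0-9a-f]+),(\d+)$")

# Constructed sample in the style of the [admins] block quoted in the review.
SAMPLE_INI = """; 'username = password' lines. Don't forget to restart CouchDB after
; changing this.
[admins]
secgen_admin = changeme
"""


def parse_admins(ini_text):
    """Return {user: value} for the [admins] section of local.ini-style text."""
    admins = {}
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "admins" and "=" in line:
            user, _, value = line.partition("=")
            admins[user.strip()] = value.strip()
    return admins


def is_hashed(value):
    """True if the stored value is already a CouchDB PBKDF2 entry."""
    return HASH_RE.match(value) is not None


def couchdb_hash(password, salt_hex=None, iterations=10):
    """Build the entry CouchDB would store for a plaintext admin password."""
    if salt_hex is None:
        salt_hex = os.urandom(16).hex()  # CouchDB uses a random UUID as hex
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt_hex.encode(),
                             iterations, dklen=20)
    return f"-pbkdf2-{dk.hex()},{salt_hex},{iterations}"


def verify(password, entry):
    """Check a candidate password against a stored -pbkdf2- entry."""
    m = HASH_RE.match(entry)
    if not m:
        return False  # still plaintext or unrecognised; never compare directly
    stored, salt_hex, iterations = m.group(1), m.group(2), int(m.group(3))
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt_hex.encode(),
                             iterations, dklen=20)
    return hmac.compare_digest(dk.hex(), stored)


def plaintext_admins(ini_text):
    """Admins whose password is still in the clear (CouchDB not restarted yet)."""
    return sorted(u for u, v in parse_admins(ini_text).items() if not is_hashed(v))


if __name__ == "__main__":
    print("still plaintext:", plaintext_admins(SAMPLE_INI))
    print("stored form:", couchdb_hash("changeme", iterations=10))
```

Running `plaintext_admins` over a rendered local.ini is a cheap check that the template value was in fact replaced before a VM image is handed out; the iteration count in the stored entry is also visible, which is what decides how cheap a leaked entry is to crack.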

@cliffe cliffe merged commit dee9947 into cliffe:master Apr 20, 2023
cliffe added a commit that referenced this pull request Apr 20, 2023
@JD2344 JD2344 deleted the apache_couchdb branch June 12, 2023 23:39