lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <fb1e5de9-82e3-4a9e-9fbf-687197f61fb5@journal.report.generator>
Date: Thu, 23 Aug 2018 08:52:31 +0000
From: x ksi <s3810@...stk.edu.pl>
To: <fulldisclosure@...lists.org>, <bugtraq@...urityfocus.com>
Subject: Couchbase Server - Remote Code Execution

Sender: s3810@...stk.edu.pl
Subject: Couchbase Server - Remote Code Execution
Message-Id: <CAN10O-YorWdFmOh6kZDG1=R6+S5GQTQbSQms0DGjR8pDhr2MFQ@...l.gmail.com>
Recipient: Lanware.Security@...ware.co.uk


______________________________________________________________________

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed.  Any views or opinions expressed are solely those of the author and do not necessarily represent those of Lanware Ltd.  If you have received this e-mail in error, please notify the sender and delete this email (including any attachments) from your system. Lanware may monitor email traffic data and content of email for the purpose of security.

Lanware Ltd, 62-64 Cornhill EC3V 3NH.  Registered in England and Wales.  Registration No. 2815552.  Telephone +44 (0) 207 150 1100
Received: from GCHQ-GWR-EXCH01.internal.lanware.co.uk (10.80.1.204) by
 GCHQ-GWR-EXCH01.internal.lanware.co.uk (10.80.1.204) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.1.1466.3; Thu, 23 Aug 2018 09:50:33 +0100
Received: from mail6.bemta25.messagelabs.com (195.245.230.107) by
 mail.lanware.co.uk (10.80.1.151) with Microsoft SMTP Server id 15.1.1466.3
 via Frontend Transport; Thu, 23 Aug 2018 09:50:33 +0100
Return-Path: bugtraq-return-59704-security=lanware.co.uk@...urityfocus.com
Received: from [46.226.52.199] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits))
	by server-3.bemta.az-b.eu-west-1.aws.symcld.net id D1/FA-19860-9557E7B5; Thu, 23 Aug 2018 08:50:33 +0000
Authentication-Results: mx.messagelabs.com; spf=pass 
  (server-10.tower-287.messagelabs.com: domain of securityfocus.com 
  designates 195.245.230.82 as permitted 
  sender)smtp.mailfrom=securityfocus.com
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpnk+JIrShJLcpLzFFi42I5/PVZkG5EaV2
  0wY9t6hZf/39idmD06Pg2hSWAMYo1My8pvyKBNWPdooyCP4IVLyYFNjD+4u9i5OAQEvCRuHnG
  qYuRE8g8ySgx87U/iC0h4CexYPoxFpASCQFHiYffCiDCShItHYvYIWwDiaYXs5ggSkQkJjdZQ
  ZhaEnvWQFWIS0xeuJIZYriHxI9fl4EGcgHZKxglTp0/zwTh3GWU+Leonw2iykXiXOs9FhCbV8
  BJ4uGO+6wgtoCAgMS/SRfA4jwCOhL3T7UyQ9i6Er8+zmSCsI0kzu7rh6pxkDi58iYjhG0j8fp
  RJ1g9i4CJxOqn29ghbFOJUwuWscFcN3XBBrDrJAT+s0m83biXCeIFRYlXE9+xQNgOEi9vLmOE
  sBUkVv34xQphW0vsfbKIqIDgAlo7hVli5YMPTBMYtWeBvSkocXLmExYQm1lAU6J1+2/2BYxMq
  xgtkooy0zNKchMzc3QNDQx0DQ2NdA0tzYDYWC+xSjdJL7VUtzy1uETXUC+xvFivuDI3OSdFLy
  +1ZBMjMDkwAMEOxnPfkg8xSnIwKYnyfvavjRbiS8pPqcxILM6ILyrNSS0+xCjDwaEkwfuxuC5
  aSLAoNT21Ii0zB5imYNISHDxKIrx2JUBp3uKCxNzizHSI1ClGY44Xi3omMXP8eT91ErMQS15+
  XqqUOK8aSKkASGlGaR7cIFj6vMQoKyXMywh0mhBPQWpRbmYJqvwrRnEORiVh3mqQKTyZeSVw+
  14BncIEdAorcy3IKSWJCCmpBkamTZXdLkciO3ffzwwrO/jl6byvpvu+Hw/aMu/3TbF9qQ9F78
  w7YqjKG9T2T9REpPjwqRjH8J17/U/9OtUavuv81GKx8iUKYjZXeBhVeG1lNd1WsbXWV+x83DJ
  jyeV/G57fVej4suzj9MRzhy60ty4wzGv8tzDLZerEKQ1rM48UXC6czqHDdD5fiaU4I9FQi7mo
  OBEAXbB6c5oDAAA=
X-Env-Sender: bugtraq-return-59704-security=lanware.co.uk@...urityfocus.c
  om
X-Msg-Ref: server-10.tower-287.messagelabs.com!1535014232!7612004!1
X-Originating-IP: [195.245.230.82]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received:
X-StarScan-Version: 9.9.15; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 25673 invoked from network); 23 Aug 2018 08:50:32 -0000
Received: from mail3.bemta25.messagelabs.com (HELO mail3.bemta25.messagelabs.com) (195.245.230.82)
  by server-10.tower-287.messagelabs.com with SMTP; 23 Aug 2018 08:50:32 -0000
Received: from [46.226.52.192] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits))
	by server-2.bemta.az-b.eu-west-1.aws.symcld.net id 0F/3F-20055-8557E7B5; Thu, 23 Aug 2018 08:50:32 +0000
X-Env-Sender: bugtraq-return-59704-security=lanware.co.uk@...urityfocus.c
  om
X-Msg-Ref: server-3.tower-280.messagelabs.com!1535014200!71964!76
X-Originating-IP: [34.237.219.205]
X-SYMC-ESS-Client-Auth: outbound-route-from=fail
X-StarScan-Received:
X-StarScan-Version: 9.14.24; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 20279 invoked from network); 23 Aug 2018 08:50:32 -0000
Received: from ec2-34-237-219-205.compute-1.amazonaws.com (HELO symds.io) (34.237.219.205)
  by server-3.tower-280.messagelabs.com with SMTP; 23 Aug 2018 08:50:32 -0000
Received: from lists.securityfocus.com (ip-100-122-156-127.us-east-1.ec2.aws.symcpe.net [100.122.156.127])
	by symds.io (Postfix) with SMTP id B6A9FF1F8
	for <security@...ware.co.uk>; Thu, 23 Aug 2018 08:42:43 +0000 (UTC)
Received: (qmail 18484 invoked by alias); 23 Aug 2018 08:40:41 -0000
Mailing-List: contact bugtraq-help@...urityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@...urityfocus.com>
List-Help: <mailto:bugtraq-help@...urityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@...urityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@...urityfocus.com>
Delivered-To: mailing list bugtraq@...urityfocus.com
Delivered-To: moderator for bugtraq@...urityfocus.com
Received: (qmail 31427 invoked from network); 23 Aug 2018 05:05:27 -0000
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrJIsWRWlGSWpSXmKPExsXiVRtkqjvNoS7
  a4MgLQYvmC+kOjB73z9xiD2CMYs3MS8qvSGDNWLcoo+CPYMWLSYENjL/4uxi5OIQEpjBKHN48
  jQnEYRGYwiyx8sEHMEdC4AeLxOJZRxi7GDmBnDqJu90LoewiidbtHSwQdoXE+Wk7wWxeAUGJk
  zOfgNlCAmESd76sYAWx2QQUJRoXrmcCsVkEVCXObtrNBlEfIHH17w+wuLCAocTp3onsILaIgJ
  XEzgv9YLuYBTSBdv1mn8DINwvJillIUgsYmVYxWiQVZaZnlOQmZuboGhoY6BoaGusa6ppZ6iV
  W6SbqpZbqJqfmlRQlAiX1EsuL9Yorc5NzUvTyUks2MQKDjgEIdjDu2ZdyiFGSg0lJlPezf220
  EF9SfkplRmJxRnxRaU5q8SFGGQ4OJQleG/u6aCHBotT01Iq0zBxg+MOkJTh4lER4/e2A0rzFB
  Ym5xZnpEKlTjJYcLxb1TGLmmLByEpD8837qJGYhlrz8vFQpcV4nkHkCIA0ZpXlw42AxeolRVk
  qYlxHoQCGegtSi3MwSVPlXjOIcjErCvBEgU3gy80rgtr4COogJ6CBW5lqQg0oSEVJSDYwzt03
  QtJ14XMzAZ50Y25bKsJeHz17xeHTXoSyZ34uf79Ydd6Nvxw3D7dIrz/7rsb8QI/7h4O0VmUYP
  ZUV3HppbzZOc6iUtV3c1hU+d7YPttbUu321W1d0Svp10Z9sM4blb7nI4n4wTDPv8zb9QLWCq8
  SrOl41PBdi+n62+P6vReO+knw5x7u+UWIozEg21mIuKEwE3eQ/czAIAAA==
X-Env-Sender: s3810@...stk.edu.pl
X-Msg-Ref: server-7.tower-221.messagelabs.com!1535000726!43957!1
X-Originating-IP: [74.125.82.53]
X-SpamReason: No, hits=0.0 required=7.0 tests=newsletters: 
X-StarScan-Received:
X-StarScan-Version: 9.14.24; banners=-,-,-
X-VirusChecked: Checked
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=pjwstk.edu.pl; s=google;
        h=mime-version:from:date:message-id:subject:to;
        bh=vQvnD8rapUXqZ28JsES478JWn/b3GD+vFaMJ3PxsHwg=;
        b=g0nXtLSEiJ4HjEfSqZ4YU/ALgmvt8N+I6HuJZ3anZwXoW6+pj9tK7JVFxTYzomMwtJ
         TyL8ZS90jLmnqYpaI6TuZ3FnrZ8JOUeTwYgofi2eP+FcicGpzX5GXZlbH+MtQaSSupyG
         jjg1zJOftfuKCk6UzCuaf1/bMRGEGeEOaRu6w=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=vQvnD8rapUXqZ28JsES478JWn/b3GD+vFaMJ3PxsHwg=;
        b=jpjZpKXcoyOUoZ3TuPVMSN7XVYHoGA7+ZcGMaSjGtAQNGgU5jRzLQt7Dce7zxVxJ0E
         xRY/6uIgYo4IjCUj+n8+6xiqA4zzr6YzWDGLYI4UDhieNsxXWVzX97eOiVTWtOZkhDS6
         wcuxHTLEzXZduW7ou0DzTWFly6hOY1uS4W4LKurDVROXN01l0uZ8WNGUZf+A+ctleOof
         +2xq4jEBejy2CBBzTzZN7RGAQEZXGzE4dp/SHduxOcroPfngwPCCrKSvHGYYNEhcrf92
         Jq/MeWHxs15i+E+2Qt5Y2Vi65FKDV7PwuUEZFnRW00OpuXrHq70Xp74TskT4YorGNNIu
         qGVg==
X-Gm-Message-State: APzg51Cxfdrc9P2XPUptdpesPm/PSiADj6BUOxtbigSsMcE6jexQcZFe
	XNU8NpBnwuiHRsvsaaxWZPs4R8dGgexU0PhSJZ3WmXeR28o=
X-Google-Smtp-Source: ANB0VdaYnLEk/MvDXc5futMFW9N9PesXbJ337wSPXGjGntDJx+gEd0ZtgaQ7ffsmYB+UzySdyxWEiggvju0a1aB+N/Y=
X-Received: by 2002:a1c:578a:: with SMTP id l132-v6mr4126502wmb.16.1535000725643;
 Wed, 22 Aug 2018 22:05:25 -0700 (PDT)
MIME-Version: 1.0
From: x ksi <s3810@...stk.edu.pl>
Date: Thu, 23 Aug 2018 15:05:25 +1000
Message-ID: <CAN10O-YorWdFmOh6kZDG1=R6+S5GQTQbSQms0DGjR8pDhr2MFQ@...l.gmail.com>
Subject: Couchbase Server - Remote Code Execution
To: <fulldisclosure@...lists.org>, <bugtraq@...urityfocus.com>
Content-Type: text/plain; charset="UTF-8"
X-MS-Exchange-Organization-OriginalArrivalTime: 23 Aug 2018 08:50:33.1737
 (UTC)
X-MS-Exchange-Organization-Network-Message-Id: 25376e6b-822a-4d5b-fb3f-08d608d57cab
X-MS-Exchange-Organization-OriginalClientIPAddress: 195.245.230.107
X-MS-Exchange-Organization-OriginalServerIPAddress: 10.80.1.151
X-MS-Exchange-Organization-Cross-Premises-Headers-Processed: GCHQ-GWR-EXCH01.internal.lanware.co.uk
X-MS-Exchange-Organization-OrderedPrecisionLatencyInProgress: LSRV=GCHQ-GWR-EXCH01.internal.lanware.co.uk:TOTAL-FE=0.046|SMR=0.051(SMRPI=0.008(SMRPI-FrontendProxyAgent=0.008));2018-08-23T08:50:33.220Z
X-MS-Exchange-Forest-ArrivalHubServer: GCHQ-GWR-EXCH01.internal.lanware.co.uk
X-MS-Exchange-Organization-AuthSource: GCHQ-GWR-EXCH01.internal.lanware.co.uk
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-FromEntityHeader: Internet
X-MS-Exchange-Organization-OriginalSize: 10014
X-MS-Exchange-Organization-HygienePolicy: Standard
X-MS-Exchange-Organization-MessageLatency: SRV=GCHQ-GWR-EXCH01.internal.lanware.co.uk:TOTAL-FE=0.062|SMR=0.051(SMRPI=0.008(SMRPI-FrontendProxyAgent=0.008))|SMS=0.016
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-Recipient-Limit-Verified: True
X-MS-Exchange-Organization-TotalRecipientCount: 1
X-MS-Exchange-Forest-IndexAgent-0: AQ0CZW4AAZYGAAAPAAADH4sIAAAAAAAEAK1WXW/bNhSl42+laoc9FN
 ieiOwhLRBZSfqV5WFYkrZoH4oFbVpsy7KAluiYqCR6pGTXG9bftJ+4
 c0lbcdKuD10RQ6DI+3F47rlX+efrZ3K+FQZh8FjaxKhJqXSxHwZHuk
 rGQ2ElfyXNVBp+unPG5buJttLyl09enfCD4+f8dPeMz8YqGfPhnKdy
 JKqs5MqGgZgKlYlhJrku+MnRcby3/f0OF0Uaa+Ped2hjEAYHVTmWRa
 kSUcqUV1YayxNRcCuLlAszVKURZs6fmEwUFzzRqeSl5pupEhexnIps
 MwxgOdGqKLkecQQjYAN+goWznqks40PJbTW08o8KubI5LiKTihKqgl
 zCoCpSabK5Qg49kUaUtLJzW8ocEcoxnxg1VZm8wO0XaQjr4vIzYek1
 DQNgs6UwJa/5wx0JywpiXgMmv5FGbroTMBo5kkYWSQ0MuUYqUSILg1
 QnVQ70ggrET++dnd4/O31wtsXHeiZRoC1+1SLV0habJUjADqKJYh4G
 qhhpk3sDMdRV6ZIYZd9aLqzVSEWsuBuLLNMzokEkibSWIDqqavQICj
 4tBcMlX1PosioQIJtv8efucoUuuVMBnAFkpEy+oAyILRwdmzVX0I2R
 XIxGMiEYkAusJbKaj/OnLNYUP13RH7D8oisnItTEXfBYH6GAeqpSsp
 S4F4HXBjUnZMCiRnOuRnyuK0MsoYZZ5mlCjhoQtIsbDahbjo0Gcgce
 9ZqUaJmdAU8qk/HoGd8gWWuj/nQx9vmhsCrhB4dHjzf4uCwn+3H8bu
 D+9qkP4vpyYRD9zI9/QntFKd9MqP9GkN2+kSI9p9WdjViWSTxBtWbp
 xl1C8Jd+u8UP/+bRD4Cu932F72y8n7wvNrb46VAV6KDzUp+X0uR3Du
 +e3SUGB+ic3S+OWNv9JE/vbMhiunF3k4h6KXMJ43qsQI1JCcqLFGwC
 K0RfG/CLSqUCfA74QQa0EJOaOjkZ6MyopIRCVtV4OYkWo+VjMnH1Ol
 G5zFQhqU57g+2Hg93tnb19/lQvVb5ARAicoeWnD9FdlOSjXQOura2k
 kzmGVUmILKaKUeX8x6Tu/kTnyL+7fT1lVE24zDEkrwSgbAsgKx1jZC
 IxmMNgMXlQpgsUNcPBBD1H8XcG23uL+C8ev5IJn1TDTNkxdVE6VVZj
 hl42vFU5prPh0yorMOyGKgPoMPCjCJ1xMBEJzFxfPj7kp4/OruU4ev
 MEyV33I8PI6Jy/eH7y8gmZ7a5AoT0aLOqigB28IjqIdh482t1zxS/H
 6C9HJLneu3SlmVkjH4OioZQFcmYSrKYDr6zFtLQoKn2eSKcWQp3NZo
 MrFYhxvnt5nmJeZjTmr1ldGaCxdd+9GBVFkjImBUZiovwCsjJ6MC5z
 6B+z+PNC3xu8i0WaqyI+EZjA8bs0MVGuUwyjyMqSvkF2meP+Z+a4P9
 iJl7KsFxHM8wjUmbn73i+TPPiySTIFw8jabBn/4adqBF4xfVHNOsJ3
 b1b1+dKJHZwg0KOrgfIULggyqN7GJJ94ey9eiidKptKrbm97+xEqSN
 KOXOp0GGH46JJeUxn5fwroWqQu+myL4q3F/0ZPkX/Cj0WmRBEGjDVZ
 b53d7LOg0+g1GGuwZpf1WqzdbLT9a5t11tzmGmvBDOtmo9VijGxYy7
 +2GWuzXshuwhibOKKArIvFmnttsW6P9cmYtZrO0W3itHmDhcujdsDW
 a0esvT3Wy7CEBOs+u9F07tiBL448SPxqrx4LwsYtukKjeflkrS7rAy
 eugx+CrLMbPjie8EVMBAQAj8cD67H1kCHUmgPf8rDh3nbZse6zdZeR
 kCB+DWzJG56B961/OG0vr4OnzwgvsOEyekJ6C/Ibga8FDPAEGOy36E
 f8A9ji11jzdfGEY8fbL3YarO/2kb1D8eGLva7L3ncR2rC+uUCC6kMD
 3f+T13PYZMG6I7zjUoNwKg271XOFrkvsaVmqBexBFeuIjpsHLlSL6k
 4uQeOGL6WP5spXK4RKAx3fZv0+cd65FqFDJHQ97bW9I6Tri9VdqtTJ
 oH/N3Wkv8LVzte55TnwFu42+A9a+5tV0jeNk3PswIMkGtPuearRdK3
 WWsr9uX8vMCTUMGjcXTdpg35KeKVFdNWy+Zj3sOCpakD2B9N29bKvW
 ivHvHxj7+rYdTth3XBevupz/hwvMeq4RqKdW7H/9pL1XyKr9UX0p94
 TN7cY39elv7rTu/UX1l/x4wF54biJ91XGF6/wLCu0gKycOAAABCt4B
 PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTE2Ij8+DQ
 o8RW1haWxTZXQ+DQogIDxWZXJzaW9uPjE1LjAuMC4wPC9WZXJzaW9u
 Pg0KICA8RW1haWxzPg0KICAgIDxFbWFpbCBTdGFydEluZGV4PSIxMz
 U1Ij4NCiAgICAgIDxFbWFpbFN0cmluZz5zZWN1cml0eUBjb3VjaGJh
 c2UuY29tPC9FbWFpbFN0cmluZz4NCiAgICA8L0VtYWlsPg0KICA8L0
 VtYWlscz4NCjwvRW1haWxTZXQ+AQu2BDw/eG1sIHZlcnNpb249IjEu
 MCIgZW5jb2Rpbmc9InV0Zi0xNiI/Pg0KPFVybFNldD4NCiAgPFZlcn
 Npb24+MTUuMC4wLjA8L1ZlcnNpb24+DQogIDxVcmxzPg0KICAgIDxV
 cmwgU3RhcnRJbmRleD0iMTczOCIgVHlwZT0iVXJsIj4NCiAgICAgID
 xVcmxTdHJpbmc+aHR0cHM6Ly93d3cuY291Y2hiYXNlLmNvbS88L1Vy
 bFN0cmluZz4NCiAgICA8L1VybD4NCiAgICA8VXJsIFN0YXJ0SW5kZX
 g9IjE3NzAiIFR5cGU9IlVybCI+DQogICAgICA8VXJsU3RyaW5nPmh0
 dHBzOi8vZGV2ZWxvcGVyLmNvdWNoYmFzZS5jb20vZG9jdW1lbnRhdG
 lvbi9zZXJ2ZXIvY3VycmVudC9yZXN0LWFwaS9yZXN0LWludHJvLmh0
 bWw8L1VybFN0cmluZz4NCiAgICA8L1VybD4NCiAgICA8VXJsIFN0YX
 J0SW5kZXg9IjE4NjEiIFR5cGU9IlVybCI+DQogICAgICA8VXJsU3Ry
 aW5nPmh0dHBzOi8vZGV2ZWxvcGVyLmNvdWNoYmFzZS5jb20vZG9jdW
 1lbnRhdGlvbi9zZXJ2ZXIvMy54L2FkbWluL1Rhc2tzL3hkY3ItbW9k
 aWZ5LXNldHRpbmdzLmh0bWw8L1VybFN0cmluZz4NCiAgICA8L1VybD
 4NCiAgPC9VcmxzPg0KPC9VcmxTZXQ+AQ7QAVJldHJpZXZlck9wZXJh
 dG9yLDEwLDE1O1JldHJpZXZlck9wZXJhdG9yLDExLDU7UG9zdERvY1
 BhcnNlck9wZXJhdG9yLDEwLDA7UG9zdERvY1BhcnNlck9wZXJhdG9y
 LDExLDA7UG9zdFdvcmRCcmVha2VyRGlhZ25vc3RpY09wZXJhdG9yLD
 EwLDM7UG9zdFdvcmRCcmVha2VyRGlhZ25vc3RpY09wZXJhdG9yLDEx
 LDA7VHJhbnNwb3J0V3JpdGVyUHJvZHVjZXIsMjAsMzM=
X-MS-Exchange-Forest-IndexAgent: 1 2705
X-MS-Exchange-Forest-EmailMessageHash: 68A7520F
X-MS-Exchange-Forest-Language: en

Hey,

Description:
Couchbase Server [1] exposes REST API [2] which by default is
available on TCP/8091 and/or TCP/18091.
Authenticated users can send arbitrary Erlang code to 'diag/eval'
endpoint of the API. The code will be subsequently executed in the
underlying operating system with privileges of the user which was used
to start Couchbase.
The 'diag/eval' endpoint was found to be referenced in the official
documentation [3][4][5], however, documentation doesn't contain any
information about the risks associated with allowing access to the
endpoint in question.
Unfortunately, I was not able to confirm which versions of Couchbase
are affected and whether 'diag/eval' endpoint is enabled by default.
You can use the PoC provided below in order to verify if your
installation is affected or not.

Proof of Concept:
1. curl -H "Authorization: Basic ABCD" http://x.x.x.x:8091/diag/eval
-X POST -d 'case file:read_file("/etc/passwd") of {ok, B} ->
io:format("~p~n", [binary_to_term(B)]) end.'
2. curl -H "Authorization: Basic ABCD" http://x.x.x.x:8091/diag/eval
-X POST -d 'os:cmd("env")'

Remediation:
Contact vendor for remediation guidance. Alternatively, restrict
access to the REST API and/or 'diag/eval' endpoint.

Timeline:
18.06.2018: Following vendor guidelines [6], the information about the
issue was sent to security@...chbase.com.
20.06.2018: Follow-up email was sent to the vendor to confirm receipt
of the original report.
21.08.2018: MDSec published advisory about the similar vulnerability
found in Apache CouchDB [7].
21.08.2018: CVE requested from MITRE.
22.08.2018: MITRE assigned CVE-2018-15728 for this issue.
23.08.2018: The advisory has been released.

References:
[1] https://www.couchbase.com/
[2] https://developer.couchbase.com/documentation/server/current/rest-api/rest-intro.html
[3] https://developer.couchbase.com/documentation/server/3.x/admin/Tasks/xdcr-modify-settings.html
[4] https://developer.couchbase.com/documentation/server/4.1/security/security-comm-encryption.html
[5] https://developer.couchbase.com/documentation/server/4.1/security/security-client-ssl.html
[6] https://www.couchbase.com/resources/security#VulnerabilityReporting
[7] https://www.mdsec.co.uk/2018/08/advisory-cve-2018-8007-apache-couchdb-remote-code-execution/


Thanks,
Filip Palian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ