Apache CouchDB JSON Remote Privilege Escalation

Apache CouchDB is open source database software that focuses on ease of use and having a scalable architecture. It has a document-oriented NoSQL database architecture and is implemented in the concurrency-oriented language Erlang; it uses JSON to store data, JavaScript as its query language using MapReduce, and HTTP for an API.

A privilege escalation vulnerability exists in CouchDB. The vulnerability is due to a discrepancy in the behaviours of the JavaScript JSON parser, used in design documents, and the Jiffy JSON parser, used within the CouchDB Erlang-based internals. This discrepancy allows an attacker to bypass the user access control.

Vulnerability details

CouchDB has its own web interface for interacting with the REST API. Both interfaces listen on port 5984/TCP by default. The URL for opening its GUI is: http://:5984/_utils

To send an API request, a user sends an HTTP request carrying the parameters in a JSON body. For example, the following PUT request creates a user document:

PUT /_users/org.couchdb.user:new_user HTTP/1.1
Host: localhost:5984
Content-Type: application/json
Content-Length: 80

{
  "type": "user",
  "name": "[username]",
  "roles": [],
  "password": "[password]"
}

When a JSON object has duplicate keys, the JavaScript parser keeps only the last value. For example, the JSON {"key":"value1","key":"value2"} assigns value2 to key. When CouchDB handles such an API request, the validate_doc_update() function is called to verify the current user's privilege, and because it runs in the JavaScript design document it sees the last value. However, the Erlang internals use the get_value() function, which returns only the first value of a given key. The privilege check is therefore performed against one value of the duplicated key while CouchDB stores another.

{
  "type": "user",
  "name": "[username]",
  "roles": ["_admin"],
  "roles": [],
  "password": "[password]"
}

Such a request submits a malicious document to the _users or _replicator databases and escalates the user's privilege to server admin of CouchDB.
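The parser discrepancy described above, reproduced as an added example (not code from the advisory or from CouchDB): one parser keeps the last duplicate key, one keeps the first, and a strict parser a defender can put in front of such documents rejects the duplicate outright. The document text is a constructed sample modelled on the request above; the user and password values are hypothetical.

```python
import json

# Constructed sample document with a duplicated "roles" key
# (hypothetical values, not taken from any real server).
DOC = ('{"type":"user","name":"alice",'
       '"roles":["_admin"],"roles":[],"password":"x"}')


class DuplicateKeyError(ValueError):
    """Raised by the strict parser when an object repeats a key."""


def parse_last_wins(text):
    """Mimic a JavaScript-style parser: the last duplicate key wins."""
    return json.loads(text, object_pairs_hook=dict)


def parse_first_wins(text):
    """Mimic a get_value()-style lookup on a proplist: the first key wins."""
    def first(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)   # keep the first value seen
        return out
    return json.loads(text, object_pairs_hook=first)


def parse_strict(text):
    """Defensive parser: reject any object that contains duplicate keys."""
    def check(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                raise DuplicateKeyError(f"duplicate key {key!r}")
            seen.add(key)
        return dict(pairs)
    return json.loads(text, object_pairs_hook=check)


def roles_disagree(text):
    """True when the two parsers would see different roles for one document."""
    return parse_last_wins(text).get("roles") != parse_first_wins(text).get("roles")


if __name__ == "__main__":
    print("last-wins roles :", parse_last_wins(DOC)["roles"])
    print("first-wins roles:", parse_first_wins(DOC)["roles"])
    print("parsers disagree:", roles_disagree(DOC))
```

The `object_pairs_hook` is applied to every nested object as well, so `parse_strict` also catches a duplicated key inside a sub-document.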

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13106: Apache CouchDB JSON Remote Privilege Escalation