Issue
The auxiliary module does not discover valid credentials for users without
the admin role. This check is required nonetheless, as credentials for standard users might allow
dumping document collections from databases protected against anonymous reads by user membership.
Steps to reproduce
_command to add test user to CouchDB via REST API:_
curl -X PUT http://<IP>:5984/_users/org.couchdb.user:tester -H "Accept: application/json" -H "Content-Type: application/json" -d '{"name": "tester", "password": "Welcome1", "roles": [], "type": "user"}'
_msfconsole commands_
echo tester > /tmp/users.txt
echo Welcome1 > /tmp/passwords.txt
use auxiliary/scanner/couchdb/couchdb_login
set RHOST <IP>
set USER_FILE /tmp/users.txt
set PASS_FILE /tmp/passwords.txt
run
Expected behavior
Guessed credentials for the user 'tester' should be identified by the auxiliary module.
Current behavior
The auxiliary module only identifies guessed credentials for admin users. This happens
because the module makes the request below to the _users/_all_docs collection, which, as explained
in the security documentation of CouchDB[1], can be accessed by privileged users only (it would be a trivial privesc otherwise) and therefore results in an HTTP 401 response even with valid standard user credentials.
GET /_users/_all_docs HTTP/1.1
Host: <IP>:5984
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: text/plain
Remediation
The current check for the admin credentials can be complemented with the request below
to discover standard user credentials (i.e. attempt to retrieve the respective entry from the _users collection). Note that the admin credentials are not stored in the _users collection but in the local.ini file, so they still need a separate check.
GET /_users/org.couchdb.user:tester HTTP/1.1
Host: <IP>:5984
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Authorization: Basic dGVzdGVyOldlbGNvbWUx
Connection: close
Content-Length: 4
Tested on
Metasploit Framework: 4.16.24-dev
Metasploit Console: 4.16.24-dev
CouchDB v2.1.1
References
[1] http://docs.couchdb.org/en/2.0.0/intro/security.html
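The two-step check proposed above, as an added example written for this issue (not the Metasploit module's own code): the admin check against _users/_all_docs first, then the per-user document lookup. The transport callable and the fake CouchDB responder are constructed here so the logic runs offline; function names are hypothetical.

```python
import base64
from typing import Callable, Dict, Tuple

# Hypothetical transport: (method, path, headers) -> (status, body).
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def check_couchdb_credential(user: str, password: str, send: Transport) -> str:
    """Classify a credential as 'admin', 'user' or 'invalid'.

    _users/_all_docs is readable by server admins only, so a 200 there means
    admin.  A standard user can still read their own document in _users, so
    a 200 on /_users/org.couchdb.user:<name> identifies a valid non-admin.
    """
    headers = {"Accept": "application/json",
               "Authorization": basic_auth_header(user, password)}
    status, _ = send("GET", "/_users/_all_docs", headers)
    if status == 200:
        return "admin"
    status, _ = send("GET", f"/_users/org.couchdb.user:{user}", headers)
    if status == 200:
        return "user"
    return "invalid"


# Constructed fake CouchDB mirroring the behaviour described in the issue.
FAKE_ADMINS = {"admin": "admin"}      # lives in local.ini, not in _users
FAKE_USERS = {"tester": "Welcome1"}   # stored as org.couchdb.user:tester


def fake_couchdb(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, '{"error":"unauthorized"}'
    user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    is_admin = FAKE_ADMINS.get(user) == pw
    is_user = FAKE_USERS.get(user) == pw
    if not (is_admin or is_user):
        return 401, '{"error":"unauthorized"}'
    if path == "/_users/_all_docs":
        return (200, '{"rows":[]}') if is_admin else (401, '{"error":"unauthorized"}')
    if path == f"/_users/org.couchdb.user:{user}" or is_admin:
        return 200, '{"_id":"%s"}' % path.rsplit("/", 1)[1]
    return 403, '{"error":"forbidden"}'
```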
I am able to recreate this. Adding another check is easy enough, but I'm wondering if an option needs to be added to check only privileged users, only unprivileged users, or both.
Hello guys.
This module was on my review list too (among other modules I wrote for the msf). In the next few days I will be able to change it. :)
A wild @espreto appears. :)
@espreto: I've been working on CouchDB and have yet to push my code for CVE-2017-12635 and general CouchDB exploitation. Since we've worked together before, and you wrote the original CouchDB modules, I wanted to check in with you on this. Is there any deconfliction that needs to occur? Thanks!
I have written a simple Python script which enumerates and dumps any document collection and file attachments not protected by auth (no user membership set) from an exposed CouchDB instance (available here: https://github.com/faber-rwx/couchdd).
If you guys are already planning to code more stuff for CouchDB exploitation, it would be good to add something similar to the couchdb_enum auxiliary module once it's fixed ^_^ (see issue #9320).
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It's been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.