Apache CouchDB Improper Privilege Management Leads to Remote Code Execution
A public exploit demonstrates improper privilege management in Apache CouchDB (CVE-2017-12635) leading to privilege escalation, which can be combined with CVE-2017-12636 for remote code execution by modifying server configurations via the HTTP API.
A public exploit has surfaced detailing a critical vulnerability in Apache CouchDB version 1.6.0. This exploit leverages CVE-2017-12635, an improper privilege management flaw, enabling an attacker to gain administrative privileges. By exploiting inconsistent handling of duplicate JSON roles keys, a malicious actor can create a new user with administrator rights. This privilege escalation serves as a stepping stone to CVE-2017-12636, which allows remote code execution by modifying CouchDB’s configuration via the HTTP API. The vulnerability is triggered when CouchDB versions prior to 1.7.1 process design functions that declare a “language” field. Successful exploitation can lead to complete system compromise as the attacker gains the ability to execute arbitrary commands on the server.
Attack Chain
- The attacker probes the target CouchDB instance, identifying version 1.6.0 running on port 5984.
- The attacker exploits CVE-2017-12635 by sending a crafted HTTP PUT request to the /_users endpoint with a JSON payload containing duplicate “roles” keys. The first “roles” key grants admin privileges, while the second bypasses validation.
- A new user account, such as “hacker”, is created with administrative privileges due to the vulnerability in JSON parsing.
- The attacker authenticates to the CouchDB instance using the newly created admin account.
- The attacker exploits CVE-2017-12636 by sending an HTTP PUT request to the /_config/query_servers/cmd endpoint, setting the value to an OS command (e.g., “id 1>/tmp/pwned 2>&1”).
- The attacker creates a new database (e.g., “rcetest”) and a design document with a view using the “cmd” language.
- The attacker triggers the view by sending an HTTP GET request to the /rcetest/_design/rce/_view/myview endpoint.
- CouchDB executes the configured OS command under the privileges of the CouchDB process (couchdb user), achieving remote code execution.
Impact
Successful exploitation allows attackers to gain full control of the CouchDB instance. This includes the ability to read, modify, and delete sensitive data stored within the databases. Furthermore, by leveraging remote code execution (CVE-2017-12636), attackers can execute arbitrary commands on the server with the privileges of the CouchDB process. While the exploit described in the source material shows code execution with the privileges of the “couchdb” user (uid=1000), this is still remote code execution within the boundaries of the service's permissions, and a foothold from which the host system can be further compromised.
Recommendation
- Immediately upgrade Apache CouchDB to a secure version (≥ 1.7.1 or ≥ 2.1.1, recommended version 3.x) to patch CVE-2017-12635 and CVE-2017-12636.
- Configure require_valid_user = true in the local.ini configuration file to block all anonymous API access, mitigating CVE-2017-12635.
- Implement network segmentation to restrict access to port 5984 (CouchDB HTTP API) to only trusted IPs.
- Use config_whitelist in the local.ini file to restrict which configuration keys can be modified via the API, preventing attackers from leveraging the /_config/query_servers endpoint to inject OS commands, addressing CVE-2017-12636.
Detection coverage (2 rules)
Detect CVE-2017-12635 Exploitation Attempt - Duplicate Roles in User Creation
Severity: high. Detects attempts to exploit CVE-2017-12635 by creating a user with duplicate 'roles' keys in the JSON payload, indicating a potential privilege escalation attempt.
Detect CVE-2017-12636 Exploitation Attempt - Modifying CouchDB Query Servers Configuration
Severity: high. Detects attempts to exploit CVE-2017-12636 by modifying the CouchDB query_servers configuration, potentially leading to remote code execution.
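The two detections above, implemented here as an added example (not the platform's own queries): duplicate "roles" keys are found by parsing the request body with a pair-level hook, since a plain json.loads silently keeps the last duplicate, and configuration writes are matched on the /_config/query_servers path. The request records are constructed, and their shape (method, path, raw body) is an assumption about how a reverse proxy in front of CouchDB would log traffic.

```python
import json
import re

# Constructed sample records (not a real capture): one dict per CouchDB HTTP
# request as a reverse proxy might log it; records 2 and 3 mirror the advisory.
SAMPLE_REQUESTS = [
    {"method": "PUT", "path": "/_users/org.couchdb.user:alice",
     "body": '{"type":"user","name":"alice","roles":[],"password":"pw"}'},
    {"method": "PUT", "path": "/_users/org.couchdb.user:hacker",
     "body": '{"type":"user","name":"hacker","roles":["_admin"],"roles":[],"password":"pw"}'},
    {"method": "PUT", "path": "/_config/query_servers/cmd",
     "body": '"<os-command-placeholder>"'},
    {"method": "GET", "path": "/rcetest/_design/rce/_view/myview", "body": ""},
]
QUERY_SERVERS_PATH = re.compile(r"^/_config/query_servers(/|$)")


def find_duplicate_keys(raw_json):
    """Return object keys occurring more than once at any nesting level.
    json.loads keeps only the last duplicate; object_pairs_hook sees every pair,
    exposing the parser disagreement that CVE-2017-12635 relies on."""
    dupes = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dupes.append(key)
            seen.add(key)
        return dict(pairs)

    try:
        json.loads(raw_json, object_pairs_hook=hook)
    except ValueError:
        return []  # body is not JSON; nothing to say about its keys
    return dupes

def classify_request(req):
    """Return a detection label for one request, or None if it looks benign."""
    method, path = req["method"].upper(), req["path"]
    if method in ("PUT", "POST") and path.startswith("/_users/"):
        if "roles" in find_duplicate_keys(req["body"]):
            return "CVE-2017-12635: duplicate 'roles' key in user document"
    if method in ("PUT", "DELETE") and QUERY_SERVERS_PATH.match(path):
        return "CVE-2017-12636: query_servers configuration changed via HTTP API"
    return None

def scan(requests):
    # (path, label) for every request that triggers one of the two rules
    labelled = ((r["path"], classify_request(r)) for r in requests)
    return [(path, label) for path, label in labelled if label]
```

The GET that executes the view is deliberately left unflagged: on its own it is indistinguishable from a normal view query, so alerting on it would need the design document's "language" field, not just the request line.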