CouchDB, Erlang and cookies — RCE on default settings

Konstantin Burov
4 min read · Apr 18, 2022


In this short write-up I want to share how to get RCE on most CouchDB installations that are not behind a firewall, whether on a local network or exposed to the Internet. For reference, Shodan showed about one and a half thousand of them.

TL;DR: the links and the exploitation tooling are at the end of the article.

Intro

Apache CouchDB is an open-source document-oriented NoSQL database, implemented in Erlang (Wiki).

(Screenshot: CouchDB instances in EPMD’s answer on shodan.io)

I learned of CouchDB’s existence not so long ago, while preparing a security product of a South Korean company (spoiler: I found a lot of interesting things there, and an article is in the works). At first I thought the developers simply did not know the software from which they had assembled their “product” for protecting other companies from cybersecurity threats, but it turned out to be a common problem.

Like any program written in Erlang, CouchDB has built-in support for distributed computing (clustering). Cluster nodes communicate using the Erlang/OTP Distribution Protocol, which, among other things, lets a connected node ask the remote node to execute OS commands:

Of course, to connect you need to know the shared secret, the “cookie” in Erlang terminology. This phrase is stored either in the .erlang.cookie file or in vm.args in the program’s directory. In the case of CouchDB this is the file /opt/couchdb/etc/vm.args.

The CouchDB installer keeps the default cookie value, monster, even when installed in Standalone mode.

It would seem simple enough: just go and change this default “password”. The problem is that the administrator may not even be aware of this functionality, because the note that the cookie must be changed appears only in the manual on the site, in the section on cluster setup:

And this is not my speculation: in a random check of the roughly one and a half thousand hosts on shodan.io, I did not come across a single CouchDB whose administrator had seen this warning. Moreover, the creators of the “security” product I wrote about above are among them.

In other words, if you stumble upon a CouchDB host on your own or a customer’s network, it is likely to be vulnerable.

Enumeration

In order to connect to an Erlang node, you need to know the node’s dynamic port. The Erlang Port Mapper Daemon (EPMD) is responsible for resolving it, and you can ask the daemon for information about the registered nodes in several ways.

By sending three bytes (the EPMD NAMES_REQ: a two-byte length followed by 'n') directly to the daemon port, tcp/4369:

echo -n -e "\x00\x01\x6e" | nc -vn <IP> 4369

Or using the nmap scanner:

nmap -sV -Pn -n -T4 -p 4369 --script epmd-info <IP>

Exploitation

To connect, you need access to the EPMD TCP port (tcp/4369) and to the port of the node itself, which is usually chosen at random.

There are several tools to choose from:

Starting from 1F98D’s script, I added an automatic lookup of the node port from EPMD:

By the way, connecting to CouchDB with the standard Erlang erl emulator will not work, because erl requires the node name in the format name@host.fqdn, whereas CouchDB’s default is couchdb@127.0.0.1. Probably the CouchDB developers considered this a reliable protection.

Remediation

You can simply upgrade to 3.2.2 or fix it manually. Fixing the problem is quite simple: replace the default cookie with something else in the file /opt/couchdb/etc/vm.args.

This one-liner, run as superuser, should do all the work:

COOKIE=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c32); \
sed -i "s/-setcookie\ monster/-setcookie\ ${COOKIE}/g" \
/opt/couchdb/etc/vm.args

Then you need to restart the CouchDB daemon.
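As an added example (not part of the original article), the same fix wrapped into small shell functions that can be dropped into a configuration-audit or hardening script: one checks whether vm.args still carries the well-known default cookie, one reports the cookie currently set, and one rotates it while keeping a backup and refusing cookies with characters that would break the sed replacement. The path is the one the article names; the function names, the backup suffix and the use of a temp file plus cat (so the file keeps its owner and mode) are this example’s own choices.

```shell
#!/bin/sh
# Added example, not CouchDB's own tooling: audit and rotate the Erlang cookie
# in a CouchDB vm.args file. Only the default path below comes from the article.

# Exit 0 if the file still uses the well-known default cookie "monster".
has_default_cookie() {
    grep -Eq '^[[:space:]]*-setcookie[[:space:]]+monster[[:space:]]*$' "$1"
}

# Print the cookie currently set in the file (first -setcookie line, if any).
current_cookie() {
    sed -n -E 's/^[[:space:]]*-setcookie[[:space:]]+([^[:space:]]+).*$/\1/p' "$1" | head -n 1
}

# Generate a 32-character alphanumeric cookie from /dev/urandom.
# LC_ALL=C keeps tr byte-oriented regardless of the caller's locale.
generate_cookie() {
    LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 32
}

# Replace whatever cookie is set in $1 with $2 (or a fresh random one).
# Returns 1 if the file has no -setcookie line, 2 if the new cookie contains
# characters outside [a-zA-Z0-9] (they would be misinterpreted by sed).
# Writes through a temp file and cat so the original owner/mode are preserved.
rotate_cookie() {
    file=$1
    new=${2:-$(generate_cookie)}
    case $new in
        ''|*[!a-zA-Z0-9]*) return 2 ;;
    esac
    grep -Eq '^[[:space:]]*-setcookie[[:space:]]' "$file" || return 1
    cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp) || return 1
    sed -E "s/^([[:space:]]*-setcookie[[:space:]]+)[^[:space:]]+/\1${new}/" "$file" > "$tmp" \
        && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone usage: only report, and only if the file is actually present.
# Rotation and the subsequent daemon restart are left to the operator, e.g.
#   rotate_cookie "$VM_ARGS" && systemctl restart couchdb   (assumed unit name)
VM_ARGS=${VM_ARGS:-/opt/couchdb/etc/vm.args}
if [ -f "$VM_ARGS" ] && has_default_cookie "$VM_ARGS"; then
    echo "WARNING: default Erlang cookie 'monster' in $VM_ARGS; rotate it and restart CouchDB"
fi
```

The restart step matters: the running BEAM keeps the cookie it was started with, so until CouchDB is restarted the old value still grants access on the distribution port.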

Summary

I hope this article will be useful and help someone improve the security of their systems, and someone else to take another flag. The CouchDB team took care of existing installations and released the fix in version 3.2.2: when updating, the installer requires the cookie to be changed.

Additional links for information on the topic:

Originally published by me at https://habr.com on April 18, 2022.
