New Module: Apache Couchdb

modules/vulnerabilities/unix/http/apache_couchdb/apache_couchdb.pp

@@ -0,0 +1,9 @@
+# begining of puppet code execution
+
+
+contain apache_couchdb::install
+contain apache_couchdb::couchdb 
+#contain apache_couchdb::configure
+ Class['apache_couchdb::install'] ->
+ Class['apache_couchdb::couchdb'] #->
+# Class['apache_couchdb::configure'] 

modules/vulnerabilities/unix/http/apache_couchdb/manifests/configure.pp

@@ -0,0 +1,37 @@
+class apache_couchdb::configure {
+	#$secgen_parameters=secgen_functions::get_parameters($::base64_inputs_file)
+	#$account = parsejson($secgen_params['account'][0])
+	$database = 'new_database' ##TODO secgen
+	$username = 'couchdb' ##TODO secgen
+	$password = 'password' ##TODO secgen
+	$jsondb = 'sampledata' ##TODO secgen
+	$strings_to_leak = ["this is a list of strings that are secrets / flags","another secret"]##$secgen_parameters['strings_to_leak']
+	$leaked_filenames = ["flagtest"]##$secgen_parameters['leaked_filenames']
+	$strings_to_preleak = ["preleak"]##$secgen_parameters['strings_to_pre_leak'], 
+
+	Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+	#create database 
+	exec { 'create-database':
+		command => "curl -X PUT http://localhost:34023/${database} -u \"${username}:${password}\"",
+		logoutput => true
+	}->
+	exec { 'import_data':
+        cwd=> '/usr/bin/',
+		command => "curl -d @${jsondb}.json -H \"Content-type: application/json\" -X POST http://127.0.0.1:34023/${database}/_bulk_docs -u \"${username}:${password}\"",
+		logoutput => true
+	}
+
+	# Leak strings in a text file in the users home directory
+	  # ::secgen_functions::leak_files { "$username-file-leak":
+		# storage_directory => "/home/${username}",
+		# leaked_filenames  => $leaked_filenames,
+		# strings_to_leak   => $strings_to_leak,
+		# owner             => ${username},
+		# group             => ${username},
+		# mode              => '0600',
+		# leaked_from       => "accounts_$username",
+	  # }
+
+
+}

modules/vulnerabilities/unix/http/apache_couchdb/manifests/couchdb.pp

@@ -0,0 +1,67 @@
+class apache_couchdb::couchdb {
+	#$secgen_parameters=secgen_functions::get_parameters($::base64_inputs_file)
+	#$account = parsejson($secgen_params['account'][0])
+	$username = 'couchdb' ##TODO secgen
+	$password = 'password' ##TODO secgen
+	$host ='127.0.0.1'
+	$docroot = '/opt/couchdb'
+	$database_dir = '/var/lib/couchdb'
+	$uid = fqdn_uuid('localhost.com')
+	$port =  '34023'
+
+
+	Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+	#create user
+	#create system user
+	::accounts::user { "${username}":
+		shell      => '/bin/bash',
+		ensure => present,
+		password   => pw_hash($password, 'SHA-512', 'mysalt'),
+	}->
+	#set folder permissions
+	exec { 'chown-couchdb':
+		command => "chown -R ${username}:${username} ${docroot}",
+		logoutput => true
+	}->
+	exec { 'chmod-couchdb':
+		command => "chmod -R 770 ${docroot}",
+		logoutput => true
+	}->
+
+
+	#configuration file
+	file { "${docroot}/etc/local.ini" :
+		 ensure => file,
+		 content => template("apache_couchdb/local.ini.erb"),
+	}->
+	# add vm.args files
+	file { "${docroot}/etc/vm.args":
+		ensure => file,
+		content => template("apache_couchdb/vm.args.erb"),
+		notify => Exec['restart-couchdb']
+
+	}
+
+	#restart couch db
+	exec {'restart-couchdb':
+		command => 'systemctl restart couchdb',
+		logoutput => true,
+		notify => Exec['wait-apache-couchdb']
+	}
+	exec { 'wait-apache-couchdb':
+		command => 'sleep 4',
+		logoutput => true,
+		notify => Exec['chown-uri-file'],
+	}
+	exec { 'chown-uri-file':
+		command => "chown -R ${username}:${username} /var/run/couchdb/",
+		logoutput => true,
+	}->
+	exec { 'chmod-uri-file':
+		command => "chmod -R 770 /var/run/couchdb/",
+		logoutput => true,
+	}
+
+
+
+}

modules/vulnerabilities/unix/http/apache_couchdb/manifests/install.pp

@@ -0,0 +1,32 @@
+class apache_couchdb::install {
+
+	$responsefile= 'installresponse'
+	$packagename = 'couchdb_3.2.1_buster_amd64'
+	$jsondb = 'sampledata'
+	ensure_packages(['build-essential','pkg-config', 'erlang','libicu-dev', 'libmozjs-60-dev','libcurl4-openssl-dev', 'gnupg'])
+	Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+
+	# copy archive 
+	file { "/usr/local/src/${packagename}.deb" :
+		ensure => file,
+		source => "puppet:///modules/apache_couchdb/${packagename}.deb",
+	}->
+	file { "/usr/bin/${responsefile}" :
+		 ensure => file,
+		 content => template("apache_couchdb/${responsefile}.erb"),
+	}->
+	file { "/usr/bin/${jsondb}.json" :
+		 ensure => file,
+		 content => template("apache_couchdb/${jsondb}.json"),
+	}->
+	#install couch db from deb file
+	package {'couchdb-install':
+	name  => "$packagename",
+	provider => dpkg,
+	source   => "/usr/local/src/${packagename}.deb",
+	responsefile =>  "${responsefile}",
+	}
+
+
+}

modules/vulnerabilities/unix/http/apache_couchdb/secgen_metadata.xml

@@ -0,0 +1,93 @@
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+
+<name>Apache CouchDB Unauthenticated RCE /name>
+  <author>Sofia Markusfeld</author>
+  <module_license>Apache</module_license>
+
+
+  <description>Apache CouchDB versions 3.2.1 and below default installation settings are vulnerable to an Earling RCE exploit.  
+  </description>
+
+  <type>remote</type>
+  <type></type>
+  <type></type>
+  <privilege></privilege>
+  <access>remote</access>
+  <platform>linux_apache_php</platform>
+  <difficulty>low</difficulty>
+
+
+   <read_fact>port</read_fact>
+   <read_fact>known_username</read_fact>
+    <read_fact>known_password</read_fact>
+   <read_fact>strings_to_leak</read_fact>
+     <read_fact>strings_to_preleak</read_fact>
+   <read_fact>leaked_filenames</read_fact>
+
+   <default_input into="port">
+		<value>34023</value>
+   </default_input>
+
+<!-- flags or other secrets exposed after exploitation -->
+  <default_input into="strings_to_leak">
+    <generator type="message_generator"/>
+  </default_input>
+    <default_input into="leaked_filenames">
+    <generator type="message_generator"/>
+  </default_input>
+
+
+
+    <!--optional vulnerability details-->
+  <!-- rce vuln -->
+  <cve>CVE-2022-24706</cve>
+
+
+      <cvss_base_score>9</cvss_base_score>
+  <cvss_vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</cvss_vector>
+  <reference>https://www.exploit-db.com/exploits/50914</reference>
+   <reference>https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/apache_couchdb_erlang_rce.rb</reference>
+  <software_name>Apache CouchDB</software_name>
+  <software_license>Apache</software_license>
+
+  <!--optional hints-->
+  <hint>This exploit is based off on 1F98D's Erlang Cookie - Remote Code Execution  </hint>
+
+
+  <conflict>
+    <type></type>
+  </conflict>
+
+
+  <requires>
+    <module_path>.*apache.*compatible.*</module_path>
+  </requires>
+
+  <requires>
+    <module_path>.*php.*compatible.*</module_path>
+  </requires>
+
+
+
+  <!-- CyBOK metadata - related security concepts / knowledge required -->
+
+    <CyBOK KA="WAM" topic="Fundamental Concepts and Approaches">
+    <keyword>authentication</keyword>
+    <keyword>passwords and alternatives</keyword>
+  </CyBOK>
+
+  <CyBOK KA="MAT" topic="Attacks and exploitation">
+    <keyword>EXPLOITATION</keyword>
+    <keyword>EXPLOITATION FRAMEWORKS</keyword>
+  </CyBOK>
+  <CyBOK KA="SS" topic="Categories of Vulnerabilities">
+    <keyword>CVEs and CWEs</keyword>
+  </CyBOK>
+  <CyBOK KA="SOIM" topic="PENETRATION TESTING">
+    <keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
+    <keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
+  </CyBOK>
+
+</vulnerability>

modules/vulnerabilities/unix/http/apache_couchdb/templates/installresponse.erb

@@ -0,0 +1,8 @@
+<%= @packagename %> couchdb/mode select standalone
+<%= @packagename %> couchdb/mode seen true
+<%= @packagename %> couchdb/bindaddress string 127.0.0.1
+<%= @packagename %> couchdb/bindaddress seen true
+<%= @packagename %> couchdb couchdb/adminpass password ${<%= @password %>}
+<%= @packagename %> couchdb couchdb/adminpass seen true
+<%= @packagename %> couchdb couchdb/adminpass_again password ${<%= @password %>}
+<%= @packagename %> couchdb couchdb/adminpass_again seen true

modules/vulnerabilities/unix/http/apache_couchdb/templates/local.ini

@@ -0,0 +1,95 @@
+; CouchDB Configuration Settings
+
+; Custom settings should be made in this file. They will override settings
+; in default.ini, but unlike changes made to default.ini, this file won't be
+; overwritten on server upgrade.
+
+[couchdb]
+max_document_size = 4294967296 ; bytes
+os_process_timeout = 5000
+
+[couch_peruser]
+; If enabled, couch_peruser ensures that a private per-user database
+; exists for each document in _users. These databases are writable only
+; by the corresponding user. Databases are in the following form:
+; userdb-{hex encoded username}
+;enable = true
+; If set to true and a user is deleted, the respective database gets
+; deleted as well.
+;delete_dbs = true
+; Set a default q value for peruser-created databases that is different from
+; cluster / q
+;q = 1
+
+[chttpd]
+port = 0
+bind_address = 127.0.0.1
+; Options for the MochiWeb HTTP server.
+;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
+; For more socket options, consult Erlang's module 'inet' man page.
+;socket_options = [{sndbuf, 262144}, {nodelay, true}]
+
+[httpd]
+; NOTE that this only configures the "backend" node-local port, not the
+; "frontend" clustered port. You probably don't want to change anything in
+; this section.
+; Uncomment next line to trigger basic-auth popup on unauthorized requests.
+;WWW-Authenticate = Basic realm="administrator"
+
+; Uncomment next line to set the configuration modification whitelist. Only
+; whitelisted values may be changed via the /_config URLs. To allow the admin
+; to change this value over HTTP, remember to include {httpd,config_whitelist}
+; itself. Excluding it from the list would require editing this file to update
+; the whitelist.
+;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]
+
+[chttpd_auth]
+; If you set this to true, you should also uncomment the WWW-Authenticate line
+; above. If you don't configure a WWW-Authenticate header, CouchDB will send
+; Basic realm="server" in order to prevent you getting logged out.
+ require_valid_user = false
+
+[ssl]
+;enable = true
+;cert_file = /full/path/to/server_cert.pem
+;key_file = /full/path/to/server_key.pem
+;password = somepassword
+; set to true to validate peer certificates
+;verify_ssl_certificates = false
+; Set to true to fail if the client does not send a certificate. Only used if verify_ssl_certificates is true.
+;fail_if_no_peer_cert = false
+; Path to file containing PEM encoded CA certificates (trusted
+; certificates used for verifying a peer certificate). May be omitted if
+; you do not want to verify the peer.
+;cacert_file = /full/path/to/cacertf
+; The verification fun (optional) if not specified, the default
+; verification fun will be used.
+;verify_fun = {Module, VerifyFun}
+; maximum peer certificate depth
+;ssl_certificate_max_depth = 1
+;
+; Reject renegotiations that do not live up to RFC 5746.
+;secure_renegotiate = true
+; The cipher suites that should be supported.
+; Can be specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}"
+; or in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
+;ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
+; The SSL/TLS versions to support
+;tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']
+
+; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
+; the Virual Host will be redirected to the path. In the example below all requests
+; to http://example.com/ are redirected to /database.
+; If you run CouchDB on a specific port, include the port number in the vhost:
+; example.com:5984 = /database
+[vhosts]
+;example.com = /database/
+
+; To create an admin account uncomment the '[admins]' section below and add a
+; line in the format 'username = password'. When you next start CouchDB, it
+; will change the password to a hash (so that your passwords don't linger
+; around in plain-text files). You can add more admin accounts with more
+; 'username = password' lines. Don't forget to restart CouchDB after
+; changing this.
+[admins]
+admin = mysecretpassword