
Fix false positive on couchdb enum check #21346

Open
adfoster-r7 wants to merge 1 commit into rapid7:master from adfoster-r7:fix-false-positive-on-couchdb-enum-check


@adfoster-r7

Fix false positive on couchdb enum check

msf auxiliary(scanner/couchdb/couchdb_enum) > check 10.140.106.183 rport=8080 httptrace=true
####################
# Request:
####################
GET / HTTP/1.1
Host: 10.140.106.183:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
####################
# Response:
####################
HTTP/1.1 404 Not Found
Date: Tue, 21 Apr 2026 15:24:18 GMT
Content-Type: text/html
Content-Length: 795
Server: Jetty(8.1.7.v20120910)
<HTML>
<HEAD>
<TITLE>Error 404 - Not Found</TITLE>
<BODY>
<H2>Error 404 - Not Found.</H2>
No context on this server matched or handled this request.<BR>Contexts known to this server are: <ul><li><a href="/continuum">/continuum&nbsp;--->&nbsp;o.e.j.w.WebAppContext{/continuum,file:/opt/apache_continuum/apache-continuum-1.4.2/apps/continuum/},./apps/continuum</a></li>
<!-- Padding for IE                  -->
<!-- Padding for IE                  -->
<!-- Padding for IE                  -->
<!-- Padding for IE                  -->
<!-- Padding for IE                  -->
<!-- Padding for IE                  -->
<!-- Padding for IE                  -->
<!-- Padding for IE                  -->
<!-- Padding for IE                  -->
<!-- Padding for IE                  -->
</BODY>
</HTML>
[+] 10.140.106.183:8080 - The target appears to be vulnerable.
msf auxiliary(scanner/couchdb/couchdb_enum) > 

Verification

Against not vulnerable, working as expected:

msf auxiliary(scanner/couchdb/couchdb_enum) > check 10.140.106.183 rport=8080
[*] 10.140.106.183:8080 - Cannot reliably check exploitability.

Against vulnerable (docker run -p 5984:5984 couchdb:1.6.1) - working as expected:

msf auxiliary(scanner/couchdb/couchdb_enum) > check 127.0.0.1 httptrace=true
####################
# Request:
####################
GET / HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
####################
# Response:
####################
HTTP/1.1 200 OK
Server: CouchDB/1.6.1 (Erlang OTP/17)
Date: Tue, 21 Apr 2026 15:31:35 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 151
Cache-Control: must-revalidate
{"couchdb":"Welcome","uuid":"a7e82208122cb03efb9a1c5812bb97ba","version":"1.6.1","vendor":{"version":"1.6.1","name":"The Apache Software Foundation"}}
[+] 127.0.0.1:5984 - The target appears to be vulnerable.
msf auxiliary(scanner/couchdb/couchdb_enum) > run 127.0.0.1 httptrace=true
[*] Running module against 127.0.0.1
####################
# Request:
####################
GET /_all_dbs HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
####################
# Response:
####################
HTTP/1.1 200 OK
Server: CouchDB/1.6.1 (Erlang OTP/17)
Date: Tue, 21 Apr 2026 15:31:37 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 25
Cache-Control: must-revalidate
["_replicator","_users"]
[*] 127.0.0.1:5984 - Enumerating Databases...
[+] 127.0.0.1:5984 - Databases:
[
  "_replicator",
  "_users"
]
[+] 127.0.0.1:5984 - File saved in: /Users/adfoster/.msf4/loot/20260421163137_default_127.0.0.1_couchdb.enum_522335.bin
####################
# Request:
####################
GET /_all_dbs/_replicator/_all_docs?include_docs=true&attachments=true HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Authorization: Basic d0RrTHJKdGFPZWRxOnFHVHJMTnVRelFoTg==
####################
# Response:
####################
HTTP/1.1 401 Unauthorized
Server: CouchDB/1.6.1 (Erlang OTP/17)
Date: Tue, 21 Apr 2026 15:31:37 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 67
Cache-Control: must-revalidate
{"error":"unauthorized","reason":"Name or password is incorrect."}
[-] 127.0.0.1:5984 - Error retrieving database. Consider providing credentials or setting CREATEUSER and rerunning.
[*] Auxiliary module execution completed
msf auxiliary(scanner/couchdb/couchdb_enum) > 


Copilot AI left a comment


Pull request overview

This PR tightens CouchDB detection in couchdb_enum to avoid false positives during check when the target returns non-CouchDB responses (e.g., generic 404 HTML pages).

Changes:

  • Make get_version fail closed unless the root endpoint returns HTTP 200.
  • Validate that the parsed JSON looks like CouchDB (expects a couchdb key) before accepting it.
  • Require a parsed version value before reporting a successful version fetch.

Comment thread on modules/auxiliary/scanner/couchdb/couchdb_enum.rb (outdated)
@adfoster-r7 force-pushed the fix-false-positive-on-couchdb-enum-check branch from cdd96c7 to 6e992aa on April 21, 2026 21:48
@adfoster-r7 marked this pull request as ready for review on April 22, 2026 01:28
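
The three conditions listed in the review overview, as an added Ruby example (not the code from this PR). `couchdb_version` and `check_outcome` are hypothetical names, and the sample bodies are constructed from the two traces in the description.

```ruby
require 'json'

# Constructed sample bodies, abbreviated from the two traces in the PR description.
JETTY_404_BODY = '<HTML><HEAD><TITLE>Error 404 - Not Found</TITLE></HEAD></HTML>'
COUCHDB_BODY = '{"couchdb":"Welcome","version":"1.6.1",' \
               '"vendor":{"version":"1.6.1","name":"The Apache Software Foundation"}}'

# Hypothetical helper, not the module's get_version: returns the version string
# only when the root response can be attributed to CouchDB, otherwise nil.
def couchdb_version(status, body)
  return nil unless status == 200 # 1. fail closed on any non-200 response

  begin
    doc = JSON.parse(body.to_s)
  rescue JSON::ParserError
    return nil # HTML error pages, empty bodies, truncated JSON
  end

  # 2. valid JSON is not enough: it must be an object carrying the couchdb key
  return nil unless doc.is_a?(Hash) && doc.key?('couchdb')

  # 3. no usable version string means no successful fetch
  version = doc['version']
  version.is_a?(String) && !version.strip.empty? ? version : nil
end

# Maps the result onto the two outcomes shown in the PR's console output
# (:appears for "appears to be vulnerable", :unknown for "cannot reliably check").
def check_outcome(status, body)
  couchdb_version(status, body) ? :appears : :unknown
end

if __FILE__ == $PROGRAM_NAME
  [[404, JETTY_404_BODY], [200, JETTY_404_BODY], [200, '["_replicator","_users"]'],
   [200, '{"version":"1.0"}'], [200, '{"couchdb":"Welcome"}'], [200, COUCHDB_BODY]].each do |status, body|
    puts format('%-8s %d %s', check_outcome(status, body), status, body[0, 40])
  end
end
```

Only the last sample, a 200 response whose JSON object has both a `couchdb` key and a version string, is classified as CouchDB; every other case falls through to the unknown outcome.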