search
πŸ“œ MediumπŸ›’ My ShopπŸ‘Ύ GithubπŸ“© Telegram πŸ“Ί YouTubeβœ– Twitter

CouchDB - Port 5984,6984

hashtag
Basic info

CouchDB is A document-oriented, schema-less NoSQL database where every β€œdocument” is just JSON.

Internally, CouchDB stores:

Field
Meaning

_id

The document’s unique identifier

_rev

Revision number (tracks changes)

Documents can contain key-value mappings, nested maps, or lists. Everything is accessed through HTTP REST APIs β€” not drivers.

hashtag
Default Ports

Port
Protocol
Purpose

5984

HTTP

Public API

6984

HTTPS

Public API

5986

Internal

Node-local API

4369

TCP

Erlang Port Mapper Daemon (EPMD) β€” extremely important for RCE

And if you see port 4369 (EPMD) β†’ your hacker senses should start tingling. (More on that later.)

hashtag
Automatic Enumeration

hashtag
Nmap

hashtag
Metasploit

hashtag
Manual Enumeration (Must-Know for Real Pentesters)

hashtag
Check if CouchDB is reachable

Possible outputs:

Unauthenticated access allowed:

Authentication required:

If you see 401, you’ll need creds or an exploit.

hashtag
High-Value Endpoints Hackers Should Always Check

These endpoints typically reveal database names, cluster metadata, and replication details β€” sometimes containing API keys, JWT secrets, production credentials, or remote cluster URLs.

Endpoint
What It Reveals

/_active_tasks

Replication, indexing jobs, DB names

/_all_dbs

All database names (usually the jackpot)

/_cluster_setup

Cluster configuration

/_db_updates

Real-time database creation events

/_membership

Cluster nodes

/_scheduler/jobs

Replication dag + credentials

/_node/_local/_stats

System info

/_up

Basic health check

/_uuids

UUID generation

/_reshard

Shard operations

Use:

If 401:

hashtag
Extracting Databases, Documents & Credentials

hashtag
List databases

Example:

hashtag
Show DB metadata

hashtag
List documents

hashtag
Read a document

At this point, in real pentests, you often find:

βœ” API keys βœ” Auth tokens βœ” Password databases βœ” Backups βœ” Internal cluster secrets βœ” User PII

hashtag
Exploitation Techniques

CouchDB has had multiple high-impact CVEs, many still found in the wild.

hashtag
CVE-2017-12635 β€” Create an Admin User Without Authentication

This is the most famous and most dangerous CouchDB vulnerability ever discovered.

hashtag
🧠 Why it works

CouchDB parses JSON twice β€” once in Erlang, once in JavaScript.

If you send two fields with the same key, the Erlang parser keeps both, but the JS parser keeps only the last.

Meaning this payload:

β†’ Erlang sees roles=["_admin"] β†’ JS sees roles=[]

CouchDB incorrectly grants admin privileges.

hashtag
Exploit:

You now have admin control of the entire server.

hashtag
CVE-2018-8007 β€” RCE via local.ini write injection (OS Daemons)

If an attacker can write to local.ini (misconfigured perms), they can register system daemons to be executed by CouchDB.

Injection example:

Then:

CouchDB restarts β†’ executes /usr/bin/touch /tmp/pwned.

This is full OS command execution.

hashtag
CVE-2017-12636 β€” RCE via malicious query server definitions

CouchDB allows admins to define query servers, e.g.:

But if you can write:

You can trigger it by creating a view that calls the query server.

Example exploitation flow:

Boom β†’ command execution.

hashtag
Erlang Cookie RCE (Not a CVE β€” but extremely real)

If port 4369 (EPMD) is open AND you can read the Erlang cookie file (usually .erlang.cookie), you can:

βœ” Join the CouchDB cluster βœ” Execute arbitrary Erlang code βœ” Spawn remote shells βœ” Dump secrets βœ” Control the entire node

This is a full cluster compromise.

Erlang cookies are commonly found in:

If readable β†’ game over.

hashtag
Practical Real-World Attack Chains

hashtag
Attack Chain 1:

hashtag
Unauthenticated CouchDB + Exposed _all_dbs β†’ Secrets β†’ Lateral Movement

  1. Access /_all_dbs

  2. Dump _replicator DB

  3. Replication tasks often include remote credentials

  4. Use creds to pivot into AWS, GitLab, MongoDB, etc.

hashtag
Attack Chain 2:

hashtag
CVE-2017-12635 Admin Creation β†’ Query Server RCE β†’ Reverse Shell

  1. Create admin user (CVE-2017-12635)

  2. Add malicious query server

  3. Trigger RCE via design document

  4. Send reverse shell payload

  5. Full system compromise

hashtag
Attack Chain 3:

hashtag
Misconfigured local.ini β†’ CouchDB Daemon Injection (CVE-2018-8007) β†’ Privilege escalation

  1. Write to /home/*/etc/local.ini

  2. Inject [os_daemons]

  3. Restart CouchDB β†’ execute payload

  4. Gain local user’s privileges

  5. Escalate via sudo misconfig or cron jobs

hashtag
Attack Chain 4:

hashtag
Erlang Cookie Leakage β†’ Cluster Takeover

  1. Access .erlang.cookie (world-readable)

  2. Connect to EPMD node

  3. Execute arbitrary Erlang commands

  4. RCE without touching CouchDB API

  5. Persist via erlang shell

This is extremely powerful and still commonly found.

hashtag
Defending CouchDB (What Blue Teams Must Fix)

βœ” Disable remote access to 5984 unless behind firewall βœ” Block port 4369 (EPMD) externally βœ” Do NOT allow world-writable local.ini βœ” Upgrade from vulnerable versions:

  • 1.x

  • 2.x pre-2.2 βœ” Enforce authentication (require_valid_user = true) βœ” Disable _session cookie if not needed βœ” Disable CORS unless required βœ” Rotate Erlang cookie after compromise βœ” Disable default admin/admin accounts

hashtag
Cheat Sheet Summary for Pentesters

hashtag
Enumeration

hashtag
CVE-2017-12635 Admin Creation

hashtag
CVE-2017-12636 / Query Server RCE

hashtag
CVE-2018-8007 OS Daemon Injection

hashtag
Erlang Cookie RCE

Look for .erlang.cookie + port 4369 open.

circle-check

Learn & practice For the Bug Bountyarrow-up-right

chevron-rightSupport VeryLazyTech πŸŽ‰hashtag
PreviousVNC - Port 5800/5801/5900/5901NextWinRM - Port 5985, 5986

Last updated