CouchDB - Ports 5984, 6984

Basic info

CouchDB is a document-oriented, schema-less NoSQL database in which every "document" is simply a JSON object.

Internally, every CouchDB document carries two reserved fields:

| Field | Meaning |
|-------|---------|
| _id   | The document's unique identifier |
| _rev  | Revision number (tracks changes) |

Documents can contain key-value pairs, nested maps, or lists. Everything is accessed through the HTTP REST API rather than through database drivers.

Default Ports

| Port | Protocol | Purpose |
|------|----------|---------|
| 5984 | HTTP     | Public API |
| 6984 | HTTPS    | Public API |
| 5986 | Internal | Node-local API |
| 4369 | TCP      | Erlang Port Mapper Daemon (EPMD); extremely important for RCE |

And if you see port 4369 (EPMD) → your hacker senses should start tingling. (More on that later.)


Automatic Enumeration

Nmap

Metasploit


Manual Enumeration (Must-Know for Real Pentesters)

Check if CouchDB is reachable

Possible outputs:

Unauthenticated access allowed:

Authentication required:

If you see 401, you’ll need creds or an exploit.


High-Value Endpoints Hackers Should Always Check

These endpoints typically reveal database names, cluster metadata, and replication details — sometimes containing API keys, JWT secrets, production credentials, or remote cluster URLs.

| Endpoint | What It Reveals |
|----------|-----------------|
| /_active_tasks | Replication and indexing jobs, DB names |
| /_all_dbs | All database names (usually the jackpot) |
| /_cluster_setup | Cluster configuration |
| /_db_updates | Real-time database creation events |
| /_membership | Cluster nodes |
| /_scheduler/jobs | Replication job details, often including credentials |
| /_node/_local/_stats | System info |
| /_up | Basic health check |
| /_uuids | UUID generation |
| /_reshard | Shard operations |

Use:

If 401:


Extracting Databases, Documents & Credentials

List databases

Example:

Show DB metadata

List documents

Read a document

At this point, in real pentests, you often find:

  ✔ API keys
  ✔ Auth tokens
  ✔ Password databases
  ✔ Backups
  ✔ Internal cluster secrets
  ✔ User PII


Exploitation Techniques

CouchDB has had multiple high-impact CVEs, many still found in the wild.

CVE-2017-12635 — Create an Admin User Without Authentication

This is the most famous and most dangerous CouchDB vulnerability ever discovered.

🧠 Why it works

CouchDB parses the same JSON body twice: once in Erlang and once in JavaScript.

If you send two fields with the same key, the Erlang parser keeps both entries, but the JS parser keeps only the last one. The JS validation function therefore sees a harmless value and allows the write, while the Erlang side acts on the privileged one.

Meaning this payload:

Erlang sees roles=["_admin"]
JS sees roles=[]

CouchDB incorrectly grants admin privileges.

Exploit:

You now have admin control of the entire server.
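The parser discrepancy above is a classic JSON duplicate-key differential, and the defensive fix is to refuse any document that repeats a key before it reaches two different parsers. The following is an added example, not code from the original page or from CouchDB: it contrasts a first-wins view, a last-wins view and a strict loader on a constructed `_users`-style document.

```python
import json
from typing import Any

# Constructed sample modelled on the discrepancy described above (not a payload
# taken from the page): the "roles" key appears twice with different values.
SAMPLE_DOC = (
    '{"type": "user", "name": "alice", "roles": ["_admin"], '
    '"roles": [], "password": "example"}'
)


class DuplicateKeyError(ValueError):
    """Raised when a JSON object carries the same key more than once."""


def _reject_duplicates(pairs: list[tuple[str, Any]]) -> dict:
    seen: dict[str, Any] = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        seen[key] = value
    return seen


def strict_loads(text: str) -> dict:
    """Parse JSON, refusing any object (nested ones included) that repeats a key."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def last_wins(text: str) -> dict:
    """Lenient parse where the last duplicate wins (the JS view described above)."""
    return json.loads(text)


def first_wins(text: str) -> dict:
    """Lenient parse where the first duplicate wins (the Erlang view described above)."""
    return json.loads(text, object_pairs_hook=lambda pairs: dict(reversed(pairs)))


def parsers_disagree(text: str) -> bool:
    """True when the two lenient views of the same body do not match."""
    return first_wins(text) != last_wins(text)


def has_duplicate_keys(text: str) -> bool:
    """Validation gate: True if the body would be rejected by strict_loads."""
    try:
        strict_loads(text)
    except DuplicateKeyError:
        return True
    return False
```

Any body for which `parsers_disagree` is true is exactly the class of input that should never be accepted by a system that validates in one parser and authorizes in another.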


CVE-2018-8007 — RCE via local.ini write injection (OS Daemons)

If an attacker can write to local.ini (misconfigured permissions), they can register OS daemons that CouchDB executes on startup.

Injection example:

Then:

CouchDB restarts → executes /usr/bin/touch /tmp/pwned.

This is full OS command execution.

CVE-2017-12636 — RCE via malicious query server definitions

CouchDB allows admins to define query servers, e.g.:

But if you can write:

You can trigger it by creating a view that calls the query server.

Example exploitation flow:

Boom → command execution.

If port 4369 (EPMD) is open AND you can read the Erlang cookie file (usually .erlang.cookie), you can:

  ✔ Join the CouchDB cluster
  ✔ Execute arbitrary Erlang code
  ✔ Spawn remote shells
  ✔ Dump secrets
  ✔ Control the entire node

This is a full cluster compromise.

Erlang cookies are commonly found in:

If readable → game over.


Practical Real-World Attack Chains

Attack Chain 1:

Unauthenticated CouchDB + Exposed _all_dbs → Secrets → Lateral Movement

  1. Access /_all_dbs

  2. Dump _replicator DB

  3. Replication tasks often include remote credentials

  4. Use creds to pivot into AWS, GitLab, MongoDB, etc.


Attack Chain 2:

CVE-2017-12635 Admin Creation → Query Server RCE → Reverse Shell

  1. Create admin user (CVE-2017-12635)

  2. Add malicious query server

  3. Trigger RCE via design document

  4. Send reverse shell payload

  5. Full system compromise


Attack Chain 3:

Misconfigured local.ini → CouchDB Daemon Injection (CVE-2018-8007) → Privilege escalation

  1. Write to /home/*/etc/local.ini

  2. Inject [os_daemons]

  3. Restart CouchDB → execute payload

  4. Gain local user’s privileges

  5. Escalate via sudo misconfig or cron jobs


Attack Chain 4:

  1. Access .erlang.cookie (world-readable)

  2. Connect to EPMD node

  3. Execute arbitrary Erlang commands

  4. RCE without touching CouchDB API

  5. Persist via erlang shell

This is extremely powerful and still commonly found.


Defending CouchDB (What Blue Teams Must Fix)

  ✔ Disable remote access to 5984 unless it is behind a firewall
  ✔ Block port 4369 (EPMD) externally
  ✔ Do NOT allow a world-writable local.ini
  ✔ Upgrade from vulnerable versions: 1.x and 2.x before 2.2
  ✔ Enforce authentication (require_valid_user = true)
  ✔ Disable the _session cookie if not needed
  ✔ Disable CORS unless required
  ✔ Rotate the Erlang cookie after a compromise
  ✔ Disable default admin/admin accounts
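Several of the fixes in the list above live in local.ini, so they can be checked mechanically. The following is an added example, not code from the page or from the CouchDB project: it audits a constructed weak local.ini and its hardened counterpart for the settings discussed here (bind address, require_valid_user, CORS, the default admin account, and any [os_daemons] or [query_servers] entries).

```python
import configparser

# Constructed local.ini fragments (not taken from the page): a weak configuration
# next to a hardened one covering the settings in the defence list above.
WEAK_INI = """
[chttpd]
bind_address = 0.0.0.0
require_valid_user = false
[cors]
enable = true
[admins]
admin = admin
[os_daemons]
helper = /opt/scripts/some_daemon.sh
"""

HARDENED_INI = """
[chttpd]
bind_address = 127.0.0.1
require_valid_user = true
[cors]
enable = false
[admins]
ops = -pbkdf2-PLACEHOLDER_HASH
"""


def audit_local_ini(text: str) -> list[str]:
    """Return the weaknesses found in a local.ini body (empty list if clean)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    if cfg.get("chttpd", "bind_address", fallback="127.0.0.1") == "0.0.0.0":
        findings.append("chttpd.bind_address = 0.0.0.0 exposes port 5984 on every interface")
    # CouchDB honours require_valid_user in either section; neither being true is a finding.
    if not any(cfg.get(s, "require_valid_user", fallback="false").lower() == "true"
               for s in ("chttpd", "couch_httpd_auth")):
        findings.append("require_valid_user is not true: unauthenticated reads are allowed")
    if cfg.get("cors", "enable", fallback="false").lower() == "true":
        findings.append("cors.enable = true: other web origins can call the API")
    if cfg.has_option("admins", "admin"):
        findings.append("[admins] still defines the default 'admin' account")
    for section in ("os_daemons", "query_servers"):
        if cfg.has_section(section) and cfg.options(section):
            findings.append(f"[{section}] defines {len(cfg.options(section))} command(s): review each one")
    return findings
```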


Cheat Sheet Summary for Pentesters

Enumeration

CVE-2017-12635 Admin Creation

CVE-2017-12636 / Query Server RCE

CVE-2018-8007 OS Daemon Injection

Look for .erlang.cookie + port 4369 open.

