From b1a2bb33894932b17c5d992e33eaf8359e9ad5d9 Mon Sep 17 00:00:00 2001
From: "Z. Cliffe Schreuders" <code.cliffe@schreuders.org>
Date: Thu, 20 Apr 2023 16:25:20 +0100
Subject: [PATCH] tidy and updates #267 couchdb

---
 .../apache_couchdb/manifests/configure.pp     | 15 ++------
 .../http/apache_couchdb/manifests/couchdb.pp  |  5 ++-
 .../http/apache_couchdb/manifests/install.pp  |  4 +--
 .../http/apache_couchdb/secgen_metadata.xml   | 34 ++++++++++++-------
 4 files changed, 27 insertions(+), 31 deletions(-)

diff --git a/modules/vulnerabilities/unix/http/apache_couchdb/manifests/configure.pp b/modules/vulnerabilities/unix/http/apache_couchdb/manifests/configure.pp
index 866e6fe4b..7fd88f804 100644
--- a/modules/vulnerabilities/unix/http/apache_couchdb/manifests/configure.pp
+++ b/modules/vulnerabilities/unix/http/apache_couchdb/manifests/configure.pp
@@ -1,8 +1,8 @@
 class apache_couchdb::configure {
   $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
   $database = 'couchdb'
-  $user = $secgen_parameters['leaked_username'][0]
-  $password = $secgen_parameters['leaked_password'][0]
+  $user = $secgen_parameters['unix_username'][0]
+  $password = $secgen_parameters['used_password'][0]
   $jsondb = 'sampledata' ##TODO secgen
   $strings_to_leak = $secgen_parameters['strings_to_leak']
   $leaked_filenames = $secgen_parameters['leaked_filenames']
@@ -10,17 +10,6 @@ class apache_couchdb::configure {
 
   Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
 
-  #create database 
-  #exec { 'create-database':
-  #	command => "curl -X PUT http://localhost:34023/${database} -u \"${username}:${password}\"",
-  #	logoutput => true
-  #}->
-  #exec { 'import_data':
-  #  cwd=> '/usr/bin/',
-  #	command => "curl -d @${jsondb}.json -H \"Content-type: application/json\" -X POST http://127.0.0.1:34023/${database}/_bulk_docs -u \"${username}:${password}\"",
-  #	logoutput => true
-  #}
-
   ::secgen_functions::leak_files { 'couchdb-flag-leak':
     storage_directory => $user_home,
     leaked_filenames  => $leaked_filenames,
diff --git a/modules/vulnerabilities/unix/http/apache_couchdb/manifests/couchdb.pp b/modules/vulnerabilities/unix/http/apache_couchdb/manifests/couchdb.pp
index 518d59366..512c4ec59 100644
--- a/modules/vulnerabilities/unix/http/apache_couchdb/manifests/couchdb.pp
+++ b/modules/vulnerabilities/unix/http/apache_couchdb/manifests/couchdb.pp
@@ -1,7 +1,7 @@
 class apache_couchdb::couchdb {
   $secgen_parameters=secgen_functions::get_parameters($::base64_inputs_file)
-  $username = $secgen_parameters['leaked_username'][0]
-  $password = $secgen_parameters['leaked_password'][0]
+  $username = $secgen_parameters['unix_username'][0]
+  $password = $secgen_parameters['used_password'][0]
   $host ='127.0.0.1'
   $docroot = '/opt/couchdb'
   $database_dir = '/var/lib/couchdb'
@@ -64,4 +64,3 @@ class apache_couchdb::couchdb {
     flags   => '-port 1337',
   }
 }
-
diff --git a/modules/vulnerabilities/unix/http/apache_couchdb/manifests/install.pp b/modules/vulnerabilities/unix/http/apache_couchdb/manifests/install.pp
index 298088377..45d3109c0 100644
--- a/modules/vulnerabilities/unix/http/apache_couchdb/manifests/install.pp
+++ b/modules/vulnerabilities/unix/http/apache_couchdb/manifests/install.pp
@@ -3,7 +3,7 @@ class apache_couchdb::install {
   $responsefile = 'installresponse'
   $packagename = 'couchdb_3.2.1_buster_amd64'
   $jsondb = 'sampledata.json'
-  $password = $secgen_parameters['leaked_password'][0]
+  $password = $secgen_parameters['used_password'][0]
 
   Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
 
@@ -15,7 +15,7 @@ class apache_couchdb::install {
   'libcurl4-openssl-dev',
   'gnupg'])
 
-  # copy archive 
+  # copy archive
   file { "/usr/local/src/${packagename}.deb" :
     ensure => file,
     source => "puppet:///modules/apache_couchdb/${packagename}.deb",
diff --git a/modules/vulnerabilities/unix/http/apache_couchdb/secgen_metadata.xml b/modules/vulnerabilities/unix/http/apache_couchdb/secgen_metadata.xml
index 597a781ce..fa596d11e 100644
--- a/modules/vulnerabilities/unix/http/apache_couchdb/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/http/apache_couchdb/secgen_metadata.xml
@@ -18,11 +18,9 @@
   <difficulty>low</difficulty>
 
   <read_fact>port</read_fact>
-  <read_fact>known_username</read_fact>
-  <read_fact>known_password</read_fact>
   <read_fact>strings_to_leak</read_fact>
-  <read_fact>strings_to_preleak</read_fact>
   <read_fact>leaked_filenames</read_fact>
+  <read_fact>unix_username</read_fact>
 
   <default_input into="port">
     <generator type="random_number_generator" />
@@ -37,16 +35,15 @@
     <generator type="filename_generator" />
   </default_input>
 
-  <default_input into="leaked_username">
+  <default_input into="unix_username">
     <value>couchdb</value>
   </default_input>
 
-  <default_input into="leaked_password">
+  <default_input into="used_password">
     <generator type="password_generator" />
   </default_input>
 
-  <!--optional
-  vulnerability details-->
+  <!--optional vulnerability details-->
   <!-- rce vuln -->
   <cve>CVE-2022-24706</cve>
   <cvss_base_score>9</cvss_base_score>
@@ -57,15 +54,26 @@
   <software_name>Apache CouchDB</software_name>
   <software_license>Apache</software_license>
 
-  <!--optional
-  hints-->
+  <!--optional hints-->
   <hint>This exploit is based off on 1F98D's Erlang Cookie - Remote Code Execution </hint>
 
   <requires>
     <type>update</type>
   </requires>
-  <!--<requires>
-    <module_path>.*apache.*compatible.*</module_path>
-  </requires>-->
 
-</vulnerability>
\ No newline at end of file
+  <CyBOK KA="WAM" topic="Server-Side Vulnerabilities and Mitigations">
+    <keyword>server-side misconfiguration and vulnerable components</keyword>
+    <keyword>Vulnerable defaults</keyword>
+  </CyBOK>
+  <CyBOK KA="MAT" topic="Attacks and exploitation">
+    <keyword>EXPLOITATION</keyword>
+    <keyword>EXPLOITATION FRAMEWORKS</keyword>
+  </CyBOK>
+  <CyBOK KA="SS" topic="Categories of Vulnerabilities">
+    <keyword>CVEs and CWEs</keyword>
+  </CyBOK>
+  <CyBOK KA="SOIM" topic="PENETRATION TESTING">
+    <keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
+    <keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
+  </CyBOK>
+</vulnerability>