oss-sec mailing list archives
MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)
From: Solar Designer <solar () openwall com>
Date: Tue, 7 Jan 2014 08:08:17 +0400
Hi,

While CFPs are not allowed in here, conference proceedings and e-magazine issue announcements may be if they are relevant to Open Source security. Even though Hafez's posting reads a bit too much like an ad (yet does not include e.g. a table of contents for the magazine issue, which could have been helpful), the magazine does have some relevant content:

On Tue, Jan 07, 2014 at 10:37:01AM +0800, Hafez Kamal wrote:
> Download Issue #10 - http://magazine.hackinthebox.org/hitb-magazine.html

The MongoDB article is based on Mikhail Firstov's materials first presented at ZeroNights 2012. On page 26 of:

http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-010.pdf

there is what was a minor zero-day back then (almost 14 months ago), and which I'm afraid was never handled as such. This is in part my fault, as I dropped the ball on the e-mail exchange with Mikhail, trying to turn this into a CVE request on oss-security. I guess better late than never, so:

There is a memory over-read bug that can be used by an authenticated user (if applicable) to obtain raw MongoDB server process memory contents via incorrect BSON object length. I guess that under most deployments this does not cross a security boundary, but for some it could (differently-privileged MongoDB users, data already deleted from the DB yet staying in process memory, or/and metadata that is not normally retrievable).

I don't know if the bug has since been fixed or not, nor if it possibly already has a CVE ID by now.

Here are some relevant URLs from November 2012:

http://blog.ptsecurity.com/2012/11/attacking-mongodb.html
http://www.slideshare.net/cyber-punk/mongo-db-eng
https://github.com/cyberpunkych/attacking_mongodb

In Russian:

http://blog.ptsecurity.ru/2012/11/mongo-db.html
http://www.slideshare.net/cyber-punk/attacking-mongodb

I am Bcc'ing this to Mikhail.

Alexander
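As an added illustration of the defensive check the over-read is about (this is not code from the post, nor MongoDB's own BSON parser): a minimal BSON decoder that validates every declared length, document header and string element alike, against the bytes actually received before it reads them, so a header claiming more data than the message carries is rejected rather than read past the end of the buffer. The supported element subset, the helper names and the sample messages are assumptions made for the example.

```python
import struct
class BsonError(ValueError): """A declared length does not fit the bytes actually present."""

def _int32(buf, pos, limit):
    if pos + 4 > limit:
        raise BsonError(f"int32 at offset {pos} runs past limit {limit}")
    return struct.unpack_from("<i", buf, pos)[0]

def _cstring(buf, pos, limit):
    end = buf.find(b"\x00", pos, limit)
    if end < 0:
        raise BsonError(f"unterminated cstring at offset {pos}")
    return buf[pos:end].decode("utf-8"), end + 1

def decode_document(buf, pos=0, limit=None):
    """Decode the document at buf[pos] (int32, string, embedded doc); return (dict, end offset)."""
    limit = len(buf) if limit is None else limit
    declared = _int32(buf, pos, limit)
    # The check behind the over-read: the header length is only honoured up to the bytes received.
    if declared < 5 or pos + declared > limit:
        raise BsonError(f"document length {declared} at offset {pos} exceeds available {limit - pos} bytes")
    end = pos + declared
    doc, pos = {}, pos + 4
    while pos < end - 1:
        etype = buf[pos]
        key, pos = _cstring(buf, pos + 1, end - 1)
        if etype == 0x10:
            doc[key], pos = _int32(buf, pos, end - 1), pos + 4
        elif etype == 0x02:  # int32 byte count (including the NUL) followed by UTF-8 bytes
            n, pos = _int32(buf, pos, end - 1), pos + 4
            if n < 1 or pos + n > end - 1 or buf[pos + n - 1] != 0:
                raise BsonError(f"string length {n} for key {key!r} does not fit document")
            doc[key], pos = buf[pos:pos + n - 1].decode("utf-8"), pos + n
        elif etype == 0x03:  # nested document is bounded by its parent, not by the whole buffer
            doc[key], pos = decode_document(buf, pos, end - 1)
        else:
            raise BsonError(f"unsupported element type 0x{etype:02x}")
    return doc, end

def check(buf):  # decoded dict for a well-formed message, otherwise the rejection reason
    try:
        return decode_document(buf)[0]
    except BsonError as e:
        return f"rejected: {e}"

# Constructed samples (not from the page): {"user": "alice", "n": 7, "meta": {"x": 1}} in BSON
META = struct.pack("<i", 12) + b"\x10x\x00" + struct.pack("<i", 1) + b"\x00"  # {"x": 1}
GOOD = (struct.pack("<i", 46) + b"\x02user\x00" + struct.pack("<i", 6) + b"alice\x00"
        + b"\x10n\x00" + struct.pack("<i", 7) + b"\x03meta\x00" + META + b"\x00")
OVERSIZED = struct.pack("<i", 4096) + GOOD[4:]  # header claims 4096 bytes, only 46 are present
BAD_STRING = struct.pack("<i", 15) + b"\x02s\x00" + struct.pack("<i", 1000) + b"ab\x00\x00"
```

A decoder that skipped the header comparison and trusted `declared` directly would index `buf` up to 4096 bytes for the second sample, which in a C implementation reading from a reused network buffer is exactly the adjacent-memory disclosure the post describes.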