MongoDB Unauthorized Access Vulnerability
Catalogue
1. MongoDB installation
2. Unauthorized access vulnerability
3. Vulnerability fixes and hardening
4. Automated inspection points
1. MongoDB Installation
Apt-get Install MongoDB
0x1: Creating a database Directory
MongoDB stores its data files in the db directory under the data directory. The installer does not create this directory, so create the data directory by hand and the db directory inside it. /data/db is MongoDB's default database path (--dbpath).
mkdir -p /data/db
0x2: Run the MongoDB service from the command line
Note: if your database directory is not /data/db, use --dbpath to specify it.
0x3: MongoDB background management shell
To enter the MongoDB management shell, go to the bin directory under the MongoDB installation directory and run the mongo command. The MongoDB shell is an interactive JavaScript shell bundled with MongoDB for operating and managing MongoDB. On entry it connects to the test database by default.
[email protected]:~# mongo
MongoDB shell version: 2.4.9
connecting to: test
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see http://docs.mongodb.org/
Questions? Try the support group
Now let's insert some simple data and retrieve the inserted data
0x4: MongoDB web user interface
MongoDB provides a simple HTTP user interface. To enable it, pass the --rest parameter at startup.
./mongod --dbpath=/data/db --rest
The web interface listens on a port 1000 higher than the service port. If MongoDB runs on the default port 27017, the web user interface is on port 28017, i.e. at http://localhost:28017
Relevant Link:
http://www.runoob.com/mongodb/mongodb-linux-install.html
2. Unauthorized Access Vulnerability
When the MongoDB service is started without any parameters, there is no permission authentication by default: anyone who connects on the default port can perform arbitrary operations on the database without a password (a high-risk condition), including over remote access.
0x1: Cause of vulnerability
After installation MongoDB has a default admin database, which at this point is empty and holds no permission-related records. Until a user exists in admin.system.users, no authentication can take place, regardless of whether mongod was started with the --auth parameter. The core of the hardening is therefore that once a user has been added to admin.system.users, MongoDB's authentication takes effect.
Relevant Link:
https://www.secpulse.com/archives/27090.html
http://webscan.360.cn/vul/view/vulid/3558
3. Vulnerability fixes and hardening
0x1: Change the default port
Change the default MongoDB port (TCP 27017) to another port.
0x2: Do not expose the service to the public network (0.0.0.0)
vim /etc/mongodb.conf
bind_ip = 127.0.0.1
Like Redis, MongoDB should ideally listen only on the local interface, and in any case never on 0.0.0.0.
0x3: Disable the HTTP and REST interfaces
MongoDB ships with an HTTP service and supports a REST interface. Since 2.6 these interfaces are turned off by default. By default MongoDB serves the web interface on its default port; web-based remote administration is generally not needed, so disabling it is recommended. Modify the configuration file, or pass the --nohttpinterface parameter at startup:
nohttpinterface = true
0x4: Enable the audit log
The audit function records all relevant actions users perform on the database. These records let the system administrator analyze what happened during the time the database was
0x5: Enable MongoDB authentication
Create a user in the admin database, for example the user supper with password sup (these are examples only; do not use this account and password):
> use admin
switched to db admin
> db.addUser("supper", "sup")
{
	"user" : "supper",
	"readOnly" : false,
	"pwd" : "f4e451395b5b554788c796e5488573b2",
	"_id" : ObjectId("586dfb12ad93a0064a40a3af")
}
> db.auth("supper","sup")
1
> exit
bye
Modify the configuration file:
vim /etc/mongodb.conf
auth = true
Relevant Link:
https://laravel-china.org/topics/328
https://help.aliyun.com/knowledge_detail/37451.html
4. Automated inspection points
0x1: Check whether the service listens only on 127.0.0.1
Whether set in the config file or in the command-line arguments, as long as the effective bind address is not 127.0.0.1, it is considered unsafe.
--bind_ip 127.0.0.1
or
vim /etc/mongodb.conf
bind_ip = 127.0.0.1
0x2: Check whether auth authentication is enabled
mongod --auth
or
vim /etc/mongodb.conf
auth = true
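As an added example (not code from the original post), a small Python checker implementing the two inspection points above plus the REST check from section 3: it parses the old key = value mongodb.conf format and the mongod command line, lets command-line flags override the file as mongod does, and reports anything unsafe. The sample config is constructed for illustration.

```python
import shlex

TRUE_VALUES = {"true", "1", "yes"}

def parse_conf(text):
    """Parse the old key = value mongodb.conf format; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts

def parse_cmdline(cmdline):
    """Pull the switches we care about out of a mongod command line."""
    opts = {}
    args = shlex.split(cmdline)
    i = 1  # skip the program name
    while i < len(args):
        name, sep, value = args[i].lstrip("-").partition("=")
        if name in ("auth", "rest", "nohttpinterface"):
            opts[name] = "true"          # boolean switches
        elif name in ("bind_ip", "port", "dbpath"):
            if not sep:                  # value given as the next argument
                i += 1
                value = args[i] if i < len(args) else ""
            opts[name] = value
        i += 1
    return opts

def inspect(conf_text="", cmdline="mongod"):
    """Return a list of findings (empty means every check passed); command-line options win."""
    eff = parse_conf(conf_text)
    eff.update(parse_cmdline(cmdline))
    findings = []
    if eff.get("bind_ip", "") != "127.0.0.1":
        findings.append("bind_ip is %s, expected 127.0.0.1"
                        % (eff.get("bind_ip") or "unset (all interfaces)"))
    if eff.get("auth", "false").lower() not in TRUE_VALUES:
        findings.append("auth is not enabled")
    if eff.get("rest", "false").lower() in TRUE_VALUES:
        findings.append("REST interface is enabled; disable it (nohttpinterface = true)")
    return findings

SAMPLE_CONF = """# constructed mongodb.conf: exposed and unauthenticated
dbpath = /data/db
bind_ip = 0.0.0.0
"""
```

Running inspect(SAMPLE_CONF) reports both the 0.0.0.0 bind address and the missing auth, while inspect(SAMPLE_CONF, "mongod --auth --bind_ip 127.0.0.1") passes because the command line overrides the file.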
Via: [Reproduced work] MongoDB unauthorized access vulnerability