Date: Tue, 7 Jan 2014 08:08:17 +0400
From: Solar Designer <>
Subject: MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)


While CFPs are not allowed in here, conference proceedings and
e-magazine issue announcements may be if they are relevant to Open
Source security.  Even though Hafez's posting reads a bit too much like
an ad (yet does not include e.g. a table of contents for the magazine
issue, which could have been helpful), the magazine does have some
relevant content:

On Tue, Jan 07, 2014 at 10:37:01AM +0800, Hafez Kamal wrote:
> Download Issue #10 -

The MongoDB article is based on Mikhail Firstov's materials first
presented at ZeroNights 2012.  On page 26 of:

there is what was a minor zero-day back then (almost 14 months ago), and
which I'm afraid was never handled as such.  This is in part my fault,
as I dropped the ball on the e-mail exchange with Mikhail, trying to
turn this into a CVE request on oss-security.  I guess better late than
never, so:

There is a memory over-read bug that can be used by an authenticated
user (if applicable) to obtain raw MongoDB server process memory
contents via incorrect BSON object length.  I guess that under most
deployments this does not cross a security boundary, but for some it
could (differently-privileged MongoDB users, data already deleted from
the DB yet staying in process memory, or/and metadata that is not
normally retrievable).

I don't know if the bug has since been fixed or not, nor if it possibly
already has a CVE ID by now.

Here are some relevant URLs from November 2012:

In Russian:

I am Bcc'ing this to Mikhail.
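
Added example, not part of the original message and not MongoDB's or the HITB article's code: a C sketch of the defensive check this bug class calls for, in which every length a BSON document declares is compared against the bytes actually received before anything is read. The name bson_validate, the sample bytes and the nesting limit of 32 are assumptions made here; the message does not say which length field was involved.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed samples: {"a": 1} as valid BSON, then the same bytes with the
 * length prefix raised to 64 although only 12 bytes were received. */
static const uint8_t SAMPLE_OK[]  = {12,0,0,0, 0x10,'a',0, 1,0,0,0, 0};
static const uint8_t SAMPLE_BAD[] = {64,0,0,0, 0x10,'a',0, 1,0,0,0, 0};

/* Little-endian int32 read as unsigned: negative lengths become huge and fail. */
static size_t rd_len(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Returns 1 only if every declared length stays inside the avail bytes received. */
int bson_validate(const uint8_t *buf, size_t avail, int depth) {
    if (avail < 5 || depth > 32) return 0;       /* 32: assumed nesting limit */
    size_t total = rd_len(buf);
    if (total < 5 || total > avail) return 0;    /* declared vs. received size */
    if (buf[total - 1] != 0) return 0;           /* document terminator */
    size_t pos = 4, end = total - 1;
    while (pos < end) {
        uint8_t type = buf[pos++];
        const uint8_t *nul = memchr(buf + pos, 0, end - pos); /* element name */
        if (!nul) return 0;
        pos = (size_t)(nul - buf) + 1;
        size_t left = end - pos, need;
        switch (type) {
        case 0x01: case 0x12: need = 8; break;   /* double, int64 */
        case 0x10: need = 4; break;              /* int32 */
        case 0x08: need = 1; break;              /* boolean */
        case 0x0A: need = 0; break;              /* null */
        case 0x02:                               /* string: int32 len, bytes, NUL */
            if (left < 5) return 0;
            need = rd_len(buf + pos);
            if (need < 1 || need > left - 4) return 0;
            if (buf[pos + 4 + need - 1] != 0) return 0;
            need += 4; break;
        case 0x03: case 0x04:                    /* embedded document, array */
            if (!bson_validate(buf + pos, left, depth + 1)) return 0;
            need = rd_len(buf + pos); break;
        default: return 0;                       /* other types: rejected here */
        }
        if (need > left) return 0;
        pos += need;
    }
    return 1;
}
/* Exit status 0 when the valid sample passes and the over-long one is rejected. */
int main(void) { return !(bson_validate(SAMPLE_OK, 12, 0) && !bson_validate(SAMPLE_BAD, 12, 0)); }
```

Element types outside the handful listed are rejected rather than skipped, so the sketch fails closed on input it cannot measure.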

