Date: Tue, 7 Jan 2014 08:08:17 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)

Hi,

While CFPs are not allowed in here, conference proceedings and e-magazine issue announcements may be if they are relevant to Open Source security. Even though Hafez's posting reads a bit too much like an ad (yet does not include e.g. a table of contents for the magazine issue, which could have been helpful), the magazine does have some relevant content:

On Tue, Jan 07, 2014 at 10:37:01AM +0800, Hafez Kamal wrote:
> Download Issue #10 - http://magazine.hackinthebox.org/hitb-magazine.html

The MongoDB article is based on Mikhail Firstov's materials first presented at ZeroNights 2012. On page 26 of:

http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-010.pdf

there is what was a minor zero-day back then (almost 14 months ago), and which I'm afraid was never handled as such. This is in part my fault, as I dropped the ball on the e-mail exchange with Mikhail, trying to turn this into a CVE request on oss-security. I guess better late than never, so:

There is a memory over-read bug that can be used by an authenticated user (if applicable) to obtain raw MongoDB server process memory contents via incorrect BSON object length. I guess that under most deployments this does not cross a security boundary, but for some it could (differently-privileged MongoDB users, data already deleted from the DB yet staying in process memory, or/and metadata that is not normally retrievable).

I don't know if the bug has since been fixed or not, nor if it possibly already has a CVE ID by now.

Here are some relevant URLs from November 2012:

http://blog.ptsecurity.com/2012/11/attacking-mongodb.html
http://www.slideshare.net/cyber-punk/mongo-db-eng
https://github.com/cyberpunkych/attacking_mongodb

In Russian:

http://blog.ptsecurity.ru/2012/11/mongo-db.html
http://www.slideshare.net/cyber-punk/attacking-mongodb

I am Bcc'ing this to Mikhail.

Alexander
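The bug class Alexander describes is a length-prefixed format whose declared length is trusted by the reader: a BSON document starts with an int32 giving its own total size, and a parser that walks that many bytes without checking them against the bytes it actually received reads past the end of the request into whatever else is in process memory. The following is an added example, not MongoDB's parser and not code from the magazine article or from Mikhail Firstov's materials; it is a minimal BSON decoder for a handful of element types (string, int32, int64, double, bool, embedded document) that checks every declared length, of the document and of each element, against the bytes it actually holds, and an encoder used only to build constructed test input. Python cannot over-read memory the way a native parser can, so the example shows the validation rather than the leak: the same document with a forged length prefix, and a string element whose own length field overruns the document, are both rejected instead of being walked.

```python
import struct


class BsonError(ValueError):
    """Raised when a document's declared lengths disagree with the bytes actually present."""


def _need(limit, pos, n, what):
    # Every read is bounded by the bytes we really hold (or the enclosing
    # document's end), never by the length the untrusted input claims.
    if n < 0 or pos + n > limit:
        raise BsonError(f"{what}: need {n} byte(s) at offset {pos}, only {limit - pos} available")


def parse_document(buf, pos=0, limit=None):
    """Parse one BSON document at buf[pos]; returns (dict, offset just past it)."""
    if limit is None:
        limit = len(buf)
    _need(limit, pos, 4, "document header")
    declared = struct.unpack_from("<i", buf, pos)[0]
    if declared < 5:
        raise BsonError(f"document length {declared} is below the 5-byte minimum")
    # The check that the over-read bug lacks: the declared size must fit
    # inside the bytes that were actually supplied.
    _need(limit, pos, declared, "document body")
    end = pos + declared
    if buf[end - 1] != 0:
        raise BsonError("document is not terminated by 0x00")
    last = end - 1          # elements must stay before the terminator
    cur = pos + 4
    out = {}
    while cur < last:
        etype = buf[cur]
        cur += 1
        nul = buf.find(b"\x00", cur, last)
        if nul < 0:
            raise BsonError(f"unterminated element name at offset {cur}")
        name = buf[cur:nul].decode("utf-8")
        cur = nul + 1
        if etype == 0x10:                       # int32
            _need(last, cur, 4, name)
            value = struct.unpack_from("<i", buf, cur)[0]
            cur += 4
        elif etype == 0x12:                     # int64
            _need(last, cur, 8, name)
            value = struct.unpack_from("<q", buf, cur)[0]
            cur += 8
        elif etype == 0x01:                     # double
            _need(last, cur, 8, name)
            value = struct.unpack_from("<d", buf, cur)[0]
            cur += 8
        elif etype == 0x08:                     # bool
            _need(last, cur, 1, name)
            value = buf[cur] != 0
            cur += 1
        elif etype == 0x02:                     # string: int32 length (incl. NUL) + bytes
            _need(last, cur, 4, name)
            slen = struct.unpack_from("<i", buf, cur)[0]
            if slen < 1:
                raise BsonError(f"{name}: string length {slen} is invalid")
            _need(last, cur + 4, slen, name)    # the string's own length is untrusted too
            if buf[cur + 4 + slen - 1] != 0:
                raise BsonError(f"{name}: string is not NUL-terminated")
            value = buf[cur + 4:cur + 4 + slen - 1].decode("utf-8")
            cur += 4 + slen
        elif etype == 0x03:                     # embedded document, bounded by the parent
            value, cur = parse_document(buf, cur, last)
        else:
            raise BsonError(f"{name}: unsupported element type 0x{etype:02x}")
        out[name] = value
    return out, end


def encode_document(d):
    """Build a BSON document from a dict (used here only to construct test input)."""
    body = b""
    for name, value in d.items():
        key = name.encode("utf-8") + b"\x00"
        if isinstance(value, bool):
            body += b"\x08" + key + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            fmt, tag = ("<i", b"\x10") if -2**31 <= value < 2**31 else ("<q", b"\x12")
            body += tag + key + struct.pack(fmt, value)
        elif isinstance(value, float):
            body += b"\x01" + key + struct.pack("<d", value)
        elif isinstance(value, str):
            s = value.encode("utf-8") + b"\x00"
            body += b"\x02" + key + struct.pack("<i", len(s)) + s
        elif isinstance(value, dict):
            body += b"\x03" + key + encode_document(value)
        else:
            raise TypeError(f"unsupported value type {type(value).__name__}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def forge_length(doc, claimed):
    """Return the same document bytes with the header claiming `claimed` bytes instead."""
    return struct.pack("<i", claimed) + doc[4:]


def parse_result(buf):
    """Return ("ok", dict) or ("rejected", reason) for a candidate document."""
    try:
        return "ok", parse_document(buf)[0]
    except BsonError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Constructed sample input, not a captured MongoDB message.
    doc = encode_document({"user": "alice", "n": 7, "ok": True, "sub": {"x": 2**40}})
    print(parse_result(doc))
    # Same bytes, header claims 4096 bytes more than were sent: a parser that
    # trusted this would walk into neighbouring process memory.
    print(parse_result(forge_length(doc, len(doc) + 4096)))
    # A string element whose own length field (0xff) overruns the document.
    print(parse_result(b"\x0f\x00\x00\x00\x02a\x00\xff\x00\x00\x00hi\x00\x00"))
```

Two details carry the point. The top-level document is bounded by the bytes received, and every nested length (an embedded document, a string) is bounded by the end of its parent rather than by the whole buffer, so a length field can never send the parser outside the object it belongs to. Whether such an over-read is exploitable then depends on what else sits in the process next to the request buffer, which is exactly the deployment-dependent judgement Alexander makes above.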