MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)
From: Solar Designer <solar () openwall com>
Date: Tue, 7 Jan 2014 08:08:17 +0400


While CFPs are not allowed in here, conference proceedings and
e-magazine issue announcements may be if they are relevant to Open
Source security.  Even though Hafez's posting reads a bit too much like
an ad (yet does not include e.g. a table of contents for the magazine
issue, which could have been helpful), the magazine does have some
relevant content:

On Tue, Jan 07, 2014 at 10:37:01AM +0800, Hafez Kamal wrote:
> Download Issue #10 - http://magazine.hackinthebox.org/hitb-magazine.html

The MongoDB article is based on Mikhail Firstov's materials first
presented at ZeroNights 2012.  On page 26 of:


there is what was a minor zero-day back then (almost 14 months ago), and
which I'm afraid was never handled as such.  This is in part my fault,
as I dropped the ball on the e-mail exchange with Mikhail, trying to
turn this into a CVE request on oss-security.  I guess better late than
never, so:

There is a memory over-read bug that can be used by an authenticated
user (if applicable) to obtain raw MongoDB server process memory
contents via incorrect BSON object length.  I guess that under most
deployments this does not cross a security boundary, but for some it
could (differently-privileged MongoDB users, data already deleted from
the DB yet staying in process memory, or/and metadata that is not
normally retrievable).

I don't know if the bug has since been fixed or not, nor if it possibly
already has a CVE ID by now.

Here are some relevant URLs from November 2012:


In Russian:


I am Bcc'ing this to Mikhail.

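A defensive illustration of the bug class described in the post, added here as an example and not code from MongoDB or from the thread: a BSON length checker that validates every declared length (the outer int32 document size, string lengths and embedded document sizes) against the bytes actually received before any of them is used, which is the check whose absence lets a crafted length read past the request buffer. The function and sample names are my own, and the sample documents are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Little-endian int32 read, independent of host byte order. */
static int32_t rd_i32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Returns 1 if every declared length in the BSON document at buf[0..buflen) fits the
 * bytes actually received, 0 otherwise. No declared length is used before it is checked
 * against the buffer, which is what prevents an over-read. Unlisted element types are rejected. */
int bson_lengths_ok(const uint8_t *buf, size_t buflen)
{
    if (buflen < 5) return 0;                                  /* int32 length + 0x00 terminator */
    int32_t total = rd_i32(buf);
    if (total < 5 || (size_t)total > buflen) return 0;         /* declared size vs. bytes we hold */
    size_t end = (size_t)total, pos = 4;
    while (pos < end - 1) {
        uint8_t type = buf[pos++];
        const void *nul = memchr(buf + pos, 0, end - 1 - pos); /* key: NUL-terminated cstring */
        if (!nul) return 0;
        pos = (size_t)((const uint8_t *)nul - buf) + 1;
        size_t need, room = end - 1 - pos;                     /* bytes left before the terminator */
        switch (type) {
        case 0x01: case 0x12: need = 8; break;                 /* double, int64 */
        case 0x08: need = 1; break;                            /* bool */
        case 0x10: need = 4; break;                            /* int32 */
        case 0x02:                                             /* string: int32 len (incl. NUL) + bytes */
            if (room < 4) return 0;
            need = 4 + (size_t)rd_i32(buf + pos);
            if (rd_i32(buf + pos) < 1 || need > room || buf[pos + need - 1] != 0) return 0;
            break;
        case 0x03: case 0x04:                                  /* embedded document / array: recurse */
            if (room < 5) return 0;
            need = (size_t)rd_i32(buf + pos);
            if (rd_i32(buf + pos) < 5 || need > room || !bson_lengths_ok(buf + pos, need)) return 0;
            break;
        default: return 0;
        }
        if (need > room) return 0;                             /* value would run past the document */
        pos += need;
    }
    return pos == end - 1 && buf[end - 1] == 0;                /* must land exactly on the terminator */
}

/* Constructed samples: {"a": 1} and {"s": "hi"} with true lengths, then the same bytes with lies. */
const uint8_t bson_good[]   = {0x0c,0,0,0, 0x10,'a',0, 1,0,0,0, 0};                 /* claims 12, is 12 */
const uint8_t bson_bad[]    = {0x40,0,0,0, 0x10,'a',0, 1,0,0,0, 0};                 /* claims 64, is 12 */
const uint8_t bson_str[]    = {0x0f,0,0,0, 0x02,'s',0, 3,0,0,0, 'h','i',0, 0};      /* string len 3 */
const uint8_t bson_badstr[] = {0x0f,0,0,0, 0x02,'s',0, 0x10,0,0,0, 'h','i',0, 0};   /* string len 16 */
```

The same outer check is what a server needs before it honours the int32 at the start of a client-supplied document; the inner checks matter because an attacker-controlled string or sub-document length can otherwise be used as a read size.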