WingNews logo WingNews GitHub [2]
top | item 5450145

MongoDB remote command execution vulnerability: nightmare or eye opener?

70 points| ehsanf | 13 years ago |blog.sdelements.com | reply

25 comments

order
[+] sehrope|13 years ago|reply
Having your DB server (regardless of type) exposed to the entire internet is a bad idea but that's not the real problem here (it just makes this really scary for people running wide open MongoDB instances). This is a lack of validation of client inputs by the server itself and (in my opinion) a dangerous default choice of trusting your client.

Most DBs allow something similar to this though it's generally locked down by default.

For PostgreSQL you can do it via untrusted languages though by default only super users can use those: http://www.postgresql.org/docs/9.1/static/plperl-trusted.htm...

For Oracle here's a bunch of ways to accomplish the same thing though again, by default, all are blocked for non-DBA users: http://asktom.oracle.com/pls/apex/f?p=100:11:0::::P11_QUESTI...

Note that there are some times when it's useful to be able to execute misc things like this. About 6 or 7 years back I wrote something on Oracle that would execute shell commands to get iostat/vmstat output and save it on regular intervals. Could have been done from outside in (data gets pushed from unix => DB) but having it initiated by the DB itself let us control when it runs based on DB actions (triggers, DBMS_JOBs, etc). To get that setup though we had to whitelist the executables we were calling as by default on Oracle everything is blocked. It's not a common thing to do and I think it's sensible that things like that should be locked down by default.

[+] optymizer|13 years ago|reply
This relies on javascript to be passed to $where. There is no excuse for not sanitizing your inputs.
[+] ajross|13 years ago|reply
The same thing could be said of SQL injection attacks, yet...
[+] abentspoon|13 years ago|reply
Thanks to $elemMatch and automatic parameter parsing, this vulnerability is easier to exploit than it would seem.

In rails, both of these are usually considered safe:

    MysqlCollection.create(:name => params[:name])
    MysqlCollection.where(:name => params[:name]).all

    MongoCollection.create(:name => params[:name])
    MongoCollection.where(:name => params[:name]).all
However, the mongo version is vulnerable to this exploit.

    /create?name[0][whatever]=anything
    /get?name[$elemMatch][$where]=exploitcode
[+] cheald|13 years ago|reply
Per usual, even if you're using something that isn't Mongo, it's good practice to explicitly cast your untrusted params before passing them to a query.

    MongoCollection.where(:name => params[:name].to_s)
That'll result in the literal:

    db.collection.where({name: "{\"$elemMatch\"=>{\"$where\"=>\"exploit\"}}"})
rather than the more exploity:

    db.collection.where({name: {$elemMatch:{$where: "exploit"}}})
Failing to cast params to strings can result in "injection" attacks in Mongo, even outside of the context of this bug. For example:

   User.where(:id => params[:id])
You could pass id[$gt]=0, resulting in:

   User.where(:id => {:$gt => 0})
which would match all records in the database.

For completeness' sake, here's a similar exploit vector in ActiveRecord: https://groups.google.com/forum/?fromgroups=#!topic/rubyonra...

[+] wheaties|13 years ago|reply
As a developer that uses MongoDB in production I am shocked! Shocked, I tell you.
[+] yet|13 years ago|reply
And why are you shocked? Because you don't know what you are doing?
[+] nickporter|13 years ago|reply
I guess this is only a real problem if you're exposing your MongoDB instance to the internet.
[+] achillean|13 years ago|reply
By default, I believe MongoDB listens on 0.0.0.0 which means that servers unprotected from a firewall will expose their MongoDB database to the Internet. Shodan confirms that there are at least 31,000 public instances of MongoDB on the Internet at the moment (source: http://www.shodanhq.com/search?q=port%3A28017).
[+] rambot|13 years ago|reply
I suspect a lot of people are using MongoDB as the database backend to their web applications or services, so they are probably being indirectly exposed to the Internet. (Just like your Postgres or MySQL database.)
[+] tedchs|13 years ago|reply
IMHO, Mongo listening on 0.0.0.0 (i.e. all interfaces) is a reasonable default. Most production deployments are going to run Mongo on a separate box from the app server, particularly if a replica set is used. This normally does not lead to Internet exposure because folks have IPTables, EC2 Security Group rules, or other firewall filtering that only allows desired traffic.
[+] cheald|13 years ago|reply
This seems like Seriously Bad News for folks like MongoHQ. I'm hoping they're running 2.4.1, though?
[+] mrkurt|13 years ago|reply
It's less of a problem than you'd expect, most of our DBs run in isolated processes and an authenticated user (even with shell) can't really break out and run wild on the environment. We expected that the Mongo javascript engine would have vulnerabilities like this and started trying to get ahead of them about 18 months ago.

About 3% of our servers are either legacy, and the isolation hasn't been tested all that well, or sandbox environments where people share a process for tiny/test DBs. We've upgraded all of those to 2.4.1.

[+] shin_lao|13 years ago|reply
Doesn't the MongoDB daemon run in a privilege-free sandboxed environment?
[+] ehsanf|13 years ago|reply
MongoDB manual has some good recommendations on operations here: http://docs.mongodb.org/manual/administration/security/#oper...

It certainly helps limit the damage. However, unless it is chroot-ed, it will still pose a very serious risk. And even with chroot, the damage is not totally eliminated. The attacker can start leveraging local vulnerabilities.

[+] mrkurt|13 years ago|reply
Depends who's running it. :)