Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-79069

command line censoring can't protect servers on Windows

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Unresolved
    • Priority: Icon: Minor - P4 Minor - P4
    • None
    • Affects Version/s: None
    • Component/s: None
    • Environment:
      Windows
    • Server Security
    • ALL

      The censorArgvArray in 

      https://github.com/mongodb/mongo/blob/4ca2f9fe5a11855510d0f69bc863f17c14580a5a/src/mongo/util/cmdline_utils/censor_cmdline.h#L44

      censorArgvArray(int argc, char** argv);

       

      is meant to overwrite argv to hide command-line secrets from `ps` or `/proc` traversal.

      But on Windows, the argv we give is not the real argvW. It's a copy, so modifying it has no effect.

      Windows processes have a special undocumented PEB block that may need to be modified to do the censoring properly.

            Assignee:
            backlog-server-security [DO NOT USE] Backlog - Security Team
            Reporter:
            billy.donahue@mongodb.com Billy Donahue
            Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated: