In association with heise online

25 March 2013, 15:24

MongoDB: Exploit on the net, Metasploit in the making - Update


An exploit has been published for 10gen's open source NoSQL database MongoDB. The discoverer of the hole, who goes by the name "agixid", says a Metasploit module will be coming soon. The exploit has been tested with 32-bit systems running the somewhat older but still supported MongoDB 2.2.3; the discoverer is working on a 64-bit exploit. The recently released latest branch of MongoDB – 2.4 – is not affected by the exploit.

The exploit hinges on taking advantage of an incorrectly used NativeHelper function in the SpiderMonkey JavaScript engine to inject native code and produce a server-side buffer overflow to execute it. The NativeHelper function retrieves a JavaScript object without checking it. The flaw's discoverer says that he informed 10gen of the problem three weeks ago but has not seen a commit that fixes the issue. MongoDB 2.4 has, however, been released since then.

One of the features of MongoDB 2.4.x is the switch of JavaScript engine from SpiderMonkey to Google's V8, and it is this switch that makes version 2.4.x immune to the hole. 2.2.x users looking to upgrade should therefore move to the most recent release, MongoDB 2.4.1, which was released on 23 March to resolve a critical non-security issue in synchronisation.

According to the MongoDB JIRA, version 2.2.4 is due for release tomorrow (26 March) but the provisional release notes do not disclose whether a fix is present for the exploitable issue.

Update - Agixid contacted The H and says that the issue is not a buffer overflow, simply an abuse of a function pointer.
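For administrators who want to turn the article's version guidance into a repeatable inventory check, the following Python script is an added example (not code from The H, 10gen or agixid). It encodes only what the article states: 2.2.3 is the version the exploit was tested against, 2.4.x (V8) is described as immune, and the status of 2.2.4 and of other pre-2.4 SpiderMonkey releases is not stated, so those are flagged for review rather than declared safe. The `version` and `bits` keys mirror fields of mongod's `buildInfo` output; the inventory documents below are constructed sample data, and the server-query helper is an assumed integration point for a live check.

```python
"""Triage helper for the MongoDB 2.2.x SpiderMonkey issue described in the article.

Classifies MongoDB versions strictly according to the article's statements and
summarises buildInfo-style documents for an inventory of servers. Added example,
not part of the original article.
"""
import re
from typing import Dict, List, Tuple

# Facts taken from the article.
TESTED_VULNERABLE = (2, 2, 3)      # version the published exploit was tested against
FIRST_IMMUNE_BRANCH = (2, 4)       # 2.4.x uses V8 and is described as not affected
RECOMMENDED_UPGRADE = "2.4.1"      # latest release named in the article

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' from a mongod version string (suffixes such as '-rc1' are ignored)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    major, minor, patch = (int(x) for x in match.groups())
    return major, minor, patch


def classify(version: str) -> str:
    """Return 'affected', 'not-affected' or 'review'.

    'affected'      - exactly 2.2.3, the version the exploit was tested on.
    'not-affected'  - 2.4.0 or later (V8 engine), per the article.
    'review'        - any other pre-2.4 release: same SpiderMonkey engine, but the
                      article does not state whether it is exploitable (e.g. 2.2.4).
    """
    major, minor, patch = parse_version(version)
    if (major, minor) >= FIRST_IMMUNE_BRANCH:
        return "not-affected"
    if (major, minor, patch) == TESTED_VULNERABLE:
        return "affected"
    return "review"


def triage_build_info(info: Dict) -> Dict[str, object]:
    """Summarise one buildInfo-style document: {'version': '2.2.3', 'bits': 32, ...}."""
    status = classify(info["version"])
    bits = info.get("bits")  # buildInfo reports 32 or 64 (assumed field shape)
    result: Dict[str, object] = {
        "host": info.get("host", "unknown"),
        "version": info["version"],
        "status": status,
        # The published exploit targets 32-bit builds. A 64-bit port is in progress,
        # so 64-bit hosts on an affected version keep status 'affected'; only this
        # flag distinguishes whether the *currently published* code applies.
        "published_exploit_applies": status == "affected" and bits == 32,
        "action": "none (V8 engine)" if status == "not-affected"
                  else f"upgrade to MongoDB {RECOMMENDED_UPGRADE} or later",
    }
    return result


def triage_inventory(docs: List[Dict]) -> List[Dict[str, object]]:
    """Triage a list of buildInfo documents, most urgent first."""
    order = {"affected": 0, "review": 1, "not-affected": 2}
    results = [triage_build_info(d) for d in docs]
    return sorted(results, key=lambda r: order[str(r["status"])])


def fetch_build_info(client) -> Dict:
    """Assumed live integration: run buildInfo via a pymongo MongoClient.

    Not exercised here so the script stays offline; the returned document has
    the same shape as the constructed samples below.
    """
    return client.admin.command("buildInfo")


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    {"host": "db-a", "version": "2.2.3", "bits": 32},
    {"host": "db-b", "version": "2.2.3", "bits": 64},
    {"host": "db-c", "version": "2.2.4", "bits": 64},
    {"host": "db-d", "version": "2.4.1", "bits": 64},
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(f"{row['host']:<6} {row['version']:<7} {row['status']:<13} "
              f"published-exploit={row['published_exploit_applies']!s:<5} {row['action']}")
```

The deliberate conservatism is the point: a 64-bit 2.2.3 host is still reported as affected because the article says a 64-bit exploit is being worked on, and 2.2.4 is reported as "review" because its release notes did not say whether the fix is present. Hosts on the 2.4 branch are the only ones the script declares not affected, matching the article's upgrade advice.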

