what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

MongoDB 2.0.1 / 2.1.1 / 2.1.4 / 2.1.5 Local Password Disclosure

MongoDB 2.0.1 / 2.1.1 / 2.1.4 / 2.1.5 Local Password Disclosure
Posted Mar 8, 2024
Authored by Emad Al-Mousa

MongoDB versions 2.0.1, 2.1.1, 2.1.4, and 2.1.5 appear to suffer from multiple localized password disclosure issues.

tags | exploit, info disclosure
SHA-256 | ec43188752263df8468c0d1efaa74c0c5834d7a2469f132a2cf3841157e23944

MongoDB 2.0.1 / 2.1.1 / 2.1.4 / 2.1.5 Local Password Disclosure

Change Mirror Download
Title: MongoDB MONGOSH Password Exposure Vulnerability
Product: MongoDB database
Tool: mongosh
Affected Version(s): 2.0.1 , 2.1.1,2.1.4,2.1.5
Tested Version(s): 2.0.1 , 2.1.1,2.1.4,2.1.5
Risk Level: Low
Author of Advisory: Emad Al-Mousa


*****************************************
Vulnerability Details:

Vulnerability in MongoDB database system "mongosh" which is a JavaScript and Node.js REPL environment for interacting with MongoDB deployments in Atlas , locally, or on another remote host. So, its basically a command line utility to run database commands and java scripts against back-end MongoDB database system.

MONGOSH has two vulnerbailites where passwords can be exposed and leaked in which an attacker to the operating system can weaponize for unauthorized access to the MongoDB database system.


*****************************************
Proof of Concept (PoC):

Vulnerability No1. : passwordPrompt() showing password displayed in clear text

per documentation:

https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompt

The password should not be displayed, however I found out that it appears clearly in the prompt !

The password function passwordPrompt() was tested and used in conjunction with db.createUser, db.changeUserPassword, db.auth commands and all of them were allowing clear text password to appear.




admin> use admin
already on db admin
admin> db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})
Enter password
mongo
*****{ ok: 1 }
admin>


Vulnerability No2. : Password is exposed in mongosh_repl_history file with db.auth command


Mongosh was tested with both “remove”& “remove-redact” modes

config.set (redactHistory, “remove-redact”)

config.set (‘redactHistory’, “remove”)

In Linux Red Hat Environment the file: $MONGOHOME/.mongodb/mongosh/mongosh_repl_history

Contains the password in clear text for historical commands run for authentication db.auth() and db.createUser , per documentation: https://www.mongodb.com/docs/mongodb-shell/logs/ the logs should omit the credentials but this didn’t happen !

In windows operating system environment the file: C:\Users\windows_profile_user\AppData\Roaming\mongodb\mongosh

Commands running for database creation db.createUser and db.auth() are logging the username, password explicitly as shown below:

cat mongosh_repl_history

use admin

db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})


*****************************************
References:
https://databasesecurityninja.wordpress.com/2024/03/07/mongodb-mongosh-password-exposure-vulnerability/
https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompt
https://www.mongodb.com/docs/mongodb-shell/logs/



Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close