It certainly helps limit the damage. However, unless it is chroot-ed, it will still pose a very serious risk. And even with chroot, the damage is not totally eliminated. The attacker can start leveraging local vulnerabilities.
I suspect a lot of people are using MongoDB as the database backend to their web applications or services, so they are probably being indirectly exposed to the Internet. (Just like your Postgres or MySQL database.)
I've never exposed a Postgres or MySQL database directly to the internet, either. They're always listening to localhost connections only, and the only code that gets to make direct calls into them is my code, which means input sanitization prevents attacks like this.
The same goes for my use of MongoDB.
Though I am curious if anything similar exists for CouchDB, as they seem to be encouraging dangerous configurations like that.
By default, I believe MongoDB listens on 0.0.0.0 which means that servers unprotected from a firewall will expose their MongoDB database to the Internet. Shodan confirms that there are at least 31,000 public instances of MongoDB on the Internet at the moment (source: http://www.shodanhq.com/search?q=port%3A28017).
Wow. That's a lot of servers exposed. I bet majority of them have the application/web server running on the same host. I think they should change the default to 127.0.0.1 and let people knowingly expos them to outside of localhost.
It sounds like they listen on localhost by default (http://docs.mongodb.org/manual/reference/mongod/#options), though i'm not sure if that's always been the case. It's also possible installers change the default behaviour. (i.e. when you install via apt, yum, homebrew, etc.)
Good point, it might have changed recently and last I installed it on Ubuntu it listened on 0.0.0.0. It certainly would make a lot more sense to listen to localhost by default, which is what most daemons do.
IMHO, Mongo listening on 0.0.0.0 (i.e. all interfaces) is a reasonable default. Most production deployments are going to run Mongo on a separate box from the app server, particularly if a replica set is used. This normally does not lead to Internet exposure because folks have IPTables, EC2 Security Group rules, or other firewall filtering that only allows desired traffic.
... no one is pointing fingers at MySQL, like they are at MongoDB, as if this is some kind of security flaw in MongoDB.
It's a feature, not a bug. The docs make it clear that $where can run JavaScript, so if you know what you're doing, you're not going to allow JavaScript to flow through your software as if it's valid input.
Having your DB server (regardless of type) exposed to the entire internet is a bad idea but that's not the real problem here (it just makes this really scary for people running wide open MongoDB instances). This is a lack of validation of client inputs by the server itself and (in my opinion) a dangerous default choice of trusting your client.
Most DBs allow something similar to this though it's generally locked down by default.
Note that there are some times when it's useful to be able to execute misc things like this. About 6 or 7 years back I wrote something on Oracle that would execute shell commands to get iostat/vmstat output and save it on regular intervals. Could have been done from outside in (data gets pushed from unix => DB) but having it initiated by the DB itself let us control when it runs based on DB actions (triggers, DBMS_JOBs, etc). To get that setup though we had to whitelist the executables we were calling as by default on Oracle everything is blocked. It's not a common thing to do and I think it's sensible that things like that should be locked down by default.
It's less of a problem than you'd expect, most of our DBs run in isolated processes and an authenticated user (even with shell) can't really break out and run wild on the environment. We expected that the Mongo javascript engine would have vulnerabilities like this and started trying to get ahead of them about 18 months ago.
About 3% of our servers are either legacy, and the isolation hasn't been tested all that well, or sandbox environments where people share a process for tiny/test DBs. We've upgraded all of those to 2.4.1.
Per usual, even if you're using something that isn't Mongo, it's good practice to explicitly cast your untrusted params before passing them to a query.
27 comments
[ 2.8 ms ] story [ 72.4 ms ] threadIt certainly helps limit the damage. However, unless it is chroot-ed, it will still pose a very serious risk. And even with chroot, the damage is not totally eliminated. The attacker can start leveraging local vulnerabilities.
The same goes for my use of MongoDB.
Though I am curious if anything similar exists for CouchDB, as they seem to be encouraging dangerous configurations like that.
https://jira.mongodb.org/browse/SERVER-207
(though it seems that it wasn't fixed when this issue was closed, so probably later https://jira.mongodb.org/browse/SERVER-697)
It's a feature, not a bug. The docs make it clear that $where can run JavaScript, so if you know what you're doing, you're not going to allow JavaScript to flow through your software as if it's valid input.
Most DBs allow something similar to this though it's generally locked down by default.
For PostgreSQL you can do it via untrusted languages though by default only super users can use those: http://www.postgresql.org/docs/9.1/static/plperl-trusted.htm...
For Oracle here's a bunch of ways to accomplish the same thing though again, by default, all are blocked for non-DBA users: http://asktom.oracle.com/pls/apex/f?p=100:11:0::::P11_QUESTI...
Note that there are some times when it's useful to be able to execute misc things like this. About 6 or 7 years back I wrote something on Oracle that would execute shell commands to get iostat/vmstat output and save it on regular intervals. Could have been done from outside in (data gets pushed from unix => DB) but having it initiated by the DB itself let us control when it runs based on DB actions (triggers, DBMS_JOBs, etc). To get that setup though we had to whitelist the executables we were calling as by default on Oracle everything is blocked. It's not a common thing to do and I think it's sensible that things like that should be locked down by default.
About 3% of our servers are either legacy, and the isolation hasn't been tested all that well, or sandbox environments where people share a process for tiny/test DBs. We've upgraded all of those to 2.4.1.
In rails, both of these are usually considered safe:
However, the mongo version is vulnerable to this exploit.For completeness' sake, here's a similar exploit vector in ActiveRecord: https://groups.google.com/forum/?fromgroups=#!topic/rubyonra...