MongoDB 2.0.1 / 2.1.1 / 2.1.4 / 2.1.5 Local Password Disclosure

2024.03.09
Credit: Emad Al-Mousa
Risk: Medium
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

Title: MongoDB MONGOSH Password Exposure Vulnerability Product: MongoDB database Tool: mongosh Affected Version(s): 2.0.1 , 2.1.1,2.1.4,2.1.5 Tested Version(s): 2.0.1 , 2.1.1,2.1.4,2.1.5 Risk Level: Low Author of Advisory: Emad Al-Mousa ***************************************** Vulnerability Details: Vulnerability in MongoDB database system "mongosh" which is a JavaScript and Node.js REPL environment for interacting with MongoDB deployments in Atlas , locally, or on another remote host. So, its basically a command line utility to run database commands and java scripts against back-end MongoDB database system. MONGOSH has two vulnerbailites where passwords can be exposed and leaked in which an attacker to the operating system can weaponize for unauthorized access to the MongoDB database system. ***************************************** Proof of Concept (PoC): Vulnerability No1. : passwordPrompt() showing password displayed in clear text per documentation: https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompt The password should not be displayed, however I found out that it appears clearly in the prompt ! The password function passwordPrompt() was tested and used in conjunction with db.createUser, db.changeUserPassword, db.auth commands and all of them were allowing clear text password to appear. admin> use admin already on db admin admin> db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]}) Enter password mongo *****{ ok: 1 } admin> Vulnerability No2. : Password is exposed in mongosh_repl_history file with db.auth command Mongosh was tested with both “remove”& “remove-redact” modes config.set (redactHistory, “remove-redact”) config.set (‘redactHistory’, “remove”) In Linux Red Hat Environment the file: $MONGOHOME/.mongodb/mongosh/mongosh_repl_history Contains the password in clear text for historical commands run for authentication db.auth() and db.createUser , per documentation: https://www.mongodb.com/docs/mongodb-shell/logs/ the logs should omit the credentials but this didn’t happen ! In windows operating system environment the file: C:\Users\windows_profile_user\AppData\Roaming\mongodb\mongosh Commands running for database creation db.createUser and db.auth() are logging the username, password explicitly as shown below: cat mongosh_repl_history use admin db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]}) ***************************************** References: https://databasesecurityninja.wordpress.com/2024/03/07/mongodb-mongosh-password-exposure-vulnerability/ https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompt https://www.mongodb.com/docs/mongodb-shell/logs/


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top