A couple of years ago Bryan Sullivan of Microsoft demonstrated blind SQLi and server-side JavaScript injection attacks on Mongo, Neo4j, and other big data engines, but this is the first time I have seen someone get a shell and bypass ASLR. From the SCRT Information Security Team Blog, they found a 0-day to do just that:
Trying some server-side JavaScript injection in MongoDB, I wondered if it would be possible to pop a shell.
… nativeHelper is a crazy feature in SpiderMonkey misused by MongoDB: the NativeFunction func comes from the x JavaScript object and is then called without any check !!!
… This feature/vulnerability was reported 3 weeks ago to 10gen developers; no patch was committed, but the default JavaScript engine was changed in the last version, so there is no more nativeHelper.apply function. A Metasploit module is coming soon…
Go read the post! They laid out their work step by step, so it’s easy to see how they performed their analysis and tried different tweaks to get this to work. A side note to NoSQL vendors out there: It may be time for some of you to consider a bug bounty program on commonly used components – or maybe throw some money SCRT’s way? Nice work, guys. A big “thank you” to Zach (@quine) for spotting this post and bringing it to our attention!
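For readers who have not seen the injection surface the post is talking about, here is an added example (not from this post or the SCRT write-up): the usual entry point is a `$where` clause assembled from request data, which mongod evaluates as server-side JavaScript. The snippet contrasts that with a plain filter document and adds a check that refuses client-supplied filters containing JavaScript-evaluating operators; the `username` field and the sample inputs are constructed for illustration.

```python
import json

# Query operators that make mongod evaluate JavaScript on the server.
# "$where" is the classic one; "$function" and "$accumulator" arrived with
# MongoDB 4.4 in the aggregation pipeline. All of them are unavailable when
# server-side scripting is disabled (security.javascriptEnabled: false,
# or mongod started with --noscripting).
JS_OPERATORS = {"$where", "$function", "$accumulator"}


def where_clause_unsafe(username: str) -> dict:
    """Vulnerable pattern: request data concatenated into a $where string.
    Whatever the caller sends becomes part of the JavaScript mongod runs."""
    return {"$where": "this.username == '" + username + "'"}


def filter_safe(username: str) -> dict:
    """Hardened equivalent: the value is data inside a filter document, never code."""
    return {"username": username}


def uses_js_operator(doc) -> bool:
    """Walk a filter document (for example one parsed from a request body)
    and report whether any key would make mongod execute JavaScript."""
    if isinstance(doc, dict):
        return any(k in JS_OPERATORS or uses_js_operator(v) for k, v in doc.items())
    if isinstance(doc, list):
        return any(uses_js_operator(item) for item in doc)
    return False


def parse_client_filter(raw: str) -> dict:
    """Accept a JSON filter from a client only if it carries no JS operators."""
    doc = json.loads(raw)
    if not isinstance(doc, dict) or uses_js_operator(doc):
        raise ValueError("filter rejected: server-side JavaScript operator present")
    return doc


if __name__ == "__main__":
    # Constructed input: an ordinary apostrophe already escapes the string
    # literal in the unsafe form, showing that data is being treated as code.
    print(where_clause_unsafe("O'Brien")["$where"])
    print(filter_safe("O'Brien"))
    print(uses_js_operator({"age": {"$gt": 21}}))
    print(uses_js_operator({"$or": [{"a": 1}, {"$where": "this.a == 1"}]}))
```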