CVE-2013-1892
Published: 2013-10-01
Priority: P3 (55) · Severity: medium · CVSS 2.0 base score: 6.0
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P (network-reachable, medium attack complexity, a single authentication required; partial confidentiality, integrity and availability impact)
Exploit: public exploit available (Exploit-DB and Metasploit entries below)
EPSS: 44.54% (98.6th percentile)
MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMonkey, which allows remote authenticated users to cause a denial of service (invalid memory access and server crash) or execute arbitrary code via a crafted memory address in the first argument.
Affected
The source lists 18 ranges; the mongodb entries that carry no version data are omitted here. Fixed versions follow the advisory text (before 2.0.9, and 2.2.x before 2.2.4).
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongodb | mongodb | <= 2.0.8 | 2.0.9 |
| mongodb | mongodb | 2.2.0 to 2.2.3 | 2.2.4 |
| redhat | enterprise_mrg | — | — |
Detection & IOCs (extracted from sources)
Detection signals:
- Monitor MongoDB wire-protocol traffic on port 27017 (or the mongod verbose/profiler log) for JavaScript payloads that call nativeHelper.apply with a crafted first argument: an object whose 'x' property is a raw memory address given as a numeric literal.
- Alert on $where clauses that carry heap-spray patterns: large loops building NOP sleds from unescape('%u9090%u9090') combined with a nativeHelper.apply call.
- The string 'MongoSploit!' appears verbatim in the published ROP-chain payload and can serve as a network signature for the unmodified exploit.
- The published exploit passes a fixed ROP gadget address, 0x0836e204 (mov eax,DWORD PTR [eax] / call DWORD PTR [eax+0x1c]), as the first argument to nativeHelper.apply; that value inside a $where payload is a strong indicator.
- The exploit requires authenticated access; correlate authentication against the 'admin' database with $where JavaScript execution that follows immediately afterwards.
- The exploit targets MongoDB 2.2.3 on 32-bit Linux; prioritise mongod processes running vulnerable versions (before 2.0.9, or 2.2.x before 2.2.4).
Caveats:
- Exploitation needs only the ability to run server-side JavaScript ($where) against the target. On an instance with authentication disabled, anyone who can reach the port qualifies; where authentication is enabled, the Metasploit module logs in with supplied credentials, so enabling authentication does not by itself mitigate the flaw.
- The published ROP chain and gadget offsets are specific to MongoDB 2.2.3 32-bit Linux builds; other versions or architectures need different addresses, so detection keyed solely on the hard-coded address will miss adapted exploits. Match on the nativeHelper.apply call itself as well.
- The exploit can create a new, randomly named collection when none is specified, so collection-name-based detection is unreliable.
- Red Hat marked the mongodb package in OpenShift Enterprise 1 'Will not fix' for this CVE; deployments on that platform get no vendor patch and need a MongoDB upgrade, or server-side JavaScript disabled (mongod --noscripting), instead.
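As an added example (not code from this page's sources, nor MongoDB's or the exploit author's), the following Python turns the version ranges from the Affected table and the indicators listed above into two runnable checks: a version test for the affected ranges, and a scanner that reports which published indicators a server-side JavaScript payload carries. The log-line shape of SAMPLE_RECORDS and the placeholder payload are constructed for this example; the spray payload mirrors the structure of the public PoC (loop-built %u9090 sled, nativeHelper.apply with {'x': address}, the 'MongoSploit!' marker) but is not the PoC itself.

```python
import re

# Added example for this CVE record (not MongoDB's or the exploit author's code).
# Check 1: is a reported mongod version inside the advisory's affected ranges
#          (before 2.0.9, or 2.2.x before 2.2.4)?
# Check 2: does a server-side JavaScript payload (a $where clause taken from a
#          wire capture, profiler entry or verbose mongod log) carry the
#          published indicators: a nativeHelper.apply call, the %u9090 NOP-sled
#          spray loop, the literal 'MongoSploit!' marker, and the 2.2.3/i686
#          gadget address 0x0836e204 passed as the 'x' property of the first
#          argument?
# The record format used in SAMPLE_RECORDS is constructed for this example.

GADGET_ADDR = 0x0836E204  # fixed gadget used by the public 2.2.3 32-bit exploit

IOC_PATTERNS = {
    "nativeHelper.apply call": re.compile(r"nativeHelper\s*\.\s*apply\s*\("),
    "heap-spray loop building a %u9090 NOP sled": re.compile(
        r"for\s*\([^)]*\)\s*\{[^}]*unescape\(\s*['\"]%u9090", re.S),
    "'MongoSploit!' marker string": re.compile(r"MongoSploit!"),
}
# First-argument literal of the form {'x': <number>} or {x: <number>}.
X_ADDR_RE = re.compile(r"\{\s*['\"]?x['\"]?\s*:\s*(0x[0-9a-fA-F]+|\d+)")


def parse_version(version):
    """'2.2.3' -> (2, 2, 3); tolerates suffixes such as '2.2.3-rc0'."""
    core = version.split("-")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(version):
    """True when the version falls inside the advisory's affected ranges."""
    v = parse_version(version)
    return v < (2, 0, 9) or (2, 2, 0) <= v < (2, 2, 4)


def scan_js_payload(text):
    """Return the indicators found in one server-side JavaScript payload/record."""
    hits = [name for name, rx in IOC_PATTERNS.items() if rx.search(text)]
    for m in X_ADDR_RE.finditer(text):
        lit = m.group(1)
        value = int(lit, 16) if lit.lower().startswith("0x") else int(lit)
        if value == GADGET_ADDR:
            hits.append("gadget address 0x0836e204 as nativeHelper.apply first argument")
            break
    return hits


def find_suspicious(records):
    """(index, hits) for every record that carries at least one indicator."""
    out = []
    for i, rec in enumerate(records):
        hits = scan_js_payload(rec)
        if hits:
            out.append((i, hits))
    return out


# Constructed payload shaped like the public PoC; the shellcode is a placeholder.
SPRAY_PAYLOAD = (
    "shellcode=unescape('%u4141%u4141'); sizechunk=0x1000; chunk='';"
    " for(i=0;i<sizechunk;i++){ chunk+=unescape('%u9090%u9090'); }"
    " arr=new Array(); for(i=0;i<25000;i++){ arr[i]=chunk+shellcode; }"
    " nativeHelper.apply({'x':0x836e204}, ['MongoSploit!'])"
)
# Constructed records shaped like mongod 2.2 verbose query log lines.
SAMPLE_RECORDS = [
    # benign $where: an ordinary predicate, no indicators
    '[conn7] query app.users query: { $where: "this.age > 18 && this.active" }',
    # payload with every published indicator
    '[conn9] query app.k3q1 query: { $where: "' + SPRAY_PAYLOAD + '" }',
    # adapted variant: different address, no marker, still calls nativeHelper.apply
    "[conn12] query app.tmp query: { $where: \"nativeHelper.apply({x:12345678}, ['a'])\" }",
]

if __name__ == "__main__":
    for version in ("2.0.8", "2.0.9", "2.2.3", "2.2.4"):
        state = "vulnerable" if is_vulnerable_version(version) else "not in affected range"
        print(f"mongod {version}: {state}")
    for idx, hits in find_suspicious(SAMPLE_RECORDS):
        print(f"record {idx}: " + "; ".join(hits))
```

Matching on the nativeHelper.apply call itself, not only on the fixed gadget address, is what catches the adapted variant in the third record; a payload that assigns the 'x' property after building the object would still evade the address check but trips the call-name pattern. By default mongod writes only slow queries to its log, so for full coverage feed the scanner from wire captures or the profiler rather than the default log.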
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| vendor_redhat | — | 6.0 | MEDIUM | — |
Red Hat
MongoDB: Server Side JavaScript Includes allow Remote Code Execution
vendor_redhat·2013-03-24·CVSS 6.0
CVE-2013-1892 [MEDIUM] CWE-119
Package: mongodb (OpenShift Enterprise 1) - Will not fix
GHSA
GHSA-vv9j-qmgv-fcp5: MongoDB before 2
ghsa_unreviewed·2022-05-13
CVE-2013-1892 [MEDIUM] CWE-20
No detection rules found.
Exploit-DB
MongoDB - nativeHelper.apply Remote Code Execution (Metasploit)
exploitdb·2013-04-08
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # Module metadata as mirrored by Exploit-DB; the listing is cut off at the
  # OSVDB reference, so only the header of the module is shown here.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'MongoDB nativeHelper.apply Remote Code Execution',
      'Description' => %q{
        This module exploits the nativeHelper feature of SpiderMonkey, which
        allows control of execution by calling it with specially crafted
        arguments. This module has been tested successfully on MongoDB 2.2.3
        on Ubuntu 10.04 and Debian Squeeze.
      },
      'Author'      =>
        [
          'agix' # @agixid # Vulnerability discovery and Metasploit module
        ],
      'References'  =>
        [
          [ 'CVE', '2013-1892' ],
          [ 'OSVDB', '
Exploit-DB
MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution
exploitdb·2013-04-08
---
#Title: MongoDB nativeHelper.apply Remote Code Execution
#Author: agixid http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/
#Software Link: http://fastdl.mongodb.org/linux/mongodb-linux-i686-2.2.3.tgz
#Version: 2.2.3
The following PoC exploits the "nativeHelper" feature in the SpiderMonkey implementation used by MongoDB:
the NativeFunction "func" comes from the "x" JavaScript object and is then called without any check:
db.my_collection.find({'$where':'shellcode=unescape("METASPLOIT JS GENERATED SHELLCODE"); sizechunk=0x1000; chunk=""; for(i=0;i<sizechunk;i++){ chunk+=unescape("%u9090%u9090"); } chunk=chunk.substring(0,(sizechunk-shellcode.length)); testarray=new Array(); for(i=0;i<25000;i++){ testarray[i]=chunk+shellcode; } ropcha
Metasploit
MongoDB nativeHelper.apply Remote Code Execution
metasploit
This module exploits the nativeHelper feature from spiderMonkey which allows remote code execution by calling it with specially crafted arguments. This module has been tested successfully on MongoDB 2.2.3 on Ubuntu 10.04 and Debian Squeeze.
Bugzilla
CVE-2013-3969 MongoDB: remote code execution via javascript
bugzilla·2013-07-17·CVSS 6.0
Similar to CVE-2013-1892, it was reported [1] that MongoDB suffers from remote code execution. This flaw requires read-write access to the MongoDB database to execute arbitrary code; however, it looks as though read-only access could be used to cause the database to crash.
It is unknown whether this flaw was introduced in 2.2.3 with the change to using the V8 Javascript engine, or if it also affects earlier versions.
[1] http://blog.scrt.ch/2013/06/04/mongodb-rce-by-databasespraying/
Discussion:
CVE request is here:
http://openwall.com/lists/oss-security/2013/07/17/2
At least 2.2.3 through to and including 2.4.4 are vulnerable. Upstream has indicated that they are currently working on a fix.
---
The CVE identifier of CVE-2
Bugzilla
CVE-2013-1892 MongoDB: Server Side JavaScript Includes allow Remote Code Execution [epel-all]
bugzilla·2013-03-27·CVSS 6.0
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please
Bugzilla
CVE-2013-1892 MongoDB: Server Side JavaScript Includes allow Remote Code Execution [fedora-all]
bugzilla·2013-03-27·CVSS 6.0
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please no
Bugzilla
CVE-2013-1892 MongoDB: Server Side JavaScript Includes allow Remote Code Execution
bugzilla·2013-03-26·CVSS 6.0
SCRT Information Security reports:
mongodb – SSJI to RCE
Posted on March 24, 2013 by agixid
Lucky discovery
Trying some server side javascript injection in mongodb, I wondered if it would be possible to pop a shell.
The run method seems good for this :
> run("uname","-a")
Sun Mar 24 07:09:49 shell: started program uname -a
sh1838| Linux mongo 2.6.32-5-686 #1 SMP Sun Sep 23 09:49:36 UTC 2012 i686 GNU/Linux
0
Unfortunately, this command is only effective in the mongo client:
> db.my_collection.find({$where:"run('ls')"})
error: {
"$err" : "error on invocation of $where function:\nJS Error: ReferenceError: run is not defined nofile_a:0",
"code" : 10071
}
But let’s dig a little bit.
> run
function () {
return
References
- http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101630.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101679.html
- http://rhn.redhat.com/errata/RHSA-2013-1170.html
- http://www.exploit-db.com/exploits/24935
- http://www.exploit-db.com/exploits/24947
- http://www.mongodb.org/about/alerts/
- http://www.openwall.com/lists/oss-security/2013/03/25/9
- https://jira.mongodb.org/browse/SERVER-9124