Towards the end of 2020, a new vulnerability in MongoDB was found and published. The vulnerability affected almost all versions of MongoDB, up to v4.5.0, but was discussed and patched appropriately. The vulnerability, CVE-2020-7928, abuses a well-known component of MongoDB, known as the Handler, to carry out buffer overflow attacks by way of null-byte injections. Exploits using this vulnerability are available on Dark Net marketplaces, with prices averaging $40,000 (based on the current market values of Ethereum and Bitcoin). This vulnerability has since been patched, and so far, no documented evidence of it being used in remote code execution (RCE) or remote file inclusion (RFI) has been found on the Clearnet.

Buffer Overflow

Before we get into how this vulnerability works, let's first discuss how a buffer overflow works. More importantly, what exactly is a buffer overflow?

Buffers are memory storage regions that temporarily hold data while it is transferred from one location to another. Buffer overflows happen when the volume of said data exceeds the storage capacity of the buffer. The program then, whilst trying to write the data to the desired location (buffer), begins to overwrite adjacent memory locations (blocks).

Attackers manipulate this coding error by altering an application's execution path and overwriting elements of memory, leading to damage or loss of existing files, exposure of data, executing malicious payloads, etc. Basically, attackers use buffer overflows to corrupt an application's execution stack, execute arbitrary code, and take over a machine. These types of attacks are still very common, as buffer overflows are often given less scrutiny because they are less likely to be discovered by attackers and more difficult to exploit (attackers would need to know the memory layout of a program and details of the buffer). Several types of buffer overflow attacks exist, but the three most common are: stack-based, heap-based, and format string attacks. The MongoDB vulnerability in question specifically uses two common weaknesses: ‘Improper Neutralization of Null Byte or NUL Character’ (CWE-158) and ‘Buffer Copy without Checking Size of Input’ (CWE-120), which fall under stack-based buffer overflow.

Breaking MongoDB Handler

As mentioned earlier, the vulnerability abuses the component known as the MongoDB Handler. The Handler takes operations from the source trail file and creates corresponding documents (rows) in the target MongoDB database. There are two important data structures in MongoDB: records and collections. A record is a Binary JSON (BSON) document composed of field and value pairs. The values of fields inside records may include other documents, arrays, and arrays of documents. A collection is a grouping of MongoDB documents and is the equivalent of a Relational Database Management System (RDBMS) table. Databases in MongoDB hold collections of documents, and MongoDB documents within a collection can have different fields.

The attack in question uses something called a null-byte injection to get around the Handler and achieve buffer overflow, but what is a null-byte injection? And what is a null-byte? Simply, a null byte character is something like %00 in URI encoding or 0x00 in hex, and is used to terminate strings. Injecting these would bypass data sanity filters, confuse applications on when to end strings, and then manipulate them into performing actions.
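As an added illustration of the null-byte and size-check point above (not code from MongoDB or its Handler), the C below contrasts a strlen()-based filter, which an embedded 0x00 defeats, with a copy that validates the declared length of a BSON-style length-prefixed value against the destination capacity. FIELD_MAX and the sample bytes are constructed for the example.

```c
/* Added example (not MongoDB or Handler code): an embedded NUL (CWE-158)
 * hides the true size of a value from a strlen()-based filter; the
 * hardened copy validates the declared length first (CWE-120). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 16   /* capacity of the fixed-size destination field (assumed) */

enum copy_status { COPY_OK = 0, COPY_EMBEDDED_NUL = 1, COPY_TOO_LONG = 2 };

char g_field[FIELD_MAX];   /* destination used by main() and the checks below */

/* Weak filter: strlen() stops at the first 0x00, so a long length-prefixed
 * value with a NUL near its start looks "short" and passes. */
int naive_filter_accepts(const unsigned char *src, size_t declared_len) {
    (void)declared_len;                  /* the real size is never consulted */
    return strlen((const char *)src) < FIELD_MAX;
}

/* Hardened copy: works from the declared length (as a BSON-style
 * length-prefixed string carries it), rejects embedded NULs, and bounds
 * the copy by the destination capacity before any byte is written. */
enum copy_status copy_field(char dst[FIELD_MAX], const unsigned char *src,
                            size_t declared_len) {
    if (memchr(src, 0, declared_len) != NULL)
        return COPY_EMBEDDED_NUL;        /* CWE-158: NUL inside the value */
    if (declared_len >= FIELD_MAX)       /* keep room for the terminator */
        return COPY_TOO_LONG;            /* CWE-120: would overrun dst */
    memcpy(dst, src, declared_len);
    dst[declared_len] = '\0';
    return COPY_OK;
}

/* Constructed input: 24 bytes declared, 0x00 at offset 3. strlen() sees
 * only "abc"; a memcpy() of the declared length would write 24 bytes
 * into the 16-byte field. */
static const unsigned char SAMPLE_NUL[] = "abc\0defghijklmnopqrstuvw";
#define SAMPLE_NUL_LEN (sizeof SAMPLE_NUL - 1)   /* 24; drops the literal's terminator */

int main(void) {
    printf("strlen() sees %zu of %zu declared bytes\n",
           strlen((const char *)SAMPLE_NUL), (size_t)SAMPLE_NUL_LEN);
    printf("naive filter accepts: %d\n",
           naive_filter_accepts(SAMPLE_NUL, SAMPLE_NUL_LEN));
    printf("hardened copy status: %d\n",
           (int)copy_field(g_field, SAMPLE_NUL, SAMPLE_NUL_LEN));
    return 0;
}
```

The same declared-length discipline applies to any decoder that receives a size field alongside the bytes: check the size you were told, not the size a terminator happens to imply.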