MongoDB 2.0.1 / 2.1.1 / 2.1.4 / 2.1.5 Local Password Disclosure – Torchsec
Product: MongoDB database
Tool: mongosh
Affected Version(s): 2.0.1 , 2.1.1,2.1.4,2.1.5
Tested Version(s): 2.0.1 , 2.1.1,2.1.4,2.1.5
Risk Level: Low
Author of Advisory: Emad Al-Mousa
*****************************************
Vulnerability Details:
Vulnerability in MongoDB database system "mongosh" which is a JavaScript and Node.js REPL environment for interacting with MongoDB deployments in Atlas , locally, or on another remote host. So, its basically a command line utility to run database commands and java scripts against back-end MongoDB database system.
MONGOSH has two vulnerbailites where passwords can be exposed and leaked in which an attacker to the operating system can weaponize for unauthorized access to the MongoDB database system.
*****************************************
Proof of Concept (PoC):
Vulnerability No1. : passwordPrompt() showing password displayed in clear text
per documentation:
https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompt
The password should not be displayed, however I found out that it appears clearly in the prompt !
The password function passwordPrompt() was tested and used in conjunction with db.createUser, db.changeUserPassword, db.auth commands and all of them were allowing clear text password to appear.
admin> use admin
already on db admin
admin> db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})
Enter password
mongo
*****{ ok: 1 }
admin>
Vulnerability No2. : Password is exposed in mongosh_repl_history file with db.auth command
Mongosh was tested with both “remove”& “remove-redact” modes
config.set (redactHistory, “remove-redact”)
config.set (‘redactHistory’, “remove”)
In Linux Red Hat Environment the file: $MONGOHOME/.mongodb/mongosh/mongosh_repl_history
Contains the password in clear text for historical commands run for authentication db.auth() and db.createUser , per documentation: https://www.mongodb.com/docs/mongodb-shell/logs/ the logs should omit the credentials but this didn’t happen !
In windows operating system environment the file: C:\Users\windows_profile_user\AppData\Roaming\mongodb\mongosh
Commands running for database creation db.createUser and db.auth() are logging the username, password explicitly as shown below:
cat mongosh_repl_history
use admin
db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})
*****************************************
References:
https://databasesecurityninja.wordpress.com/2024/03/07/mongodb-mongosh-password-exposure-vulnerability/
https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompt
https://www.mongodb.com/docs/mongodb-shell/logs/
Gloss