Server Side JavaScript Injection on MongoDB

By Adrian Lane | March 26, 2013

A couple of years ago Bryan Sullivan of Microsoft demonstrated blind injection and server-side JavaScript injection attacks against MongoDB, Neo4j, and other big data engines, but this is the first time I have seen someone turn one into a shell and bypass ASLR along the way. The SCRT Information Security Team Blog reports a 0-day that does just that:

Trying some server side javascript injection in mongodb, I wondered if it would be possible to pop a shell.

… nativeHelper is a crazy feature in SpiderMonkey misused by MongoDB: the NativeFunction func comes from the x JavaScript object and is then called without any check!!!

… This feature/vulnerability was reported 3 weeks ago to 10gen developers; no patch was committed, but the default JavaScript engine was changed in the last version, so there is no more nativeHelper.apply function. A Metasploit module is coming soon…

Go read the post! They laid out their work step by step, so it’s easy to follow their analysis and the tweaks they tried before getting it to work. A side note to NoSQL vendors out there: it may be time for some of you to consider a bug bounty program on commonly used components – or maybe throw some money SCRT’s way? Nice work, guys. A big “thank you” to Zach (@quine) for spotting this post and bringing it to our attention!
