From 0056488bb8a4b36ffa1b1c36cd0f04e6a15bd0ac Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 14 Jan 2026 01:35:08 +0000 Subject: [PATCH] Add content from: Threat Brief: MongoDB Vulnerability (CVE-2025-14847) --- .../27017-27018-mongodb.md | 46 ++++++++++++++----- 1 file changed, 35 insertions(+), 11 deletions(-) diff --git a/src/network-services-pentesting/27017-27018-mongodb.md b/src/network-services-pentesting/27017-27018-mongodb.md index 0cd0a06c5d0..d7ea633d38f 100644 --- a/src/network-services-pentesting/27017-27018-mongodb.md +++ b/src/network-services-pentesting/27017-27018-mongodb.md @@ -104,7 +104,7 @@ If you are root you can **modify** the **mongodb.conf** file so no credentials a ## MongoBleed zlib Memory Disclosure (CVE-2025-14847) -A widespread unauthenticated memory disclosure ("MongoBleed") impacts MongoDB 3.6–8.2 whenever the **zlib network compressor is enabled**. During OP\_MSG decompression MongoDB returns the **attacker-controlled allocation length instead of the real uncompressed length**, so the reply contains uninitialized server memory that belongs to other connections, `/proc` files, or the WiredTiger cache. +A widespread unauthenticated memory disclosure ("MongoBleed") impacts MongoDB 3.6–8.2 when the **zlib network compressor is enabled**. The `OP_COMPRESSED` header trusts an attacker-supplied `uncompressedSize`, so the server allocates a buffer of that size and copies it back into responses even though only a much smaller compressed payload was provided. The extra bytes are **uninitialized heap data** from other connections, `/proc`, or the WiredTiger cache. Attackers then omit the expected **BSON `\x00` terminator** so MongoDB’s parser keeps scanning that oversized buffer until it finds a terminator, and the error response echoes both the malicious document and the scanned heap bytes **pre-auth** on TCP/27017. ### Exposure requirements & quick checks 
@@ -119,10 +119,10 @@ db.adminCommand({getParameter: 1, networkMessageCompressors: 1}) ### Exploitation & harvesting workflow -1. Initiate the wire-protocol handshake while advertising `compressors:["zlib"]` and force the session to use zlib. -2. Send crafted compressed OP\_MSG frames whose declared `uncompressedSize` is much larger than the real payload so MongoDB allocates a huge buffer. -3. Because MongoDB copies the entire buffer length into the reply, the BSON parser treats **garbage field names** as valid data until it hits a `\x00`, leaking chunks of process memory on every response. -4. Vary the claimed document length/offset to walk process memory and aggregate leaks. +1. Initiate the wire-protocol handshake advertising `compressors:["zlib"]` so the session uses zlib. +2. Send `OP_COMPRESSED` frames whose declared `uncompressedSize` is far larger than the real decompressed payload to force **oversized heap allocation full of old data**. +3. Craft the embedded BSON **without a final `\x00`** so the parser walks past attacker-controlled data into the oversized buffer while looking for a terminator. +4. MongoDB emits an error that includes the original message plus whatever heap bytes were scanned, leaking memory. Repeat with varying lengths/offsets to aggregate secrets (creds/API keys/session tokens), WiredTiger stats, and `/proc` artifacts. The public PoC automates the probing offsets and carving of the returned fragments: 
@@ -130,17 +130,41 @@ The public PoC automates the probing offsets and carving of the returned fragmen python3 mongobleed.py --host --max-offset 50000 --output leaks.bin ``` -Running wider offset ranges consistently yields: - -- MongoDB internal logs, connection UUIDs, client IPs and WireTiger stats. -- `/proc` artifacts such as `meminfo`, socket statistics or container paths helpful for container escape or lateral movement. -- Secrets that happen to be resident in memory (database creds, API tokens, cloud keys, session cookies, etc.). +### Detection noise signal (high-rate connections) + +The attack usually generates many short-lived requests. Watch for spikes of inbound connections to `mongod`/`mongod.exe`. Example XQL hunt (>500 connections/min per remote IP, excluding RFC1918/loopback/link-local/mcast/broadcast/reserved ranges by default): + +
+Cortex XQL high-velocity Mongo connections + +```sql +// High-velocity inbound connections to mongod/mongod.exe (possible MongoBleed probing) + +dataset = xdr_data +| filter event_type = ENUM.NETWORK +| filter lowercase(actor_process_image_name) in ("mongod", "mongod.exe") +| filter action_network_is_server = true +| filter action_remote_ip not in (null, "") +| filter incidr(action_remote_ip, "10.0.0.0/8") != true and + incidr(action_remote_ip, "192.168.0.0/16") != true and + incidr(action_remote_ip, "172.16.0.0/12") != true and + incidr(action_remote_ip, "127.0.0.0/8") != true and + incidr(action_remote_ip, "169.254.0.0/16") != true and + incidr(action_remote_ip, "224.0.0.0/4") != true and + incidr(action_remote_ip, "255.255.255.255/32") != true and + incidr(action_remote_ip, "198.18.0.0/15") != true +| filter action_network_session_duration <= 5000 +| bin _time span = 1m +| comp count(_time) as Counter by agent_hostname, action_remote_ip, _time +| filter Counter >= 500 +``` -At scale, attackers first fingerprint `mongod` instances (e.g., Censys saw >87k exposed services), confirm the version/compressor, then loop the above sequence to build a searchable dump of leaked strings for follow-on compromise. +
## References +- [Unit 42 – Threat Brief: MongoDB Vulnerability (CVE-2025-14847)](https://unit42.paloaltonetworks.com/mongobleed-cve-2025-14847/) - [Tenable – CVE-2025-14847 (MongoBleed): MongoDB Memory Leak Vulnerability Exploited in the Wild](https://www.tenable.com/blog/cve-2025-14847-mongobleed-mongodb-memory-leak-vulnerability-exploited-in-the-wild) - [MongoDB Security Advisory SERVER-115508](https://jira.mongodb.org/browse/SERVER-115508) - [Censys – MongoBleed Advisory](https://censys.com/advisory/cve-2025-14847)
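Review bot: The rewritten intro paragraph (hunk at line 104) now gives two slightly different root-cause framings, and the second should be tightened. It first says the server "copies it back into responses even though only a much smaller compressed payload was provided", which reads as if the full oversized buffer is returned on its own, but the same paragraph then explains that bytes reach the client only because the BSON parser scans past the missing `\x00` terminator and the error response echoes what it scanned. Suggest phrasing the first sentence as "allocates a buffer of `uncompressedSize` and leaves the unused tail uninitialized" and letting the terminator sentence carry the disclosure mechanism, so the two statements agree. Separately, the affected range "MongoDB 3.6–8.2" is given without the fixed releases; since the SERVER-115508 advisory is already in the References, adding a one-line "Fixed in: <versions per SERVER-115508>" next to the range would let readers check exposure without leaving the page.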
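Review bot: In the workflow list (hunk at line 119), step 1 "advertising `compressors:["zlib"]` so the session uses zlib" skips the precondition the page itself states: the server only negotiates zlib if it is in `networkMessageCompressors`, which is exactly what the unchanged `db.adminCommand({getParameter: 1, networkMessageCompressors: 1})` check above tests. Suggest "so the session uses zlib (only succeeds when zlib is listed in `networkMessageCompressors`; see the check above)" so the list ties back to the quick-checks section. Step 4 also mixes mechanism with outcomes ("Repeat with varying lengths/offsets to aggregate secrets ... and `/proc` artifacts"); the outcome list that the old "Running wider offset ranges consistently yields" bullets carried reads more clearly as its own short sentence after the list than folded into the last step.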
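Review bot: Three points on the detection hunk (line 130). First, the prose says ">500 connections/min" but the query ends with `| filter Counter >= 500`; pick one, and since `comp count(_time)` counts network events rather than distinct connections, the sentence should say "events" or the query should count sessions, otherwise a single NAT'd application tier can trip the threshold. Second, the block is fenced as ```sql but contains Cortex XQL; a plain fence (or a `text`/`xql` tag) avoids misleading highlighting. Third, the lines `+` / `+Cortex XQL high-velocity Mongo connections` / `+` before the fence and the lone `+` after it look like a collapsible `<details>`/`<summary>` wrapper whose tags are not visible in this view; please confirm the rendered page shows the summary and that the closing tag sits after the fence. As a documentation point, this hunk removes the Censys ">87k exposed services" statistic while keeping the Censys advisory in References, and the section now has detection guidance but no mitigation line; since the exposure requirement is an enabled zlib compressor, suggest one bullet "Mitigation: upgrade per SERVER-115508 and remove `zlib` from `networkMessageCompressors` until patched" directly under the detection heading.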