Message-ID: <51A8F59F.7040002@redhat.com>
Date: Fri, 31 May 2013 13:10:23 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: CVE-2013-2132 MongoDB: User-triggerable NULL pointer dereference due to utter plebbery

https://jira.mongodb.org/browse/PYTHON-532

Short summary:

Step 1. Use Mongo as WEB SCALE DOCUMENT STORE OF CHOICE LOL
Step 2. Assume basic engineering principles applied throughout due to HEAVY MARKETING SUGGESTING AWESOMENESS.
Step 3. Spend 6 months fighting plebbery across the spectrum, mostly succeed.
Step 4. NIGHT BEFORE INVESTOR DEMO, TRY UPLOADING SOME DATA WITH "{$ref: '#/mongodb/plebtastic'"
Step 5. LOL WTF?!?!? PYMONGO CRASH?? :OOO LOOOL WEBSCALE
Step 6. It's 4am now. STILL INVESTIGATING

b4cb9be0 pymongo/_cbsonmodule.c (Mike Dirolf 2009-11-10 14:54:39 -0500 1196) /* Decoding for DBRefs */

Oh Mike!!!

3. ADD process_dbrefs=False TO ALL THE DRIVERS

To reproduce:

- in mongo shell:
    db.python532.insert({x : {"$ref" : "whatever"} });
- in python shell
    import pymongo
    pymongo.MongoClient().test.python532.find_one()

Fix:
https://github.com/mongodb/mongo-python-driver/commit/a060c15ef87e0f0e72974c7c0e57fe811bbd06a2

BTW can someone from 10gen contact me so we can start doing the CVEs for MongoDB properly? Thanks.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
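
Added example (not part of the original message and not MongoDB's or PyMongo's code): an intake check, in Python, that flags embedded documents shaped like the one in the reproduction step above before they are stored. It assumes the risky shape is a sub-document with a "$ref" key and no "$id"; the function names and sample documents are constructed for illustration.

```python
# Added example: reject user-supplied documents that contain a partial DBRef.
# Assumption: "partial DBRef" means a mapping with "$ref" but without "$id",
# which is the shape used in the reproduction step of the message above.


def find_partial_dbrefs(doc, path=""):
    """Return dotted paths of embedded mappings that have "$ref" but no "$id"."""
    hits = []
    if isinstance(doc, dict):
        if "$ref" in doc and "$id" not in doc:
            hits.append(path or "<root>")
        # Keep walking: a partial DBRef can be nested at any depth.
        for key, value in doc.items():
            child = f"{path}.{key}" if path else str(key)
            hits.extend(find_partial_dbrefs(value, child))
    elif isinstance(doc, (list, tuple)):
        for index, value in enumerate(doc):
            child = f"{path}.{index}" if path else str(index)
            hits.extend(find_partial_dbrefs(value, child))
    return hits


def reject_partial_dbrefs(doc):
    """Raise ValueError if doc contains a partial DBRef, else return doc unchanged."""
    hits = find_partial_dbrefs(doc)
    if hits:
        raise ValueError("partial DBRef at: " + ", ".join(hits))
    return doc


# Constructed sample inputs (not taken from any real deployment).
REPRO_SHAPED = {"x": {"$ref": "whatever"}}
COMPLETE_REF = {"x": {"$ref": "users", "$id": 42}}
NESTED = {"items": [{"name": "a"}, {"owner": {"$ref": "users"}}]}

if __name__ == "__main__":
    for sample in (REPRO_SHAPED, COMPLETE_REF, NESTED):
        print(sample, "->", find_partial_dbrefs(sample))
```

A check like this belongs on the write path: per the reproduction steps, the crash happens when an affected driver reads the stored document back, so filtering after the insert is too late.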