MongoBleed Explained Simply

 (bigdata.2minutestreaming.com)

74 points | by todsacerdoti 3 hours ago

6 comments

  • plorkyeran 1 hour ago
    The author seems to be unaware that Mongo internally develops in a private repo and commits are published later to the public one with https://github.com/google/copybara. All of the confusion around dates is due to this.
  • kentonv 1 hour ago
    A few years back I patched the memory allocator used by the Cloudflare Workers runtime to overwrite all memory with a static byte pattern on free, so that uninitialized allocations contain nothing interesting.

    We expected this to hurt performance, but we were unable to measure any impact in practice.

    Everyone still working in memory-unsafe languages should really just do this IMO. It would have mitigated this Mongo bug.

    [-]
    • tombert 1 hour ago
      You know, I never even considered doing that but it makes sense; whatever overhead that's incurred by doing that static byte pattern is still almost certainly minuscule compared to the overhead of something like a garbage collector.
    • dmitrygr 42 minutes ago
      FYI, at least in C/C++, the compiler is free to throw away assignments to any memory pointed to by a pointer if said pointer is about to be passed to free(), so depending on how you did this, no perf impact could have been because your compiler removed the assignment. This will even affect a call to memset()

      see here: https://godbolt.org/z/rMa8MbYox

      [-]
      • shakna 31 minutes ago
        However, if you recast to volatile, the compiler will keep it:

            #include <stdlib.h>
    #include <string.h>

    void free(void* ptr);
    void not_free(void* ptr);


    void test_with_free(char* ptr) {
        ptr[5] = 6;
        void *(* volatile memset_v)(void *s, int c, size_t n) = memset;
        memset_v(ptr + 2, 3, 4);
        free(ptr);
    }

    void test_with_other_func(char* ptr) {
        ptr[5] = 6;
        void *(* volatile memset_v)(void *s, int c, size_t n) = memset;
        memset_v(ptr + 2, 3, 4);
        not_free(ptr);
    }
  • computerfan494 1 hour ago
    The author of this post is incorrect about the timeline. Our Atlas clusters were upgraded days before the CVE was announced.
  • whynotmaybe 2 hours ago
    I'm still thinking about the hypothetical optimism brought by OWASP top 10 hoping that major flaws will be solved and that buffer overflow has been there since the beginning... in 2003.
    [-]
    • thrwaway55 14 minutes ago
      I mean giving everyone footguns and you'll find that is unavoidable forever. Thoughts and prayers to the Mongo devs until we migrate to a language that prevents this error.
  • maxrmk 3 hours ago
    How often are mongo instances exposed to the internet? I'm more of an SQL person and for those I know it's pretty uncommon, but does happen.
    [-]
    • petcat 2 hours ago
      From my experience, Mongo DB's entire raison d'etre is "laziness".

      * Don't worry about a schema.

      * Don't worry about persistence or durability.

      * Don't worry about reads or writes.

      * Don't worry about connectivity.

      This is basically the entire philosophy, so it's not surprising at all that users would also not worry about basic security.

      [-]
      • aragilar 1 hour ago
        Not only that, but authentication is much harder than it needs to be to set up (and is off by default).
      • winrid 1 hour ago
        Although interestingly, for all the mongo deployments I managed, the first time I saw a cluster publicly exposed without SSL was postgres :)
    • hahahacorn 3 hours ago
      A highly cited reason for using mongo is that people would rather not figure out a schema. (N=3/3 for “serious” orgs I know using mongo).

      That sort of inclination to push off doing the right thing now to save yourself a headache down the line probably overlaps with “let’s just make the db publicly exposed” instead of doing the work of setting up an internal network to save yourself a headache down the line.

      [-]
      • TZubiri 2 hours ago
        I would have hoped that there would be no important data in mongoDB.

        But now we can at least be rest assured that the important data in mongoDB is just very hard to read with the lack of schemas.

        Probably all of that nasty "schema" work and tech debt will finally be done by hackers trying to make use of that information.

    • wood_spirit 3 hours ago
      The article links to a shodan scan reporting 213K exposed instances https://www.shodan.io/search?query=Product%3A%22MongoDB%22
    • ok123456 1 hour ago
      For a long time, the default install had it binding to all interfaces and with authentication disabled.
    • notepad0x90 45 minutes ago
      often. lots of data leaks happened because of this. people spin it up in a cloud vm and forget it has a public ip all the time.