MongoDB has been popular for a long time, but I only recently took a proper look at it. With so little time to learn new things these days, I always feel short of energy. I took the chance of having bought a book, built and tested it on a VPS in spare moments, and read through the implementation code. It is quite an interesting database. It feels very simple, especially when you read the code, but isn't that just another example of KISS: the simple but useful thing becomes the most popular one.
Having read the implementation, I can't help writing something about it. I haven't updated this blog in years, so here is a simple analysis of MongoDB security to get things going again.
Security in the default configuration
By default mongod listens on 0.0.0.0, and any client can connect directly to port 27017 with no authentication at all. The upside is that a developer or DBA can get started immediately without wrestling with a pile of configuration. The downside is obvious: if you set MongoDB up this way on a public-facing server, anyone can read and modify your data. By default mongod also has no administrator account. Unless you add one in the admin database with the db.addUser() command and start mongod with the --auth option, anyone can execute any command in any database without authentication, including dropping data and shutting the server down.
In addition, mongod listens on port 28017 by default, also bound to all addresses. This is mongod's built-in web monitoring interface, from which you can read the current connections, the log, server status, operating system information and so on. If mongod is started with --rest as well, data can be queried and mongod commands executed directly through this web interface. I spent an evening scanning one /16 (class B) range abroad and one in China. The result: 78 MongoDB instances reachable abroad and 60 domestic. I picked 10 of them at random and tried to connect; only one had an administrator account and required authentication, the rest were wide open. That shows how serious the problem is.
MongoDB itself actually has very detailed security configuration guidelines, so the project has clearly thought about this; it simply pushes the job of securing the deployment onto the user. This is a strategy that favours ease of use, with security sidelined.
User storage and the authentication process
Much like MySQL, which keeps system user information in the mysql.user table, MongoDB stores each user's username and pwd in the admin.system.users collection, where pwd = MD5(username + ":mongo:" + real_password). This is not a problem in itself: the username and the ":mongo:" string act as a salt, so even an attacker who obtains the stored MD5 hashes cannot simply look the original passwords up in a rainbow table. (The salt is predictable and MD5 is fast, though, so a per-user dictionary attack on a stolen pwd hash is still cheap.)
Let's look at how the mongo client and server carry out authentication. Their interaction is in cleartext, so it is easy to capture by sniffing the network. Here we use mongosniff, which ships with the database and dumps every packet exchanged between client and server:
[root@localhost bin]# ./mongosniff --source NET lo
sniffing 27017
127.0.0.1:34142 -->> 127.0.0.1:27017 admin.$cmd 62 bytes id:8 8
query: { getnonce: 1.0 } ntoreturn: -1 ntoskip: 0
127.0.0.1:27017 <<-- 127.0.0.1:34142 81 bytes id:7 7 - 8
reply n:1 cursorId: 0
{ nonce: "df97182fb47bd6d0", ok: 1.0 }
127.0.0.1:34142 -->> 127.0.0.1:27017 admin.$cmd 152 bytes id:9 9
query: { authenticate: 1.0, user: "admin", nonce: "df97182fb47bd6d0", key: "3d839522b547931057284b6e1cd3a567" } ntoreturn: -1 ntoskip: 0
127.0.0.1:27017 <<-- 127.0.0.1:34142 53 bytes id:8 8 - 9
reply n:1 cursorId: 0
{ ok: 1.0 }
- Step one: the client sends the getnonce command, asking the server for a random nonce. The server returns a 16-character hex nonce, and the value differs on every request.
- Step two: the client derives a key from the password the user typed, key = MD5(nonce + username + MD5(username + ":mongo:" + real_password)), and sends it to the server together with the username and the nonce it received. The server first checks that the nonce matches the one it last generated, then compares key == MD5(nonce + username + pwd). If they match, authentication succeeds.
Because the password hash itself never crosses the network, a challenge-response mechanism is used instead, and the nonce differs every time, an attacker who intercepts the key cannot replay it to authenticate. (Note that the nonce travels in the clear next to the key, so a captured exchange is still enough material for an offline dictionary attack on the password.)
However, once the attacker has the pwd hash stored in the database, this authentication mechanism no longer protects anything. Even without recovering the original password from the pwd hash, he can still send MD5(nonce + username + pwd) and pass the server's check, because the server effectively treats the user's pwd hash as the real password; no step ever involves the plaintext password. At this point there is no essential difference from the MySQL authentication mechanism I analysed earlier. Of course this does not necessarily count as a weak authentication design, but after all, the chance of getting hold of a MongoDB username and pwd is likely to be even greater.
The web monitoring interface, however, authenticates somewhat differently. When the client is not connecting from localhost, the user must authenticate, and the process is similar to the mongo one, with one major difference: the nonce here is not random but is always "abc".
Thanks to this, an attacker who captures one successful administrator login can simply replay that packet and get straight into the web monitoring page.
Likewise, an attacker can brute-force mongo usernames and passwords directly through this interface. In fact neither 27017 nor 28017 limits password guessing, but the web interface is easier because there is no need to fetch a nonce every time.
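The handshake above, the pass-the-hash case and the fixed-nonce web interface, as an added example that is not part of the original post or of MongoDB's own code. It models the challenge/response in Python: CRServer, FixedNonceServer, login, offline_crack and the sample account admin / hunter2 are all constructed here, and the model's assumption that a 27017 nonce is consumed once it has been answered is its own, not something taken from mongod.

```python
# Added example (not MongoDB's own code): a model of the challenge/response
# described above, showing (1) that a sniffed key cannot be replayed against
# 27017, (2) that the stored pwd digest alone is enough to authenticate,
# (3) that the web interface's fixed nonce "abc" makes replay trivial, and
# (4) that a captured (nonce, key) pair still allows offline password guessing.
import hashlib
import os
from typing import Dict, Iterable, Optional, Tuple


def _md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def pwd_digest(username: str, password: str) -> str:
    """The 'pwd' value stored in system.users: MD5(username + ':mongo:' + password)."""
    return _md5hex(username + ":mongo:" + password)


def client_key(nonce: str, username: str, pwd: str) -> str:
    """The 'key' field of the authenticate command: MD5(nonce + username + pwd)."""
    return _md5hex(nonce + username + pwd)


class CRServer:
    """Model of the 27017 handshake: a fresh random nonce per getnonce, checked
    against the last one issued. Treating the nonce as one-shot is an assumption
    of this model, not something taken from mongod's source."""

    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users                      # username -> stored pwd digest
        self._nonce: Optional[str] = None

    def getnonce(self) -> str:
        self._nonce = os.urandom(8).hex()       # 16 hex characters, as in the capture
        return self._nonce

    def authenticate(self, user: str, nonce: str, key: str) -> bool:
        expected, self._nonce = self._nonce, None
        if expected is None or nonce != expected or user not in self.users:
            return False
        return key == client_key(nonce, user, self.users[user])


class FixedNonceServer:
    """Model of the 28017 web interface as the post describes it: same scheme,
    but the nonce is always 'abc', so nothing ties a key to one exchange."""

    NONCE = "abc"

    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users

    def getnonce(self) -> str:
        return self.NONCE

    def authenticate(self, user: str, nonce: str, key: str) -> bool:
        if nonce != self.NONCE or user not in self.users:
            return False
        return key == client_key(nonce, user, self.users[user])


def login(server, user: str, password: Optional[str] = None,
          pwd: Optional[str] = None) -> Tuple[bool, Tuple[str, str]]:
    """Client side of the exchange. Pass the real password, or a stolen pwd digest
    (pass-the-hash); returns the result and the (nonce, key) pair a sniffer sees."""
    nonce = server.getnonce()
    digest = pwd if pwd is not None else pwd_digest(user, password or "")
    key = client_key(nonce, user, digest)
    return server.authenticate(user, nonce, key), (nonce, key)


def offline_crack(user: str, nonce: str, key: str,
                  candidates: Iterable[str]) -> Optional[str]:
    """Everything but the password crosses the wire in clear, so a captured
    (nonce, key) pair lets an attacker test guesses without touching the server."""
    for guess in candidates:
        if client_key(nonce, user, pwd_digest(user, guess)) == key:
            return guess
    return None


def demo() -> Dict[str, object]:
    users = {"admin": pwd_digest("admin", "hunter2")}    # constructed sample account
    srv = CRServer(users)
    ok, captured = login(srv, "admin", password="hunter2")
    srv.getnonce()                                       # attacker opens a new session...
    replay_ok = srv.authenticate("admin", *captured)     # ...and replays the sniffed nonce/key
    pth_ok, _ = login(srv, "admin", pwd=users["admin"])  # only the stored digest is needed
    web = FixedNonceServer(users)
    _, web_captured = login(web, "admin", password="hunter2")
    web_replay_ok = web.authenticate("admin", *web_captured)
    cracked = offline_crack("admin", captured[0], captured[1],
                            ["password", "123456", "admin", "hunter2"])
    return {"login": ok, "replay": replay_ok, "pass_the_hash": pth_ok,
            "web_replay": web_replay_ok, "cracked": cracked}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} {result}")
```

Running it prints login True, replay False, pass_the_hash True, web_replay True and cracked hunter2: the random nonce defeats replay on 27017, but neither the stolen digest nor the fixed web nonce is stopped by it, and the sniffed pair is enough to recover a weak password offline.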
The JavaScript implementation and how to protect it
One of MongoDB's biggest features is that it uses JavaScript as its command language. Attackers pay close attention to this, because how far those commands reach decides whether access to MongoDB can be turned into further penetration. The standard JavaScript library itself is actually quite weak: neither SpiderMonkey nor V8 supports system or file-related operations. MongoDB therefore adds some extensions, and you can see that ls / cat / cd / hostname and even runProgram are implemented in the JavaScript context. Eager to try? Type ls("./") in the mongo shell and see what comes back.
Look familiar? Yes, all of these APIs are implemented in the client's context, not the server's. A small joke :) So can JavaScript be executed on the server side? The answer is yes. With db.eval(code), whose underlying implementation is db.$cmd.findOne({$eval: code}), we can run JavaScript code on the server.
Of course, the server-side JavaScript context has its own extensions. mongod clearly took security (and possibly other things) into account, so the server does not get anything as powerful as the client. MongoDB is updated constantly, though, so this list is worth watching long-term; perhaps something like load_file / exec will appear later.
To eliminate the risks of server-side JavaScript execution, start mongod with the --noscripting option, which disables server-side JavaScript entirely.
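As an added example (not from the original post or from the MongoDB project), a small audit of the old "key = value" mongod.conf format for the settings discussed on this page: the listen address, auth, the 28017 web interface and rest, and server-side JavaScript. Both configuration files are constructed samples; parse_conf and audit_conf are names chosen here, and bind_ip and nohttpinterface are mongod options of that era that the post itself does not mention.

```python
# Added example (not MongoDB's own code): parse an old-style mongod.conf and
# report the weak settings discussed in the post, with the unhardened file
# next to the hardened one.
from typing import Dict, List

# Constructed sample: an unhardened mongod.conf. Everything not listed keeps
# mongod's default: all interfaces, no auth, web interface on, scripting on.
WEAK_CONF = """\
dbpath = /var/lib/mongo
logpath = /var/log/mongodb.log
fork = true
# the web interface also answers data queries
rest = true
"""

# Constructed sample: the same file hardened. bind_ip and nohttpinterface are
# the era's mongod option names (assumption: not taken from the post).
HARDENED_CONF = """\
dbpath = /var/lib/mongo
logpath = /var/log/mongodb.log
fork = true
# listen only where the application servers can reach, never 0.0.0.0
bind_ip = 127.0.0.1
# requires an admin user created with db.addUser() in the admin database
auth = true
# turn the 28017 web interface off entirely instead of relying on its auth
nohttpinterface = true
rest = false
# no server-side JavaScript (db.eval)
noscripting = true
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse the old 'key = value' mongod.conf format; '#' starts a comment."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key.lower()] = value.lower()
    return conf


def _enabled(conf: Dict[str, str], key: str) -> bool:
    """Boolean options are off unless set; accept the spellings admins actually use."""
    return conf.get(key, "false") in ("true", "1", "yes", "on")


def audit_conf(text: str) -> List[str]:
    """Return one finding per weak setting discussed in the post."""
    conf = parse_conf(text)
    findings: List[str] = []
    addrs = [a.strip() for a in (conf.get("bind_ip") or "0.0.0.0").split(",")]
    if "0.0.0.0" in addrs:
        findings.append("bind_ip: 27017 and 28017 listen on every interface")
    if not _enabled(conf, "auth"):
        findings.append("auth: off, any client may run any command including shutdown")
    if not _enabled(conf, "nohttpinterface"):
        findings.append("nohttpinterface: 28017 web interface enabled (fixed nonce 'abc')")
        if _enabled(conf, "rest"):
            findings.append("rest: data and commands reachable through the web interface")
    if not _enabled(conf, "noscripting"):
        findings.append("noscripting: server-side JavaScript (db.eval) enabled")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":")
        for finding in audit_conf(text) or ["no findings"]:
            print("  " + finding)
```

The weak file produces five findings and the hardened file none. The check is deliberately pessimistic: an option that is absent is treated as mongod's default, which for every setting here is the insecure one.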