diff --git a/src/network-services-pentesting/27017-27018-mongodb.md b/src/network-services-pentesting/27017-27018-mongodb.md index c989b3ee503..0cd0a06c5d0 100644 --- a/src/network-services-pentesting/27017-27018-mongodb.md +++ b/src/network-services-pentesting/27017-27018-mongodb.md 
@@ -102,9 +102,50 @@ The tool [https://github.com/andresriancho/mongo-objectid-predict](https://githu If you are root you can **modify** the **mongodb.conf** file so no credentials are needed (_noauth = true_) and **login without credentials**. ---- +## MongoBleed zlib Memory Disclosure (CVE-2025-14847) -{{#include ../banners/hacktricks-training.md}} +A widespread unauthenticated memory disclosure ("MongoBleed") impacts MongoDB 3.6–8.2 whenever the **zlib network compressor is enabled**. During OP\_MSG decompression MongoDB returns the **attacker-controlled allocation length instead of the real uncompressed length**, so the reply contains uninitialized server memory that belongs to other connections, `/proc` files, or the WiredTiger cache. + +### Exposure requirements & quick checks + +- Server version must be within the vulnerable ranges (3.6, 4.0, 4.2, 4.4.0–4.4.29, 5.0.0–5.0.31, 6.0.0–6.0.26, 7.0.0–7.0.27, 8.0.0–8.0.16, 8.2.0–8.2.2). +- `net.compression.compressors` or `networkMessageCompressors` must include `zlib` (default on many builds). Check it from the shell with: + +```javascript +db.adminCommand({getParameter: 1, networkMessageCompressors: 1}) +``` + +- The attacker only needs network access to the MongoDB port. No authentication is necessary. + +### Exploitation & harvesting workflow + +1. Initiate the wire-protocol handshake while advertising `compressors:["zlib"]` and force the session to use zlib. +2. Send crafted compressed OP\_MSG frames whose declared `uncompressedSize` is much larger than the real payload so MongoDB allocates a huge buffer. +3. Because MongoDB copies the entire buffer length into the reply, the BSON parser treats **garbage field names** as valid data until it hits a `\x00`, leaking chunks of process memory on every response. +4. Vary the claimed document length/offset to walk process memory and aggregate leaks. 
+ +The public PoC automates the probing offsets and carving of the returned fragments: +```bash +python3 mongobleed.py --host --max-offset 50000 --output leaks.bin +``` + +Running wider offset ranges consistently yields: + +- MongoDB internal logs, connection UUIDs, client IPs and WireTiger stats. +- `/proc` artifacts such as `meminfo`, socket statistics or container paths helpful for container escape or lateral movement. +- Secrets that happen to be resident in memory (database creds, API tokens, cloud keys, session cookies, etc.). + +At scale, attackers first fingerprint `mongod` instances (e.g., Censys saw >87k exposed services), confirm the version/compressor, then loop the above sequence to build a searchable dump of leaked strings for follow-on compromise. +## References + +- [Tenable – CVE-2025-14847 (MongoBleed): MongoDB Memory Leak Vulnerability Exploited in the Wild](https://www.tenable.com/blog/cve-2025-14847-mongobleed-mongodb-memory-leak-vulnerability-exploited-in-the-wild) +- [MongoDB Security Advisory SERVER-115508](https://jira.mongodb.org/browse/SERVER-115508) +- [Censys – MongoBleed Advisory](https://censys.com/advisory/cve-2025-14847) +- [MongoBleed PoC (joe-desimone/mongobleed)](https://github.com/joe-desimone/mongobleed) + +--- + +{{#include ../banners/hacktricks-training.md}}
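Review bot: the PoC invocation `python3 mongobleed.py --host --max-offset 50000 --output leaks.bin` is missing the value for `--host` (the target placeholder was evidently stripped), so the command does not run as written; restore it with a clearly labelled placeholder such as `--host <target>`. Two smaller points in the same hunk: `WireTiger stats` should read `WiredTiger stats`, matching the spelling used in the intro paragraph, and `## References` needs a blank line before it so the heading is not glued to the preceding "At scale, attackers..." paragraph (moving the `---` rule and the banner include to the end of the file is fine). Finally, the section lists vulnerable ranges and an exposure check but no remediation; a one-line note next to the `getParameter` check that the fix is to upgrade past the listed ranges or to remove `zlib` from `net.compression.compressors` / `networkMessageCompressors` would close the loop, since by the section's own description an enabled zlib compressor is the precondition for the leak.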