phpMoAdmin (short for PHP MongoDB administration tool) is a free and open source MongoDB GUI tool. phpMoAdmin is written in PHP and is a popular administration tool for managing the NoSQL database MongoDB.
A zero-day remote code execution vulnerability was seen in phpMoAdmin which allows an attacker to execute arbitrary code without requiring any authentication. The vulnerability is a command injection flaw, a class of bug that occurs when a web application executes operating system commands built from user input carried in the request.
Examining the vulnerability
The vulnerability lies in the moadmin.php file. The way moadmin.php passes request parameters to the PHP eval function allows an attacker to call functions that run shell commands or evaluate further code, e.g. system(), exec(), or eval() itself.
There are two execution paths for this vulnerability. Here is the vulnerable code from moadmin.php:
- First attack vector is via the find parameter.
Figure 1. Attack vector in find parameter
- Second vector is via the object parameter.
Figure 2. Attack vector in object parameter
With suitably crafted values, either of the two parameters above allows arbitrary code to be run on a vulnerable server.
To exploit the find parameter, we can use various HTTP methods such as POST, GET, CONNECT, and PUT. The second method targeting the object parameter can be exploited with only POST method.
The exploitation of this vulnerability is trivial and we recommend that servers be patched immediately or their security solutions be updated to cover this vulnerability. This is demonstrated below.
- With the find parameter:
POST /xyz/moadmin.php?action=listrows&collection=nnn&find=array();system('ls'); HTTP/1.1
GET /xyz/moadmin.php?action=listrows&collection=nnn&find=array();system('ls'); HTTP/1.1
CONNECT /xyz/moadmin.php?action=listrows&collection=nnn&find=array();system('ls'); HTTP/1.1
PUT /xyz/moadmin.php?action=listrows&collection=nnn&find=array();system('ls'); HTTP/1.1
Each of the requests above forces the server to run the ls command. This is what the attack looks like over the network:
Figure 3. HTTP headers, using the find parameter
The output of the ls command can be seen after the expected HTTP headers. Several HTTP methods can be used to trigger the code remotely; to use the find parameter we need to set action to listrows, give collection an arbitrary value, and start find with array(). The ls command is within the system() call at the very end.
- With the Object parameter:
curl "http://xyz/moadmin.php" -d "object=1;system('id');exit"
This is what the attack looks like over the network:
Figure 4. HTTP headers, using the object parameter
Our research indicates that only the POST method can be used to exploit this vulnerability using this particular vector. To use the object parameter, we need to initialize it with an arbitrary value. As in the previous example, the output of the id command can be seen after the expected HTTP headers.
It would not be difficult at all for an attacker to use this vulnerability to run other commands which could compromise the server more completely (such as downloading and running malicious files). This can, in effect, hand over control of the server to the attacker.
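For defenders who cannot patch immediately, the two vectors above are easy to spot in web server traffic: both hit moadmin.php, and both carry a PHP statement chain (a ';' followed by a function call) in the find or object parameter, where a legitimate phpMoAdmin query would hold a single expression. The following detector is an added example written for this post, not Trend Micro's rule or any phpMoAdmin code. It assumes access logs or a proxy that give you the HTTP request line and, for POST, the form body; the heuristic of flagging ';' and a short list of PHP execution functions is an assumption to tune for your own deployment.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# PHP functions that, if they appear inside a value destined for eval(), indicate
# command execution or nested code evaluation rather than a legitimate query.
DANGEROUS_CALLS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(",
    re.IGNORECASE,
)
# The two phpMoAdmin parameters described in the post.
SUSPECT_PARAMS = ("find", "object")


def split_query(qs):
    """Split a query string or urlencoded body on '&' only.

    Deliberately not using urllib.parse.parse_qs: older Python versions also
    split on ';', which would tear the injected "array();system(...)" apart
    and hide the statement chaining we want to see.
    """
    params = {}
    for pair in qs.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def looks_like_php_code(value):
    """Heuristic (assumption): a legitimate find/object value is one PHP expression.

    A ';' chains a second statement onto it, and none of DANGEROUS_CALLS should
    ever appear in a query. Values containing ';' inside quoted strings will
    false-positive; tune for your data.
    """
    return ";" in value or DANGEROUS_CALLS.search(value) is not None


def classify_request(request_line, body=""):
    """Return a finding dict for a moadmin.php request that carries PHP code in
    find/object (query string, or POST body), otherwise None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    url = urlsplit(target)
    if not url.path.lower().endswith("/moadmin.php"):
        return None
    params = split_query(url.query)          # covers GET/PUT/CONNECT/POST query strings
    if method == "POST" and body:            # the object vector arrives in the body
        for name, values in split_query(body).items():
            params.setdefault(name, []).extend(values)
    for name in SUSPECT_PARAMS:
        for value in params.get(name, []):
            if looks_like_php_code(value):
                return {"method": method, "param": name, "value": value}
    return None


def scan(requests):
    """Run classify_request over (request_line, body) pairs and return the findings."""
    findings = []
    for line, body in requests:
        finding = classify_request(line, body)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample traffic: request lines from the post, a URL-encoded variant,
# a benign phpMoAdmin query, and a request to an unrelated script.
SAMPLE_REQUESTS = [
    ("GET /xyz/moadmin.php?action=listrows&collection=nnn&find=array();system('ls'); HTTP/1.1", ""),
    ("PUT /xyz/moadmin.php?action=listrows&collection=nnn&find=array();system('ls'); HTTP/1.1", ""),
    ("POST /xyz/moadmin.php HTTP/1.1", "object=1;system('id');exit"),
    ("GET /xyz/moadmin.php?action=listrows&collection=users&find=array('name'=>'bob') HTTP/1.1", ""),
    ("GET /xyz/index.php?find=array();system('ls'); HTTP/1.1", ""),
    ("GET /xyz/moadmin.php?action=listrows&collection=nnn&find=array%28%29%3Bsystem%28%27ls%27%29%3B HTTP/1.1", ""),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f['method']:7} {f['param']:6} {f['value']}")
```

On the sample traffic the four injection attempts are reported (including the URL-encoded one, since values are decoded before inspection) while the benign query and the request to a different script are not. Note that the detector checks the query string regardless of method, because the find vector works over POST, GET, CONNECT and PUT alike, and only looks at the body for POST, matching the object vector's behaviour described above.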
Trend Micro Deep Security provides protection to users via the following rule, which has been released to users via update DSRU15-008:
- 1006559 – PHPMoAdmin Unauthorized Remote Code Execution Vulnerability