Threat Brief MongoDB Vulnerability (CVE-2025-14847)

src/network-services-pentesting/27017-27018-mongodb.md

@@ -104,7 +104,7 @@ If you are root you can **modify** the **mongodb.conf** file so no credentials a
 
 ## MongoBleed zlib Memory Disclosure (CVE-2025-14847)
 
-A widespread unauthenticated memory disclosure ("MongoBleed") impacts MongoDB 3.6–8.2 whenever the **zlib network compressor is enabled**. During OP\_MSG decompression MongoDB returns the **attacker-controlled allocation length instead of the real uncompressed length**, so the reply contains uninitialized server memory that belongs to other connections, `/proc` files, or the WiredTiger cache.
+A widespread unauthenticated memory disclosure ("MongoBleed") impacts MongoDB 3.6–8.2 when the **zlib network compressor is enabled**. The `OP_COMPRESSED` header trusts an attacker-supplied `uncompressedSize`, so the server allocates a buffer of that size and copies it back into responses even though only a much smaller compressed payload was provided. The extra bytes are **uninitialized heap data** from other connections, `/proc`, or the WiredTiger cache. Attackers then omit the expected **BSON `\x00` terminator** so MongoDB’s parser keeps scanning that oversized buffer until it finds a terminator, and the error response echoes both the malicious document and the scanned heap bytes **pre-auth** on TCP/27017.
 
 ### Exposure requirements & quick checks
 
@@ -119,28 +119,52 @@ db.adminCommand({getParameter: 1, networkMessageCompressors: 1})
 
 ### Exploitation & harvesting workflow
 
-1. Initiate the wire-protocol handshake while advertising `compressors:["zlib"]` and force the session to use zlib.
-2. Send crafted compressed OP\_MSG frames whose declared `uncompressedSize` is much larger than the real payload so MongoDB allocates a huge buffer.
-3. Because MongoDB copies the entire buffer length into the reply, the BSON parser treats **garbage field names** as valid data until it hits a `\x00`, leaking chunks of process memory on every response.
-4. Vary the claimed document length/offset to walk process memory and aggregate leaks.
+1. Initiate the wire-protocol handshake advertising `compressors:["zlib"]` so the session uses zlib.
+2. Send `OP_COMPRESSED` frames whose declared `uncompressedSize` is far larger than the real decompressed payload to force **oversized heap allocation full of old data**.
+3. Craft the embedded BSON **without a final `\x00`** so the parser walks past attacker-controlled data into the oversized buffer while looking for a terminator.
+4. MongoDB emits an error that includes the original message plus whatever heap bytes were scanned, leaking memory. Repeat with varying lengths/offsets to aggregate secrets (creds/API keys/session tokens), WiredTiger stats, and `/proc` artifacts.
 
 The public PoC automates the probing offsets and carving of the returned fragments:
 
 ```bash
 python3 mongobleed.py --host <target> --max-offset 50000 --output leaks.bin
 ```
 
-Running wider offset ranges consistently yields:
-
-- MongoDB internal logs, connection UUIDs, client IPs and WireTiger stats.
-- `/proc` artifacts such as `meminfo`, socket statistics or container paths helpful for container escape or lateral movement.
-- Secrets that happen to be resident in memory (database creds, API tokens, cloud keys, session cookies, etc.).
+### Detection noise signal (high-rate connections)
+
+The attack usually generates many short-lived requests. Watch for spikes of inbound connections to `mongod`/`mongod.exe`. Example XQL hunt (>500 connections/min per remote IP, excluding RFC1918/loopback/link-local/mcast/broadcast/reserved ranges by default):
+
+<details>
+<summary>Cortex XQL high-velocity Mongo connections</summary>
+
+```sql
+// High-velocity inbound connections to mongod/mongod.exe (possible MongoBleed probing)
+
+dataset = xdr_data
+| filter event_type = ENUM.NETWORK
+| filter lowercase(actor_process_image_name) in ("mongod", "mongod.exe")
+| filter action_network_is_server = true
+| filter action_remote_ip not in (null, "")
+| filter incidr(action_remote_ip, "10.0.0.0/8") != true and
+        incidr(action_remote_ip, "192.168.0.0/16") != true and
+        incidr(action_remote_ip, "172.16.0.0/12") != true and
+        incidr(action_remote_ip, "127.0.0.0/8") != true and
+        incidr(action_remote_ip, "169.254.0.0/16") != true and
+        incidr(action_remote_ip, "224.0.0.0/4") != true and
+        incidr(action_remote_ip, "255.255.255.255/32") != true and
+        incidr(action_remote_ip, "198.18.0.0/15") != true
+| filter action_network_session_duration <= 5000
+| bin _time span = 1m
+| comp count(_time) as Counter by agent_hostname, action_remote_ip, _time
+| filter Counter >= 500
+```
 
-At scale, attackers first fingerprint `mongod` instances (e.g., Censys saw >87k exposed services), confirm the version/compressor, then loop the above sequence to build a searchable dump of leaked strings for follow-on compromise.
+</details>
 
 
 ## References
 
+- [Unit 42 – Threat Brief: MongoDB Vulnerability (CVE-2025-14847)](https://unit42.paloaltonetworks.com/mongobleed-cve-2025-14847/)
 - [Tenable – CVE-2025-14847 (MongoBleed): MongoDB Memory Leak Vulnerability Exploited in the Wild](https://www.tenable.com/blog/cve-2025-14847-mongobleed-mongodb-memory-leak-vulnerability-exploited-in-the-wild)
 - [MongoDB Security Advisory SERVER-115508](https://jira.mongodb.org/browse/SERVER-115508)
 - [Censys – MongoBleed Advisory](https://censys.com/advisory/cve-2025-14847)