Please explain how this recent Cockpit CMS exploit works, specifically using the $func operator of the MongoLite library, in more detail. How does it exactly make the PHP code behave?

As I understand it, the PHP code uses MongoLite to connect to MongoDB, and the vulnerability is the PHP code allowing an array to be provided in JSON/BSON rather than a string.

The array uses $func to call var_dump, and dumps the variable 'user' to expose all user data in the database.

  • Isn't Mongolite an R library?
  • How does var_dump know to read the user variable? How does that look in terms of the process in the PHP code and access to the database? After compromising the machine, it seems to even use an SQLite3 db.
  • NoSQLi is read-only after MongoDB version 2.4?

On a related note, could you point me to an example and resource about abusing PHP’s built-in associative array processing?

1 Answer

I'll try to answer your multiple questions, one at a time.

  1. There may be many projects with the same name; this one uses this PHP library: https://github.com/agentejo/mongo-lite

  2. The affected code (per the linked article) invokes any callable PHP function: https://github.com/agentejo/cockpit/blob/0.11.1/lib/MongoLite/Database.php#L434

    private static function evaluate($func, $a, $b) {
    ...
    <snip>
    ...
            case '$func' :
            case '$fn' :
            case '$f' :
                if (! \is_callable($b))
                    throw new \InvalidArgumentException('Function should be callable');
                $r = $b($a);
                break;

Where $b is the value of the $func key, and I assume $a is the object we reference (user, based on the JSON in the POST request).

  3. ??? The library claims: "Schemaless database on top of SqLite"

Because the PHP library invokes any callable function, if you could find a way to control the parameter passed into the function you could reliably call shell_exec($a); to run commands, instead of doing a var_dump of password reset tokens, using that value to reset a user's password and logging on with the new password. There may not be a good way to control the argument, though, so I'll leave that investigation up to someone else.

wireghoul
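To make the call path in the answer concrete, here is an added example (not code from Cockpit or agentejo/mongo-lite) that reproduces the $func / $fn / $f branch of evaluate() inside a stripped-down criteria matcher, then shows the same JSON against a hardened variant. Only the switch mirrors the quoted snippet; matchDocument(), the sample user record and the "field value is what gets passed as $a" wiring are assumptions made for illustration, and the Closure-only check is my suggestion rather than the project's actual fix.

```php
<?php
// Added example, not code from Cockpit or agentejo/mongo-lite.
// evaluateVulnerable() mirrors the quoted switch; matchDocument() is an
// ASSUMED, simplified version of how a JSON filter is applied per record.
declare(strict_types=1);

// Vulnerable pattern: any value that satisfies is_callable() is invoked with
// the matched field as its single argument. A JSON string such as "var_dump"
// or "shell_exec" passes that check.
function evaluateVulnerable(string $op, $a, $b): bool
{
    switch ($op) {
        case '$eq':
            return $a == $b;
        case '$func':
        case '$fn':
        case '$f':
            if (!\is_callable($b)) {
                throw new \InvalidArgumentException('Function should be callable');
            }
            $r = $b($a);        // the attacker-chosen function runs here
            return (bool) $r;   // var_dump() returns NULL, so this row will not "match",
                                // but the dump has already been written to the response
        default:
            throw new \InvalidArgumentException("Unknown operator $op");
    }
}

// Hardened variant (my suggestion, not the project's fix): callable operators
// are honoured only for real Closure objects built by application code.
// json_decode() can never produce a Closure, so request bodies cannot reach
// the call, while the operator set stays closed (unknown $-keys throw).
function evaluateHardened(string $op, $a, $b): bool
{
    switch ($op) {
        case '$eq':
            return $a == $b;
        case '$func':
        case '$fn':
        case '$f':
            if (!($b instanceof \Closure)) {
                throw new \InvalidArgumentException('Only Closure callbacks are accepted');
            }
            return (bool) $b($a);
        default:
            throw new \InvalidArgumentException("Unknown operator $op");
    }
}

// Assumed criteria walker: {"field": {"$op": value}} becomes
// evaluate($op, $doc["field"], value); a bare scalar means equality.
function matchDocument(array $doc, array $criteria, callable $evaluate): bool
{
    foreach ($criteria as $field => $cond) {
        $value = $doc[$field] ?? null;
        if (\is_array($cond)) {
            foreach ($cond as $op => $arg) {
                if (!$evaluate((string) $op, $value, $arg)) {
                    return false;
                }
            }
        } elseif ($value != $cond) {
            return false;
        }
    }
    return true;
}

// Constructed sample record (not real data).
$users = [
    ['user' => 'alice', '_reset_token' => 'tok-example-0001'],
];

// Attacker-controlled body: the endpoint expects a string for "user", but an
// object carrying $func is supplied instead. With json_decode(..., true) that
// object arrives as an array, exactly what the operator switch consumes.
$body     = '{"user": {"$func": "var_dump"}}';
$criteria = json_decode($body, true, 512, JSON_THROW_ON_ERROR);

foreach ($users as $doc) {
    // Vulnerable path: var_dump('alice') executes and its output leaks.
    // Pointing the same operator at "_reset_token" would dump the token.
    $matched = matchDocument($doc, $criteria, 'evaluateVulnerable');
    echo 'vulnerable matched: ', var_export($matched, true), PHP_EOL;

    // Hardened path: the string "var_dump" is rejected before any call.
    try {
        matchDocument($doc, $criteria, 'evaluateHardened');
    } catch (\InvalidArgumentException $e) {
        echo 'hardened: ', $e->getMessage(), PHP_EOL;
    }
}
```

Run it with `php example.php`: the vulnerable branch prints `string(5) "alice"` from var_dump before reporting no match, while the hardened branch throws without calling anything. The example also makes the answer's last point visible: the argument to the callable is whatever the matcher hands over (here, the stored field value), so a name like shell_exec passes is_callable() but only runs the string already in the record, which is why controlling that argument is the open question.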