Production Mongo Express Takeover of a Major France Based Telecom provider
The quickest and easiest win so far
Orange S.A., formerly France Télécom S.A.
I always enjoyed hacking telecommunication carrier providers, but it had been a while since I did that, and hence one day choose to target Orange S.A considering they have more than 260 million customers, 1,40,000+ employees, and a long history of getting breached already. So as usual while reconning through large chunks of data in WisQuas, @D0rkerDevil and myself stumbled upon several unique hosts and IP addresses. All these are owned by Orange S.A. with their scope being as massive as Apple.
For the past several months, I have been very much including WisQuas in my recon methodology along with several other frameworks.
One thing to take note of is WisQuas will gather all the ASN info of a target, pull all subdomains, IP addresses, status codes, headers, and such relevant information in one single report format that makes our tasks much simpler and faster.
Now, one such unique address that we encountered in the IP ADDRESSES column was 220.127.116.11. We randomly choose this and quickly ran a full port scan on it. (Since Orange has numerous subdomains and our VPS was not running the way we wanted, so unfortunately we couldn’t scan their whole infra due to some trouble).
The IP address was pointing to the following host:-
The Nmap flagged several open ports but port 8081 specifically caught our interest that was running Node.js Mongo Express service on the box.
About Mongo Express:
“Mongo Express is a lightweight web-based administrative interface deployed to manage MongoDB databases interactively. It is authored using Node.js, Express, and Bootstrap packages.”
You can read about it more here.
First, hitting this URL in the web browser displayed this Nginx banner page…
Next, we append the exposed port 8081 to the given IP and surprisingly got unauthorized access to the whole instance.
Now we started browsing through every file inside to extract all the necessary information and also tested for view, write and delete access permissions. As expected, we were able to successfully create and write our own database in it called “pentest” with full privileges and without any restrictions.
The admin database, descriptive logs, system users were all accessible at /db/admin, /db/local/startup_log and /db/admin/system.users directories.
Overall, all these would have permitted adversaries to hijack and abuse the functionalities to view/add/create/delete any user databases, collections, documents as well as any important files or drop a stealthy malware or backdoor as a power user.
At this point, we stopped testing everything and immediately reported this to the Orange CERT team.
Once triaged and the report was acknowledged, an instant patch was applied.
Timeline for the report thread
Reported — 08 January 2021
Triaged & Remediated — 28 January 2021
Disclosure approved — 11 February 2021
No bounty or rewards awarded.