Обсуждение: BUG #16448: Remote code execution vulnerability
The following bug has been logged on the website: Bug reference: 16448 Logged by: yi Ding Email address: abcxiaod@126.com PostgreSQL version: 10.12 Operating system: linux Description: A common user created a function in the public space and added some malicious codes in the function, when other users with superuser rights call this function, the malicious code will be executed , so as to achieve the purpose of remote malicious code execution. First, Non-superuser lh defines a function named upper, which contains the statement to modify user permissions. SQL: CREATE TABLE public.testlh AS SELECT ‘lh’::varchar AS contents; CREATE FUNCTION public.upper(varchar) RETURNS TEXT AS $$ ALTER ROLE lh SUPERUSER; SELECT pg_catalog.upper($1); $$ LANGUAGE SQL VOLATILE; Second, Superuser pg01 will execute the above statement after calling the upper function, whice will change user lh to a super user.
On 18/05/2020 12:14, PG Bug reporting form wrote: > The following bug has been logged on the website: > > Bug reference: 16448 > Logged by: yi Ding > Email address: abcxiaod@126.com > PostgreSQL version: 10.12 > Operating system: linux > Description: > > A common user created a function in the public space and added some > malicious codes in the function, when other users with superuser rights call > this function, the malicious code will be executed , so as to achieve the > purpose of remote malicious code execution. > > First, Non-superuser lh defines a function named upper, which contains > the statement to modify user permissions. > SQL: > CREATE TABLE public.testlh AS SELECT ‘lh’::varchar AS contents; > CREATE FUNCTION public.upper(varchar) RETURNS TEXT AS $$ > ALTER ROLE lh SUPERUSER; > SELECT pg_catalog.upper($1); > $$ LANGUAGE SQL VOLATILE; > > Second, Superuser pg01 will execute the above statement after calling the > upper function, whice will change user lh to a super user. See https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058%3A_Protect_Your_Search_Path - Heikki
On Mon, May 18, 2020 at 2:41 AM PG Bug reporting form <noreply@postgresql.org> wrote:
The following bug has been logged on the website:
Bug reference: 16448
Logged by: yi Ding
Email address: abcxiaod@126.com
PostgreSQL version: 10.12
Operating system: linux
Description:
A common user created a function in the public space and added some
malicious codes in the function, when other users with superuser rights call
this function, the malicious code will be executed , so as to achieve the
purpose of remote malicious code execution.
The project respectfully requests that security related concerns be reported to the security list as opposed to the public bug report listing.
David J.