Skip site navigation (1) Skip section navigation (2)

Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL

From: Sir Mordred The Traitor <mordred(at)s-mail(dot)com>
To: tgl(at)sss(dot)pgh(dot)pa(dot)us
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL
Date: 2002-08-26 15:25:18
Message-ID: 3d6a485e.d7ababb1@s-mail.com (view raw or flat)
Thread:
Lists: pgsql-hackers
The point is really simple.
Allocate a huge chunk of memory (no sense to cause out of memory error,
as palloc will bail is a requested size > 1 gb). The postgres will be ready
to suck your input,
via pg_getbytes(), now in a loop send junk to postgresql.
Of course you can fork a number of processes to improve your effect.
The issues is that postgres allocate a chunk of memory and reads data,
using an
user's input, which has not completed authentication.
This is badly anyway.
Of course i tried, and wrote proggy for that, 
but i can repeat, i dont want to provide it here.


>Sir Mordred The Traitor <mordred(at)s-mail(dot)com> writes:
>> Note, that the size of palloced memory is taken from the user's input,
>> which is stupid if you ask me.
>
>Beyond causing an "out of memory" error during the handshake, I fail to
>see how there can be any problem.  palloc is considerably more robust
>than malloc.
>
>> I dont want to provide any tools to illustrate this vulnerability.
>
>Perhaps you haven't tried.
>
>It may indeed make sense to put a range check here, but I'm getting
>tired of hearing the words "dos attack" applied to conditions that
>cannot be exploited to cause any real problem.  All you are
>accomplishing is to spread FUD among people who aren't sufficiently
>familiar with the code to evaluate the seriousness of problems...
>
>			regards, tom lane
>
>---------------------------(end of broadcast)---------------------------
>TIP 2: you can get off all lists at once with the unregister command
>    (send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)
>
>


________________________________________________________________________
This letter has been delivered unencrypted. We'd like to remind you that
the full protection of e-mail correspondence is provided by S-mail
encryption mechanisms if only both, Sender and Recipient use S-mail.
Register at S-mail.com: http://www.s-mail.com/inf/en

pgsql-hackers by date

Next:From: Þórhallur HálfdánarsonDate: 2002-08-26 15:27:57
Subject: Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL
Previous:From: Lamar OwenDate: 2002-08-26 15:18:48
Subject: Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group