Re: [HACKERS] Hacker found bug in Postgres ?

From: "Cary O'Brien" <cobrien(at)Radix(dot)Net>
To: pgsql-hackers(at)hub(dot)org
Subject: Re: [HACKERS] Hacker found bug in Postgres ?
Date: 1999-04-28 13:04:14
Message-ID: 199904281304.JAA16421@saltmine.radix.net
Lists: pgsql-hackers

Matthias Schmitt wrote...

> Hello,
>
> this night we discovered here a strange behaviour on our servers. Somebody
> managed to get access to the UNIX shell using the 'postgres' db
> administrator account. He logged in some machines with a single try ! The
> password was not part of any dictionary. He tried some other accounts,
> without success. Under the user postgres he installed an 'eggdrop' program
> on the machine, implementing an IRC server.

Yikes. Scary.

The first thing that comes to my mind is a buffer overrun
in the FE/BE protocol.

The second thing that comes to mind is sniffed passwords.

Lots of questions come up:

1) Is your postmaster listening on a TCP/IP socket? i.e. do you have -i
as an argument to postmaster when it is running?

2) Have you had any postmaster crashes? Has anyone out there had
any unexpected postmaster crashes? I'd expect if someone has an
exploit for such a bug that it would not always work due to
differences in compilation, probably resulting in a postmaster
crash.

3) Do you do admin work over the net, i.e. from a client machine on
another machine? Would the password go over the wire then? I'm not
really sure.

4) Do you have a separate account for postmaster, or does it run as 'daemon'
(I think this is the default for the pgsql distributed by RedHat). If
so the compromise may have come from a different service.

5) How secure is your LAN?

For now, I'd suggest that people turn off TCP/IP connections unless they
really need it (remove -i). Beyond that they may want to filter port
5432/tcp at a nearby router/firewall. But it is not 100% clear this is
what happened.

Interestinger and interestinger....

-- cary
Cary O'Brien
cobrien(at)radix(dot)net
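A defender's triage script for the five questions in the reply above (is -i set, any crashes, which account the postmaster runs as) and for the two suggested mitigations. This is an added example, not code from the thread or from the PostgreSQL project. Every check takes its input as an argument so it can be fed live `ps`/`netstat` output or, as here, constructed samples; the log patterns, the `ps`/`netstat` column layouts and the sample data are all assumptions and should be adapted to the host being examined.

```shell
#!/bin/sh
# Added triage helper; not from the original thread or from PostgreSQL.
# Inputs are passed as arguments so the checks run offline on constructed data.

# Q1: was the postmaster started with -i (accepting TCP/IP connections)?
#     $1 is one command line as printed by `ps -o args=`.
postmaster_listens_tcp() {
    case " $1 " in
        *" -i "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Q1 cross-check: does a netstat-style listing show 5432/tcp in LISTEN state?
#     $1 is the whole listing, one socket per line (layout is an assumption).
port_5432_listening() {
    printf '%s\n' "$1" | grep -E '[.:]5432[[:space:]].*LISTEN' >/dev/null
}

# Q2: count crash-looking lines in a postmaster/syslog sample.
#     The patterns are an assumption about what a crash leaves behind.
count_crash_lines() {
    printf '%s\n' "$1" | grep -c -E 'terminated by signal|Segmentation fault|core dumped' || true
}

# Q4: which account does the postmaster run as?
#     $1 is `ps -eo user,args` style output (user in column 1, program in column 2).
postmaster_user() {
    printf '%s\n' "$1" | awk '$2 ~ /postmaster$/ { print $1; exit }'
}

# Summarise the findings. Returns 0 when nothing stands out, 1 otherwise.
#     $1 postmaster args, $2 netstat listing, $3 log text, $4 user/args listing.
triage() {
    findings=0
    if postmaster_listens_tcp "$1"; then
        echo "FINDING: postmaster started with -i; remove it unless TCP clients are required"
        findings=1
    fi
    if port_5432_listening "$2"; then
        echo "FINDING: 5432/tcp is listening; filter it at a nearby router/firewall"
        findings=1
    fi
    n=$(count_crash_lines "$3")
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n crash-like log lines; failed exploit attempts often show up this way"
        findings=1
    fi
    u=$(postmaster_user "$4")
    if [ "$u" != "postgres" ]; then
        echo "FINDING: postmaster runs as '${u:-unknown}', not a dedicated postgres account"
        findings=1
    fi
    return "$findings"
}

# Constructed sample data standing in for live ps/netstat/log output.
SAMPLE_ARGS='/usr/local/pgsql/bin/postmaster -i -D /usr/local/pgsql/data'
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'
SAMPLE_LOG='Apr 28 02:13:07 db1 postmaster: server process (pid 4412) terminated by signal 11
Apr 28 02:13:09 db1 postmaster: reinitializing shared memory and semaphores
Apr 28 02:14:51 db1 postmaster: server process (pid 4430) terminated by signal 11'
SAMPLE_PS='USER     COMMAND
daemon   /usr/local/pgsql/bin/postmaster -i -D /usr/local/pgsql/data'

if triage "$SAMPLE_ARGS" "$SAMPLE_NETSTAT" "$SAMPLE_LOG" "$SAMPLE_PS"; then
    echo "triage: nothing suspicious in the samples"
else
    echo "triage: findings present; review the lines above"
fi
```

On a live host, replace the samples with `ps -o args= -C postmaster`, `netstat -an`, the postmaster log and `ps -eo user,args`; the functions themselves do not change.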
