Re: CVE-2019-9193 about COPY FROM/TO PROGRAM

Hi

On 2019-04-04 21:50:41 +0200, Magnus Hagander wrote:
> On Thu, Apr 4, 2019 at 9:45 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> > Jeremy Schneider <schnjere(at)amazon(dot)com> writes:
> > > I'm all for having clear documentation about the security model in
> > > PostgreSQL, but I personally wouldn't be in favor of adding extra
> > > wording to the docs just to pacify concerns about a CVE which may have
> > > been erroneously granted by an assigning authority, who possibly should
> > > have done better due diligence reviewing the content. Particularly if
> > > there's any possibility that the decision to assign the number can be
> > > appealed/changed, though admittedly I know very little about the CVE
> > > process.
> >
> > Just FYI, we have filed a dispute with Mitre about the CVE, and also
> > reached out to trustwave to try to find out why they filed the CVE
> > despite the earlier private discussion.
> >
>
> The original author has also pretty much acknowledged in comments on his
> blog and on twitter that it's not actually a vulnerability. (He doesn't
> agree with the design decision, which is apparently enough for a high
> scoring CVE registration).

Btw, the xp_cmdshell thing the author references several times?
It can be enabled via tsql if you have a privileged account.

https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-2017

and it allows to execute shell code (as a specified user) even when not
a sysadmin:
https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017#xp_cmdshell-proxy-account

Greetings,

Andres Freund