
Privilege escalation via LOAD

From: John Heasman <john(at)ngssoftware(dot)com>
To: pgsql-bugs(at)postgresql(dot)org
Cc: dl-advisories(at)ngssoftware(dot)com
Subject: Privilege escalation via LOAD
Date: 2005-01-21 19:08:44
Message-ID: Pine.WNT.4.61.0501211049190.1264@j2
Lists: pgsql-bugs
Hi guys,

It appears that low-privileged users can invoke the LOAD extension to load 
arbitrary libraries into the postgres process space.  On Windows systems 
this is achieved by calling LoadLibrary 
(src/backend/port/dynloader/win32.c).  The effect of this is that DllMain 
will be executed.  Since LOAD takes an absolute path, UNC paths may be 
used on Windows, thus a low-privileged database user can load an arbitrary 
library from an anonymous share they have set up, escalating to the 
privileges of the database user. I am still investigating the impact on 



(this vulnerability was born out of a discussion on #postgresql 
between myself, lurka and dennisb).
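
The following is an added example, not part of the original message and not PostgreSQL source code. It sketches one defensive check for the condition reported above: refusing library paths that name a network (UNC) location or that fall outside a single permitted directory. The function name load_path_allowed and the directory C:\pgsql\lib used with it are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper for illustration; not PostgreSQL source. */
static int is_sep(char c) { return c == '/' || c == '\\'; }

/* UNC and device paths (\\server\share, //server/share, \\?\UNC\...)
 * all begin with two separators; such a library would be fetched remotely. */
static int is_network_path(const char *p)
{
    return is_sep(p[0]) && is_sep(p[1]);
}

/* True if any path component is exactly "..". */
static int has_dotdot(const char *p)
{
    while (*p) {
        const char *end = p;
        while (*end && !is_sep(*end)) end++;
        if (end - p == 2 && p[0] == '.' && p[1] == '.') return 1;
        p = *end ? end + 1 : end;
    }
    return 0;
}

/* Returns 1 only if path names a file strictly below allowed_dir.
 * Comparison ignores case and treats '/' and '\\' alike, as Windows does. */
int load_path_allowed(const char *path, const char *allowed_dir)
{
    size_t i, n = strlen(allowed_dir);

    if (path == NULL || is_network_path(path) || has_dotdot(path))
        return 0;
    while (n > 0 && is_sep(allowed_dir[n - 1])) n--;  /* drop trailing separator */
    for (i = 0; i < n; i++) {
        char a = path[i], b = allowed_dir[i];
        if (a == '\0') return 0;                      /* path shorter than prefix */
        if (is_sep(a) != is_sep(b)) return 0;
        if (!is_sep(a) && tolower((unsigned char)a) != tolower((unsigned char)b))
            return 0;
    }
    return is_sep(path[n]) && path[n + 1] != '\0';    /* prefix ends on a boundary */
}
```

A prefix check of this kind also rejects mapped network drives, since only the one configured directory is accepted.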

