| From: | John Heasman <john(at)ngssoftware(dot)com> | 
|---|---|
| To: | pgsql-bugs(at)postgresql(dot)org | 
| Cc: | dl-advisories(at)ngssoftware(dot)com | 
| Subject: | Privilege escalation via LOAD | 
| Date: | 2005-01-21 19:08:44 | 
| Message-ID: | Pine.WNT.4.61.0501211049190.1264@j2 | 
| Lists: | pgsql-bugs | 

Hi guys,

It appears that low privileged users can invoke the LOAD extension to load
arbitrary libraries into the postgres process space.  On Windows systems
this is achieved by calling LoadLibrary
(src/backend/port/dynloader/win32.c).  The effect of this is that DllMain
will be executed.  Since LOAD takes an absolute path, UNC paths may be
used on Windows, thus a low privileged database user can load an arbitrary
library from an anonymous share they have set up, escalating to the
privileges of the database user. I am still investigating the impact on
Unix.

Cheers

John

(this vulnerability was born out of a discussion on #postgresql
between myself, lurka and dennisb).
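
The report above turns on two things: the path handed to LoadLibrary is not restricted, and DllMain runs as soon as the library is mapped. The following is an added example, not part of the original message and not PostgreSQL's code or its fix: a pre-load policy check that recognises the UNC forms and confines unprivileged callers to one directory. The function names and the `trusted_dir` parameter are assumptions made for illustration.

```c
/* Added illustration, not PostgreSQL source; all names here are hypothetical. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

static bool is_sep(char c) { return c == '\\' || c == '/'; }

/* Case-insensitive prefix match; '/' and '\' count as the same separator. */
static bool has_prefix(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (is_sep(*prefix) ? !is_sep(*s)
            : tolower((unsigned char) *s) != tolower((unsigned char) *prefix))
            return false;
    return true;
}

/* True for \\server\share, //server/share and \\?\UNC\server\share. */
bool is_unc_path(const char *p)
{
    if (!is_sep(p[0]) || !is_sep(p[1]))
        return false;
    if ((p[2] == '?' || p[2] == '.') && is_sep(p[3]))
        return has_prefix(p + 4, "UNC\\");  /* else a local device path */
    return p[2] != '\0';
}

/* True if any component is "..", which could climb out of trusted_dir. */
static bool has_dotdot(const char *p)
{
    while (*p) {
        size_t n = strcspn(p, "\\/");
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return true;
        p += n + (p[n] != '\0');
    }
    return false;
}

/* Run BEFORE calling the loader: once LoadLibrary has mapped the file,
 * its DllMain has already executed. trusted_dir has no trailing separator. */
bool library_load_allowed(const char *path, bool superuser, const char *trusted_dir)
{
    if (superuser)
        return true;
    if (is_unc_path(path) || has_dotdot(path))
        return false;
    return has_prefix(path, trusted_dir) && is_sep(path[strlen(trusted_dir)]);
}
```

The comparison is lexical, so it does not resolve junctions, symlinks or drive letters mapped to a share; canonicalize the path first if those are in scope.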