Privilege escalation via LOAD

From: John Heasman <john(at)ngssoftware(dot)com>
To: pgsql-bugs(at)postgresql(dot)org
Cc: dl-advisories(at)ngssoftware(dot)com
Subject: Privilege escalation via LOAD
Date: 2005-01-21 19:08:44
Message-ID: Pine.WNT.4.61.0501211049190.1264@j2
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-bugs

Hi guys,

It appears that low privileged users can invoke the LOAD extension to load
arbitrary libraries into the postgres process space. On Windows systems
this is achieved by calling LoadLibrary
(src/backend/port/dynloader/win32.c). The effect of this is that DllMain
will be executed. Since LOAD takes an absolute path, UNC paths may be
used on Windows, thus a low privileged database user can load an arbitrary
library from an anonymous share they have set up, escalating to the
privileges of the database user. I am still investigating the impact on



(this vulnerability was born out of a discussion on #postgresql
between myself, lurka and dennisb).


Browse pgsql-bugs by date

  From Date Subject
Next Message Devrim GUNDUZ 2005-01-21 23:10:43 Re: BUG #1431: SRPMS fail to compile due to krb5.h
Previous Message Werner Bohl 2005-01-21 17:57:58 BUG #1431: SRPMS fail to compile due to krb5.h