Re: bugtraq post

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 6/17/07, Ray Stell <stellr@xxxxxxxxxx> wrote:


For the security minded:

Nico Leidecker <nicoLeidecker@xxxxxx> posted this to bugtraq yesterday, fyi.

"I'd like to present a paper about security issues with PostgreSQL. The paper describes weaknesses in the configuration that may
+allow attackers to escalade privileges, execute shell commands and to upload arbitrary (binary) files via SQL injections.

You can either get the TXT version from http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt
Or as PDF at at http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf

The paper comes with a tool called `pgshell' that can be downloaded at http://www.leidecker.info/pgshell";


Interesting, though it seems its nothing really special. Basically, if you are
a superuser you can do pretty much everything you want.  After all PostgreSQL
is about flexibility.


 The  default  PostgreSQL  configuration from the sources has local trust au-
 thentication enabled. Any connection made from the local host to  the  data-
 base  will  be  accepted and the user directly logged in without the need to
 supply a password. It is hard to understand, why such a feature is  part  ofd
 the  default  configuration  and  yet, the warning in the corresponding file
 ('pg_hba.conf') is unmistakable:


All "default" instalations I've used had "ident sameuser" as default auth method
for postmaster.  Anyhow, one can say Oracle has similar problem, where user
can with help of DBMS_TCP shutdown listener, for example.

And dblink is not installed by default, so DBA should be careful for whom and
how he makes it available (security definer function? View? I guess normal
user should never ever be able to call it directly).

And of course, if user has a superuser privilege, he can do about anything he
wants.  No surprise here, though I enjoyed the equillibristics with
open/writle/close,
when one could put a shell script into temp table, COPY it somewhere and
then system("...") it. ;-)

Anyhow it's good to know that most vulnerabilities in PostgreSQL require
superuser privilege. :-)

  Regards,
    Dawid
[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux