Re: Privilege escalation via LOAD - Mailing list pgsql-bugs

From: David Litchfield
Subject: Re: Privilege escalation via LOAD
Date:
Msg-id: 008701c4ffb9$d8b96d80$2100a8c0@SIRIUS
In response to: Privilege escalation via LOAD (John Heasman <john@ngssoftware.com>)
Responses: Re: Privilege escalation via LOAD
List: pgsql-bugs
John,

_init() is the equivalent of DllMain on Linux/etc; in fact the other
database server I was looking at is vulnerable to this exact problem. If
PostgreSQL accepts CLOB/BLOB input from a client to a table and then can
dump to disk, you might be able to achieve it that way - which is how I did
it on the other RDBMS.

Cheers,
David

----- Original Message -----
From: "John Heasman" <john@ngssoftware.com>
To: <pgsql-bugs@postgresql.org>
Cc: <dl-advisories@ngssoftware.com>
Sent: Friday, January 21, 2005 7:08 PM
Subject: Privilege escalation via LOAD


> Hi guys,
>
> It appears that low privileged users can invoke the LOAD extension to load
> arbitrary libraries into the postgres process space.  On Windows systems
> this is achieved by calling LoadLibrary
> (src/backend/port/dynloader/win32.c).  The effect of this is that DllMain
> will be executed.  Since LOAD takes an absolute path, UNC paths may be
> used on Windows, thus a low privileged database user can load an arbitrary
> library from an anonymous share they have set up, escalating to the
> privileges of the database user. I am still investigating the impact on
> Unix.
>
> Cheers
>
> John
>
> (this vulnerability was born out of a discussion on #postgresql between
> myself, lurka and dennisb).
>
>
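A defender-side check suggested by the report above, added here as an example and not code from either poster: scan PostgreSQL statement logs for LOAD statements whose library comes from a UNC path (the case John describes), from an absolute path outside the server's own library directory, or through a `..` component. It assumes `log_statement` is set so that statements are written to the log and a `log_line_prefix` that places `role@database` before `LOG:`; the log lines, role names, share name and trusted directory are all constructed for illustration.

```python
"""Audit PostgreSQL statement logs for LOAD statements that pull a library
from a network share or from outside the server's own library directory.

Added example, not code from the thread. Assumes `log_statement` is set so
that statements are logged, and a `log_line_prefix` that emits
`[pid] role@database` before `LOG:`. All sample lines are constructed.
"""
import re
from pathlib import PurePosixPath, PureWindowsPath

# Where the server's own shared libraries live (constructed value; on a real
# host use the output of `pg_config --pkglibdir`).
TRUSTED_LIBDIR = "/usr/lib/postgresql/lib"

# "LOG:  statement: LOAD 'path'" as written by the statement logger.
LOAD_RE = re.compile(r"statement:\s*LOAD\s+'([^']*)'", re.IGNORECASE)
# role@database as placed by the assumed log_line_prefix.
ROLE_RE = re.compile(r"\]\s+(\S+)@\S+\s+LOG:")

# Constructed sample log lines, modelled on the scenario in the report.
LOG_LINES = [
    "2005-01-21 19:08:00 UTC [1234] app@sales LOG:  statement: LOAD '$libdir/plpgsql'",
    "2005-01-21 19:08:05 UTC [1235] app@sales LOG:  statement: "
    "LOAD '\\\\fileserver01\\public\\helper.dll'",
    "2005-01-21 19:08:09 UTC [1236] app@sales LOG:  statement: SELECT count(*) FROM orders",
    "2005-01-21 19:08:12 UTC [1237] app@sales LOG:  statement: LOAD '/tmp/untrusted.so'",
    "2005-01-21 19:08:15 UTC [1238] postgres@postgres LOG:  statement: "
    "LOAD '/usr/lib/postgresql/lib/pg_stat_statements.so'",
]


def classify_load_path(path):
    """Return a reason string if `path` should be flagged, otherwise None.

    UNC paths are the case the report describes: the server fetches the file
    from a share the client controls and runs its DllMain. Absolute paths
    outside the trusted directory and any '..' component are flagged too;
    '$libdir' names and bare names are left to the server's own search path.
    """
    if path.startswith("\\\\") or path.startswith("//"):
        return "UNC path: library would be fetched from a network share"
    if path.startswith("$libdir"):
        return None
    posix = PurePosixPath(path)
    # relative_to() does not normalise '..', so check for it explicitly.
    if ".." in posix.parts or ".." in PureWindowsPath(path).parts:
        return "parent-directory component in library path"
    if posix.is_absolute():
        try:
            posix.relative_to(TRUSTED_LIBDIR)
            return None
        except ValueError:
            return f"absolute path outside {TRUSTED_LIBDIR}"
    if PureWindowsPath(path).is_absolute():  # e.g. C:\...
        return "absolute Windows path outside the server's library directory"
    return None  # bare name, resolved via dynamic_library_path


def audit_log(lines):
    """Return (role, path, reason) for each suspicious LOAD in `lines`."""
    findings = []
    for line in lines:
        m = LOAD_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        reason = classify_load_path(path)
        if reason is None:
            continue
        role_m = ROLE_RE.search(line)
        role = role_m.group(1) if role_m else "<unknown>"
        findings.append((role, path, reason))
    return findings


if __name__ == "__main__":
    for role, path, reason in audit_log(LOG_LINES):
        print(f"{role}: LOAD {path!r} -> {reason}")
```

On the constructed input the audit flags the UNC load and the load from /tmp and passes the `$libdir` name and the library under the trusted directory. Current PostgreSQL releases restrict non-superusers to libraries under `$libdir/plugins`, so on a patched server a flagged LOAD from an application role is itself an anomaly worth investigating rather than a working escalation.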
