Re: PostgreSQL Service on Windows does not start. ~ "is not a valid Win32 application" - Mailing list pgsql-hackers

From Sandeep Thakkar
Subject Re: PostgreSQL Service on Windows does not start. ~ "is not a valid Win32 application"
Date
Msg-id CANFyU94CCb17AryoEBvYfnVDrJ2ZUdWyw-DyEjM2m+6G8M15JA@mail.gmail.com
In response to Re: PostgreSQL Service on Windows does not start. ~ "is not a valid Win32 application"  (Naoya Anzai <anzai-naoya@mxu.nes.nec.co.jp>)
Responses Re: PostgreSQL Service on Windows does not start. ~ "is not a valid Win32 application"  (Naoya Anzai <anzai-naoya@mxu.nes.nec.co.jp>)
List pgsql-hackers
Hi Naoya

I think you should change the subject line to "Unquoted service path containing space is vulnerable and can be exploited on Windows" to get attention. :)

BTW, in your case, the file "Program" should be an exe and not just any other file to exploit this vulnerability. Right?


On Tue, Oct 29, 2013 at 11:34 AM, Naoya Anzai <anzai-naoya@mxu.nes.nec.co.jp> wrote:
Hi, Sandeep

Thanks.

Sorry, there was a mistake in what I said.

I said
>       Not only "pg_ctl.exe" but "postgres.exe" also have the same problem.
but, to say it correctly,

"postgres.exe" does not have the problem.
The only source that contains the problem is "pg_ctl.c".

> So, this is not an installer issue. Is this bug raised to the PostgreSQL community? If yes, you should submit the patch there.
Yes, I had submitted it there already, but nobody has responded to me yet.

http://postgresql.1045698.n5.nabble.com/PostgreSQL-Service-on-Windows-does-not-start-td5774206.html

Regards,
Naoya

> So, this is not an installer issue. Is this bug raised to the PostgreSQL community? If yes, you should submit the patch there.
>
>
> On Tue, Oct 29, 2013 at 6:23 AM, Naoya Anzai <anzai-naoya@mxu.nes.nec.co.jp> wrote:
>
>
>       Hi, Asif
>
>       Thank you for providing my patch (pg_ctl.c.patch) to Sandeep on my behalf.
>
>
>       > Good finding. I have attached another version of the patch (pg_ctl.c_windows_vulnerability.patch) that has fewer lines of code changes; can you please take a look? Thanks.
>
>
>       I think your patch is not sufficient to fix it.
>       Not only "pg_ctl.exe" but "postgres.exe" also have the same problem.
>       Even if your patch is attached,
>       the path of "postgres.exe" passed to CreateRestrictedProcess is not enclosed in quotation marks. (See pgwin32_ServiceMain in pg_ctl.c)
>
>       So, enclosing in quotation marks should be done in both conditions.
>
>
>       Regards,
>       Naoya
>
>       ---
>       Naoya Anzai
>       Engineering Department
>       NEC Soft, Ltd.
>       E-Mail: anzai-naoya@mxu.nes.nec.co.jp
>       ---
>
>
>       > Hi Sandeep,
>       >
>       > PFA Naoya's patch (pg_ctl.c.patch).
>       >
>       > Hi Naoya,
>       >
>       > Good finding. I have attached another version of the patch (pg_ctl.c_windows_vulnerability.patch) that has fewer lines of code changes; can you please take a look? Thanks.
>       >
>       > Best Regards,
>       > Asif Naeem
>       >
>       >
>       > On Mon, Oct 28, 2013 at 4:46 PM, Sandeep Thakkar <sandeep.thakkar@enterprisedb.com> wrote:
>       >
>       >
>       >       Hi Dave
>       >
>       >       We register the service using pg_ctl. When I manually executed the following on the command prompt, I saw that the service path of the registered service did not have the pg_ctl.exe path in quotes. Maybe it should be handled in the pg_ctl code.
>       >
>       >       c:\Users\Sandeep Thakkar\Documents>"c:\Program Files\PostgreSQL\9.3\bin\pg_ctl.exe" register -N "pg-9.3" -U "NT AUTHORITY\NetworkService" -D "c:\Program Files\PostgreSQL\9.3\data" -w
>       >
>       >       Naoya,  I could not find your patch here. Can you please share it again?
>       >
>       >
>       >
>       >       On Mon, Oct 28, 2013 at 2:53 PM, Dave Page <dpage@pgadmin.org> wrote:
>       >
>       >
>       >               Sandeep, can you look at this please? Thanks.
>       >
>       >               On Mon, Oct 28, 2013 at 8:18 AM, Asif Naeem <anaeem.it@gmail.com> wrote:
>       >               > It is related to the Windows unquoted service path vulnerability in the
>       >               > installer, which creates the service path without quotes, making service.exe
>       >               > look for undesirable paths for the executable.
>       >               >
>       >               > postgresql-9.3 service path : C:/Users/asif/Desktop/Program
>       >               > files/9.3/bin/pg_ctl.exe runservice -N "postgresql-9.3" -D
>       >               > "C:/Users/asif/Desktop/Program files/9.3/data" -w
>       >               >
>       >               > service.exe
>       >               >>
>       >               >> C:\Users\asif\Desktop\Program     NAME NOT FOUND
>       >               >> C:\Users\asif\Desktop\Program.exe     NAME NOT FOUND
>       >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe     ACCESS DENIED
>       >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe     ACCESS DENIED
>       >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice     NAME NOT FOUND
>       >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice.exe     NAME NOT FOUND
>       >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N     NAME NOT FOUND
>       >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N.exe     NAME NOT FOUND
>       >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3"     NAME INVALID
>       >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3".exe     NAME INVALID
>       >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D     NAME INVALID
>       >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D.exe     NAME INVALID
>       >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program     NAME INVALID
>       >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program.exe     NAME INVALID
>       >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program files\9.3\data"     NAME INVALID
>       >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program files\9.3\data".exe     NAME INVALID
>       >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program files\9.3\data" -w     NAME INVALID
>       >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program files\9.3\data" -w.exe     NAME INVALID
>       >               >
>       >               >
>       >               > Fix :
>       >               >
>       >               > postgresql-9.3 service path : "C:/Users/asif/Desktop/Program
>       >               > files/9.3/bin/pg_ctl.exe" runservice -N "postgresql-9.3" -D
>       >               > "C:/Users/asif/Desktop/Program files/9.3/data" -w
>       >               >
>       >               > It would be good if this is reported on pg installer forum or security
>       >               > forum. Thanks.
>       >               >
>       >               > Regards,
>       >               > Asif Naeem
>       >               >
>       >               > On Mon, Oct 28, 2013 at 12:06 PM, Naoya Anzai
>       >               > <anzai-naoya@mxu.nes.nec.co.jp> wrote:
>       >               >>
>       >               >> Hi, Asif.
>       >               >>
>       >               >> Thank you for response.
>       >               >>
>       >               >>
>       >               >> >       C:\Users\asif\Desktop\Program files\9.3>"bin\pg_ctl" -D
>       >               >> > "C:\Users\asif\Desktop\Program files\9.3\data1" -l logfile start
>       >               >> >       server starting
>       >               >>
>       >               >> This failure does not occur from the command line.
>       >               >> PostgreSQL needs to be started as a Windows service.
>       >               >>
>       >               >> Additionally, in this case,
>       >               >> a file "Program" needs to exist at "C:\Users\asif\Desktop\", and
>       >               >> "postgres.exe" needs to exist at "C:\Users\asif\Desktop\Program
>       >               >> files\9.3\bin".
>       >               >> ------------
>       >               >> C:\Users\asif\Desktop\Program files\9.3\bin>dir
>       >               >> ...
>       >               >>     4,435,456   postgres.exe
>       >               >>        80,896   pg_ctl.exe
>       >               >> ...
>       >               >>
>       >               >> C:\Users\asif\Desktopp>dir
>       >               >> ...
>       >               >>             0  Program
>       >               >> <DIR>          Program files
>       >               >> ...
>       >               >> ------------
>       >               >>
>       >               >> Regards,
>       >               >> Naoya
>       >               >>
>       >               >> > Hi Naoya,
>       >               >> >
>       >               >> > I am not able to reproduce the problem. Do you mean the pg Windows service
>       >               >> > installed by the installer is not working, or the bin\pg_ctl binary is not accepting
>       >               >> > spaces in the patch? The following worked for me, i.e.
>       >               >> >
>       >               >> >
>       >               >> >       C:\Users\asif\Desktop\Program files\9.3>"bin\pg_ctl" -D
>       >               >> > "C:\Users\asif\Desktop\Program files\9.3\data1" -l logfile start
>       >               >> >       server starting
>       >               >> >
>       >               >> >
>       >               >> > Can you please share the exact steps? Thanks.
>       >               >> >
>       >               >> >
>       >               >> > Regards,
>       >               >> > Muhammad Asif Naeem
>       >               >> >
>       >               >> >
>       >               >> >
>       >               >> > On Mon, Oct 28, 2013 at 10:26 AM, Naoya Anzai
>       >               >> > <anzai-naoya@mxu.nes.nec.co.jp> wrote:
>       >               >> >
>       >               >> >
>       >               >> >       Hi All,
>       >               >> >
>       >               >> >       I have found a case where the PostgreSQL service does not start.
>       >               >> >       When it happens, the following error appears.
>       >               >> >
>       >               >> >        "is not a valid Win32 application"
>       >               >> >
>       >               >> >       This failure occurs when the following conditions are true.
>       >               >> >
>       >               >> >       1. There is "postgres.exe" in any directory that contains a space,
>       >               >> >          such as "Program Files".
>       >               >> >
>       >               >> >          e.g.)
>       >               >> >          C:\Program Files\PostgreSQL\bin\postgres.exe
>       >               >> >
>       >               >> >       2. A file exists whose name is the first whitespace-delimited
>       >               >> >          token of that directory name,
>       >               >> >          and it is in the same hierarchy.
>       >               >> >
>       >               >> >          e.g.)
>       >               >> >          C:\Program     //file
>       >               >> >
>       >               >> >       "pg_ctl.exe", running as the PostgreSQL service, creates a postgres
>       >               >> >       process using an absolute path which indicates the
>       >               >> >       location of "postgres.exe", but the path is not enclosed
>       >               >> >       in quotation marks.
>       >               >> >
>       >               >> >       Therefore, if the above-mentioned conditions are true,
>       >               >> >       CreateProcessAsUser (a Windows function called by pg_ctl.exe)
>       >               >> >       tries to create a process using the other file, such
>       >               >> >       as "Program", so the service fails to start.
>       >               >> >
>       >               >> >       Accordingly, I think that the command path should be
>       >               >> >       enclosed in quotation marks.
>       >               >> >
>       >               >> >       I created a patch to fix this failure,
>       >               >> >       so could anyone confirm?
>       >               >> >
>       >               >> >       Regards,
>       >               >> >
>       >               >> >       Naoya
>       >               >> >
>       >               >> >       ---
>       >               >> >       Naoya Anzai
>       >               >> >       Engineering Department
>       >               >> >       NEC Soft, Ltd.
>       >               >> >       E-Mail: anzai-naoya@mxu.nes.nec.co.jp
>       >               >> >       ---
>       >               >> >
>       >               --
>       >               Dave Page
>       >               Blog: http://pgsnake.blogspot.com
>       >               Twitter: @pgsnake
>       >
>       >               EnterpriseDB UK: http://www.enterprisedb.com
>       >               The Enterprise PostgreSQL Company
>       >
>       >
>       >
>       >
>       >
>       >       --
>       >
>       >       Sandeep Thakkar
>       >       Senior Software Engineer
>       >
>       >
>
>       >       Phone: +91.20.30589505
>
>       >
>       >       Website: www.enterprisedb.com
>       >       EnterpriseDB Blog: http://blogs.enterprisedb.com/
>       >       Follow us on Twitter: http://www.twitter.com/enterprisedb
>       >
>       >
>       >
>       >
>       >
>       >
>
>
>
>
>
>
>
>
> --
>
> Sandeep Thakkar
> Senior Software Engineer
>
> Phone: +91.20.30589505
>
> Website: www.enterprisedb.com
> EnterpriseDB Blog: http://blogs.enterprisedb.com/
> Follow us on Twitter: http://www.twitter.com/enterprisedb
>
>
>

Regards,

Naoya

---
Naoya Anzai
Engineering Department
NEC Soft, Ltd.
E-Mail: anzai-naoya@mxu.nes.nec.co.jp
---






--
Sandeep Thakkar
Senior Software Engineer


Phone: +91.20.30589505

Website: www.enterprisedb.com
EnterpriseDB Blog: http://blogs.enterprisedb.com/
Follow us on Twitter: http://www.twitter.com/enterprisedb
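
The check and the fix discussed in this thread, as an added example that is not part of the original messages or of pg_ctl.c: portable C that lists the space-terminated prefixes of an unquoted service command line (the names that show up ahead of pg_ctl.exe in the trace quoted above) and builds the quoted form proposed as the fix. The function names and the rule of treating the first token ending in ".exe" as the intended binary are assumptions of this example.

```c
/* Added example; helper names are hypothetical, not taken from pg_ctl.c. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAXP 260

/* True if s starts with ".exe" (any case) followed by a space or the end. */
static int exe_end(const char *s)
{
    return s[0] == '.' && tolower((unsigned char) s[1]) == 'e' &&
           tolower((unsigned char) s[2]) == 'x' && tolower((unsigned char) s[3]) == 'e' &&
           (s[4] == ' ' || s[4] == '\0');
}

/* Copy each space-terminated prefix of an unquoted command line that comes
 * before the intended executable into out[]; every such name must not exist
 * beside the install path. Assumption: the intended executable is the first
 * token ending in ".exe". Returns the count stored (0 if the line is quoted). */
int ambiguous_prefixes(const char *cmd, char out[][MAXP], int max)
{
    int n = 0;
    if (cmd[0] == '"')
        return 0;
    for (size_t i = 0; cmd[i] != '\0' && !exe_end(cmd + i); i++)
        if (cmd[i] == ' ' && n < max && i < MAXP) {
            memcpy(out[n], cmd, i);
            out[n++][i] = '\0';
        }
    return n;
}

/* Build "<exe>" <args> with the executable quoted; -1 if it cannot. */
int quoted_command(char *dst, size_t len, const char *exe, const char *args)
{
    if (strchr(exe, '"') != NULL)   /* a quote cannot be part of a path */
        return -1;
    int w = snprintf(dst, len, "\"%s\" %s", exe, args);
    return (w < 0 || (size_t) w >= len) ? -1 : 0;
}

int main(void)
{
    /* Service path quoted in the thread, arguments shortened. */
    char p[4][MAXP];
    int n = ambiguous_prefixes("C:/Users/asif/Desktop/Program files/9.3/bin/"
                               "pg_ctl.exe runservice -N \"postgresql-9.3\"", p, 4);
    for (int i = 0; i < n; i++)
        printf("must not exist: %s and %s.exe\n", p[i], p[i]);
    return 0;
}
```
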
