Thread: Unquoted service path containing space is vulnerable and can be exploited on Windows
Unquoted service path containing space is vulnerable and can be exploited on Windows
From: Naoya Anzai
Date:
Hi All,

The following problem is what I had posted before.
I have received comments from PostgreSQL-hackers that this problem has a possibility to exploit the vulnerability.

http://postgresql.1045698.n5.nabble.com/PostgreSQL-Service-on-Windows-does-not-start-quot-is-not-a-valid-Win32-application-quot-td5776048.html

So could anyone confirm?

Regards,

Naoya

> Hi All,
>
> I have found a case that PostgreSQL Service does not start.
> When it happens, the following error appears.
>
> "is not a valid Win32 application"
>
> This failure occurs when the following conditions are true.
>
> 1. There is "postgres.exe" in any directory that contains a space,
>    such as "Program Files".
>
> e.g.)
> C:\Program Files\PostgreSQL\bin\postgres.exe
>
> 2. A file using the first white-space-delimited
>    token of that directory as the file name exists,
>    and it is in the same hierarchy.
>
> e.g.)
> C:\Program //file
>
> "pg_ctl.exe" as PostgreSQL Service creates a postgres
> process using an absolute path which indicates the
> location of "postgres.exe", but the path is not enclosed
> in quotation marks.
>
> Therefore, if the above-mentioned conditions are true,
> CreateProcessAsUser (a Windows function called by pg_ctl.exe)
> tries to create a process using the other file such
> as "Program", so the service fails to start.
>
> Accordingly, I think that the command path should be
> enclosed in quotation marks.
>
> I created a patch to fix this failure,
> so could anyone confirm?
>
> Regards,
>
> Naoya
>
> ---
> Naoya Anzai
> Engineering Department
> NEC Soft, Ltd.
> E-Mail: anzai-naoya@mxu.nes.nec.co.jp
> ---
>

---
Naoya Anzai
Engineering Department
NEC Soft, Ltd.
E-Mail: anzai-naoya@mxu.nes.nec.co.jp
---
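The CreateProcessAsUser lookup described in the quoted report, as an added example in C (not pg_ctl's code or the attached patch): it lists the files Windows would try for the unquoted command line, then shows that quoting the path leaves a single candidate. The function names and the `C:\pgdata` argument are made up for the example, and the `.exe`-appending step of the real lookup is not modelled.

```c
/* Added example, not pg_ctl's code or the proposed patch.  Models how
 * CreateProcess picks the executable from an lpCommandLine with no
 * lpApplicationName, and why quoting fixes it (.exe appending not modelled). */
#include <stdio.h>
#include <string.h>
#define MAX_CANDIDATES 8
#define MAX_PATH_LEN 260
/* Fill out[] with the file names Windows tries, in order, for the program in
 * cmdline: a quoted path gives one candidate; an unquoted path gives each
 * prefix ending at a space, then the whole string.  Returns the count. */
int candidate_executables(const char *cmdline, char out[][MAX_PATH_LEN], int max)
{
    int n = 0;
    size_t len = strlen(cmdline);
    if (max <= 0) return 0;
    if (cmdline[0] == '"') {                            /* unambiguous form */
        const char *close = strchr(cmdline + 1, '"');
        size_t k = close ? (size_t)(close - cmdline - 1) : len - 1;
        if (k >= MAX_PATH_LEN) k = MAX_PATH_LEN - 1;
        memcpy(out[0], cmdline + 1, k);
        out[0][k] = '\0';
        return 1;
    }
    for (size_t i = 0; i < len && n < max; i++)
        if (cmdline[i] == ' ' && i < MAX_PATH_LEN) {    /* e.g. C:\Program */
            memcpy(out[n], cmdline, i);
            out[n++][i] = '\0';
        }
    if (n < max)
        snprintf(out[n++], MAX_PATH_LEN, "%s", cmdline); /* full string last */
    return n;
}
/* Build what the fixed pg_ctl should pass to CreateProcessAsUser: the exe
 * path in double quotes, then its arguments.  0 = ok, -1 = buf too small. */
int quote_program_path(const char *exe, const char *args, char *buf, size_t size)
{
    int w = snprintf(buf, size, "\"%s\" %s", exe, args);
    return (w < 0 || (size_t)w >= size) ? -1 : 0;
}
int main(void)
{
    char cand[MAX_CANDIDATES][MAX_PATH_LEN], fixed[512];
    const char *exe = "C:\\Program Files\\PostgreSQL\\bin\\postgres.exe";
    int n = candidate_executables(exe, cand, MAX_CANDIDATES);
    for (int i = 0; i < n; i++) printf("unquoted, try %d: %s\n", i + 1, cand[i]);
    if (quote_program_path(exe, "-D C:\\pgdata", fixed, sizeof fixed) == 0 &&
        candidate_executables(fixed, cand, MAX_CANDIDATES) == 1)
        printf("quoted, only try: %s\n", cand[0]);
    return 0;
}
```

With the unquoted path the first candidate is `C:\Program`, which is exactly the stray file the report describes; a defender can check a service's registered command line for this pattern and confirm no such file exists at each prefix.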