From: | Naoya Anzai <anzai-naoya(at)mxu(dot)nes(dot)nec(dot)co(dot)jp> |
---|---|
To: | "pgsql-bugs(at)postgresql(dot)org" <pgsql-bugs(at)postgresql(dot)org> |
Cc: | Akio Iwaasa <iwaasa(at)mxs(dot)nes(dot)nec(dot)co(dot)jp> |
Subject: | Unquoted service path containing space is vulnerable and can be exploited on Windows |
Date: | 2013-10-29 07:41:49 |
Message-ID: | 116262CF971C844FB6E793F8809B51C6B2D05C@BPXM02GP.gisp.nec.co.jp |
Lists: | pgsql-bugs |
Hi All
The following problem is what I had posted before.
I have received comments from PostgreSQL-hackers that
this problem has a possibility to exploit the vulnerability.
So could anyone confirm?
Regards,
Naoya
> Hi All,
>
> I have found a case that PostgreSQL Service does not start.
> When it happens, the following error appears.
>
> "is not a valid Win32 application"
>
> This failure occurs when the following conditions are true.
>
> 1. There is "postgres.exe" in any directory that contains a space,
> such as "Program Files".
>
> e.g.)
> C:\Program Files\PostgreSQL\bin\postgres.exe
>
> 2. A file using the first white space-delimited
> tokens of that directory as the file name exists,
> and it is in the same hierarchy.
>
> e.g.)
> C:\Program //file
>
> "pg_ctl.exe" as PostgreSQL Service creates a postgres
> process using an absolute path which indicates the
> location of "postgres.exe", but the path is not enclosed
> in quotation.
>
> Therefore, if the above-mentioned conditions are true,
> CreateProcessAsUser (a Windows function called by pg_ctl.exe)
> tries to create a process using the other file such
> as "Program", so the service fails to start.
>
> Accordingly, I think that the command path should be
> enclosed in quotation.
>
> I created a patch to fix this failure,
> so could anyone confirm?
>
> Regards,
>
> Naoya
>
> ---
> Naoya Anzai
> Engineering Department
> NEC Soft, Ltd.
> E-Mail: anzai-naoya(at)mxu(dot)nes(dot)nec(dot)co(dot)jp
> ---
>
>
---
Naoya Anzai
Engineering Department
NEC Soft, Ltd.
E-Mail: anzai-naoya(at)mxu(dot)nes(dot)nec(dot)co(dot)jp
---
Attachment | Content-Type | Size |
---|---|---|
pg_ctl.c.patch | application/octet-stream | 1.1 KB |
ATT00001.txt | text/plain | 155 bytes |
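
The name resolution described in the quoted report, as an added example that is not part of the original mail or of the attached pg_ctl.c patch: plain C that lists the names Windows tries before the intended executable when its path starts a command line unquoted, and builds the quoted form the report asks for. The function names `shadowing_names` and `quote_exe` are hypothetical; the sample path is the one given in the report.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 8
#define MAX_NAME  260

/* For an executable path placed UNQUOTED at the start of a command line,
 * collect every whitespace-delimited prefix of that path, shortest first.
 * Windows tries these names before the intended executable, so an auditor
 * must confirm none of them exists. Returns the count stored in out[]. */
int shadowing_names(const char *exe_path, char out[][MAX_NAME], int max)
{
    int n = 0;
    size_t i;

    if (exe_path[0] == '\0')
        return 0;
    for (i = 1; exe_path[i] != '\0' && n < max; i++) {
        /* a prefix ends at the first space of each run of spaces */
        if (exe_path[i] == ' ' && exe_path[i - 1] != ' ' && i < MAX_NAME) {
            memcpy(out[n], exe_path, i);
            out[n][i] = '\0';
            n++;
        }
    }
    return n;
}

/* Write "<exe_path>" (double-quoted) into buf. Returns 0 on success, -1 if
 * the path already contains a quote or the result does not fit in buf. */
int quote_exe(const char *exe_path, char *buf, size_t size)
{
    int len;

    if (strchr(exe_path, '"') != NULL)
        return -1;
    len = snprintf(buf, size, "\"%s\"", exe_path);
    return (len < 0 || (size_t)len >= size) ? -1 : 0;
}

int main(void)
{
    const char *exe = "C:\\Program Files\\PostgreSQL\\bin\\postgres.exe";
    char names[MAX_NAMES][MAX_NAME], quoted[MAX_NAME + 2];
    int i, n = shadowing_names(exe, names, MAX_NAMES);

    for (i = 0; i < n; i++)
        printf("tried before postgres.exe: %s\n", names[i]);
    if (quote_exe(exe, quoted, sizeof quoted) == 0)
        printf("unambiguous form: %s\n", quoted);
    return 0;
}
```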