From: | Sir Mordred The Traitor <mordred(at)s-mail(dot)com> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL |
Date: | 2002-08-26 14:46:19 |
Message-ID: | 3d6a3f3b.f7b4a8f2@s-mail.com |
Lists: | pgsql-hackers |
//@(#) Mordred Labs advisory 0x0007
Release date: 26/08/02
Name: Remote DoS condition in PostgreSQL
Versions affected: all versions
Conditions: an entry in the pg_hba.conf file that matches the attacker's host.
Risk: average
---[ Description:
Upon connecting to a database, postmaster will fork a new process.
After that, the child process will call the
src/backend/postmaster/postmaster.c:DoBackend() routine,
which, after processing a startup packet (see src/include/libpq/pqcomm.h),
will invoke the src/backend/libpq/auth.c:ClientAuthentication() routine to
perform client authentication.
If there is an entry in the pg_hba.conf file that matches an attacker's host,
an attacker could trigger invocation of
src/backend/libpq/auth.c:recv_and_check_password0(), which
fails to detect a DoS condition.
---[ Details:
Consider this snip of code from src/backend/libpq/auth.c:
[snip]
```c
static int
recv_and_check_password0(Port *port)
{
    int32   len;
    char   *buf;

    if (pq_getint(&len, 4) == EOF)
        return STATUS_EOF;
    len -= 4;               /* no range check on len before allocating */
    buf = palloc(len);      /* len is taken from a packet */
```
[snip]
Note that the size of the palloc'd memory is taken from the user's input,
which is stupid if you ask me.
---[ How to reproduce:
I don't want to provide any tools to illustrate this vulnerability.
---[ Solution:
Disable network access for untrusted users.
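Added example, not from the advisory and not PostgreSQL source: a C sketch of the range check the advisory says recv_and_check_password0() lacks, written in the same shape (read a 4-byte length, subtract the header, allocate). Socket I/O and palloc() are replaced by an in-memory packet and malloc(); read_password_packet(), password_len_is_sane(), MAX_PASSWORD_PACKET and the scenario helpers are names and values assumed for this example.

```c
/*
 * Added example, not PostgreSQL code: bounded reading of a length-prefixed
 * password packet in the shape of recv_and_check_password0().  The packet is
 * an in-memory buffer instead of a socket, malloc() stands in for palloc(),
 * and all function and constant names below are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STATUS_OK     0
#define STATUS_ERROR (-1)
#define STATUS_EOF   (-2)

/* Largest password payload we will allocate for (example value, not a
 * PostgreSQL constant). */
#define MAX_PASSWORD_PACKET 1000

/* Stand-in for pq_getint(&len, 4): read a 4-byte big-endian integer from the
 * packet buffer.  Returns EOF when fewer than 4 bytes remain. */
static int get_int32_be(const unsigned char *pkt, size_t pktlen,
                        size_t *pos, int32_t *out)
{
    if (pktlen - *pos < 4)
        return EOF;
    uint32_t v = ((uint32_t)pkt[*pos] << 24) | ((uint32_t)pkt[*pos + 1] << 16)
               | ((uint32_t)pkt[*pos + 2] << 8) | (uint32_t)pkt[*pos + 3];
    *pos += 4;
    *out = (int32_t)v;
    return 0;
}

/* The check the advisory says is missing: the declared length must cover its
 * own 4-byte header (otherwise "len -= 4" goes negative and becomes huge when
 * passed to the allocator) and must not exceed what we are willing to hold. */
int password_len_is_sane(int32_t declared_len)
{
    return declared_len >= 4 && declared_len - 4 <= MAX_PASSWORD_PACKET;
}

/* Hardened reader: validate before allocating and never read beyond the bytes
 * actually received.  On STATUS_OK the caller owns *password_out. */
int read_password_packet(const unsigned char *pkt, size_t pktlen,
                         char **password_out)
{
    size_t pos = 0;
    int32_t len;

    *password_out = NULL;
    if (get_int32_be(pkt, pktlen, &pos, &len) == EOF)
        return STATUS_EOF;
    if (!password_len_is_sane(len))
        return STATUS_ERROR;              /* reject before the allocation */

    size_t body = (size_t)len - 4;
    if (body > pktlen - pos)
        return STATUS_EOF;                /* declared more than was sent */

    char *buf = malloc(body + 1);         /* bounded by MAX_PASSWORD_PACKET */
    if (buf == NULL)
        return STATUS_ERROR;
    memcpy(buf, pkt + pos, body);
    buf[body] = '\0';
    *password_out = buf;
    return STATUS_OK;
}

/* Build a constructed packet whose length field is chosen by the caller so a
 * mismatched or oversized declaration can be exercised. */
static size_t build_packet(unsigned char *out, int32_t declared_len,
                           const char *body)
{
    uint32_t v = (uint32_t)declared_len;
    out[0] = (unsigned char)(v >> 24);
    out[1] = (unsigned char)(v >> 16);
    out[2] = (unsigned char)(v >> 8);
    out[3] = (unsigned char)v;
    size_t n = strlen(body);
    memcpy(out + 4, body, n);
    return 4 + n;
}

/* Parse a constructed packet and report only the status code. */
int scenario_status(int32_t declared_len, const char *body)
{
    unsigned char pkt[64];
    char *pw;
    size_t n = build_packet(pkt, declared_len, body);
    int st = read_password_packet(pkt, n, &pw);
    free(pw);                             /* free(NULL) is a no-op */
    return st;
}

/* 1 if a well-formed packet carrying "body" round-trips intact. */
int scenario_roundtrips(const char *body)
{
    unsigned char pkt[64];
    char *pw;
    size_t n = build_packet(pkt, (int32_t)(4 + strlen(body)), body);
    int ok = read_password_packet(pkt, n, &pw) == STATUS_OK
             && strcmp(pw, body) == 0;
    free(pw);
    return ok;
}

int main(void)
{
    printf("well-formed:          %s\n", scenario_roundtrips("secret") ? "accepted" : "rejected");
    printf("declared 0x7fffffff:  status %d\n", scenario_status(0x7fffffff, "secret"));
    printf("declared 2:           status %d\n", scenario_status(2, "secret"));
    printf("declared 64, sent 5:  status %d\n", scenario_status(64, "short"));
    return 0;
}
```

The order of the checks is the point: the declared length is compared against a fixed ceiling and against the bytes actually on hand before any allocation happens, so a client that declares a huge or nonsensical length gets an error status instead of driving the size passed to the allocator.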