Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

From: Paul Tillotson <pntil(at)shentel(dot)net>
To: Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Date: 2005-04-21 03:06:14
Message-ID: 426718A6.8070703@shentel.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

[snip]

>>The issue pointed out back then was that lots of hosts would have usernames
>>with the same name, namely "postgres". So a distributed attack would be able
>>to use a dictionary attack if it were targeting just the "postgres" user on
>>many hosts.
>>
>>That was deemed not a threat model worth worrying about. It's pretty unlikely
>>someone would have access to the md5sums for many different hosts.
>>
>>
>
>I'm worried about them having access to the md5sums for my host..
>If they did and I used 'md5' in pg_hba.conf they wouldn't need to brute
>force anything, they'd have all they needed to connect as the postgres
>users on my database.
>
>
>
Lest anyone think that this is a theoretical attack, PHPBB suffered an
SQL injection last year that allowed to you to, in essence, learn the
truth or falsity of a boolean condition (nothing more) because you could
add conditions to the WHERE clause.

If the application is connecting to the database as superuser, then the
complete password can be read by testing each letter of the hash using
substring and subselects in an expression. For example,

(SELECT substring(password, 1, 1) = 'F' FROM pg_shadow WHERE
user='postgres')

tests if the first character of the password hash is an F.

By doing this, then the attacker can learn any user's password, even
though he can't perform any inserts, updates, deletes, etc., and he can
only extract data slowly.*

Of course, someone is asking to be 0wn3d if they set up PHPBB to connect
as superuser. However, given the amount of work done to prevent
foot-shooting in other areas (e.g., server refuses to run as root), it
seems inconsistent that using md5 as the connection method opens the
server to any attacker who knows the hashes.

Perhaps for 8.1 a new authentication method, say, "securemd5," ought to
be created in which remedies this deficiency?

Regards,
Paul Tillotson

*Interesting mental exercise: if all that your SQL injection allows is
to add conditions to a WHERE clause evaluated as superuser, how does one
execute arbitrary code? I can't think of how to do it offhand.

- You can't INSERT, UPDATE, DELETE, or perform any DDL (including
creating new functions)
- You can't use COPY to overwrite local files.
- There aren't any built-in functions that write files, change tables,
etc., are there?

Wouldn't you have to go for a buffer overflow in one of the built-in
functions? That's considerably more difficult than simply connecting as
superuser and using COPY to overwrite local files with arbitrary data.

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2005-04-21 03:23:05 Re: [COMMITTERS] pgsql: Install some slightly realistic cost estimation
Previous Message Tom Lane 2005-04-21 03:03:45 Re: WAL/PITR additional items