From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "David Litchfield" <davidl(at)ngssoftware(dot)com>
Cc: "John Heasman" <john(at)ngssoftware(dot)com>, pgsql-bugs(at)postgresql(dot)org, dl-advisories(at)ngssoftware(dot)com
Subject: Re: Privilege escalation via LOAD
Date: 2005-01-25 18:54:29
Message-ID: 5818.1106679269@sss.pgh.pa.us
Lists: pgsql-bugs

"David Litchfield" <davidl(at)ngssoftware(dot)com> writes:
> _init() is the equivalent of DllMain on Linux/etc; in fact the other
> database server I was looking at is vulnerable to this exact problem. If
> postgresql accepts CLOB/BLOB input from a client to a table and then can
> dump to disk you might be able to achieve it that way - which is how I did
> it on the other rdbms.

Just for the record, I don't believe there is any way to make Postgres
itself write out a shared library for you, at least not unless you
already have database superuser (in which case you already have all the
privileges a database attack could gain for you). There are no
unprivileged functions to write a file in the server filesystem,
and certainly not any that will "chmod +x" it for you. So this
vulnerability does not represent a useful remote exploit AFAICS.

As a local exploit, on the other hand, it's pretty trivial :-(

regards, tom lane
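Tom's argument rests on nobody short of a superuser being able to put a file onto the server's filesystem. The following audit query is an added example for readers of this archive, not code from the thread or from the PostgreSQL project, and it deliberately goes beyond the 8.0-era server under discussion: it assumes a PostgreSQL 11 or later instance, where the server-side large-object and file-reading functions are controlled by ordinary EXECUTE grants and the predefined roles pg_read_server_files, pg_write_server_files and pg_execute_server_program exist. It enumerates the roles that already are superusers, the non-superusers who have been given server-side file access through those predefined roles, and any explicit EXECUTE grants on the catalog functions that touch the server filesystem, which is exactly the set of "unprivileged functions to write a file" that Tom says should not exist.

```sql
-- Added audit query (not from the thread). Assumes PostgreSQL 11 or later.
-- Run as a superuser or as a role allowed to read the system catalogs.

-- 1. Roles that hold the superuser attribute. These can LOAD anything by
--    design, so the list should be short and every entry expected.
SELECT rolname AS superuser_role
FROM pg_catalog.pg_roles
WHERE rolsuper
ORDER BY rolname;

-- 2. Non-superuser roles that are members of the predefined roles granting
--    server-side file or program access (PostgreSQL 11+). Membership here
--    lets a role write files via COPY ... TO, which is the write primitive
--    Tom notes an unprivileged user must not have.
SELECT r.rolname AS predefined_role,
       m.rolname AS member_role
FROM pg_catalog.pg_auth_members am
JOIN pg_catalog.pg_roles r ON r.oid = am.roleid
JOIN pg_catalog.pg_roles m ON m.oid = am.member
WHERE r.rolname IN ('pg_read_server_files',
                    'pg_write_server_files',
                    'pg_execute_server_program')
  AND NOT m.rolsuper
ORDER BY 1, 2;

-- 3. Explicit EXECUTE grants on catalog functions that read or write files
--    on the server. initdb revokes these from PUBLIC; any row listed here
--    is a grant someone added after the fact and should be justified.
--    aclexplode() reports PUBLIC as grantee OID 0.
SELECT p.proname,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_catalog.pg_get_userbyid(a.grantee)
       END AS grantee,
       a.privilege_type
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
CROSS JOIN LATERAL pg_catalog.aclexplode(p.proacl) a
WHERE n.nspname = 'pg_catalog'
  AND p.proname IN ('lo_import', 'lo_export',
                    'pg_read_file', 'pg_read_binary_file')
  AND p.proacl IS NOT NULL
ORDER BY 1, 2, 3;
```

An empty result from queries 2 and 3, and a superuser list containing only the accounts you expect, is the state Tom's reasoning assumes; anything else means a non-superuser has a path to the server filesystem that the message rules out.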