Oracle DB Worm Code Published

Started by TJ O'Donnell over 20 years ago, 5 messages, general
#1 TJ O'Donnell
tjo@acm.org

A recent article about an Oracle worm:
http://www.eweek.com/article2/0,1895,1880648,00.asp
got me wondering.
Could a worm like this infect a PostgreSQL installation?
It seems to depend on default usernames and passwords -
and lazy DBAs, IMO.
Isn't it true that PostgreSQL doesn't have any default user/password?
Is this an issue we should be concerned about, at some level?

TJ O'Donnell

#2 Magnus Hagander
magnus@hagander.net
In reply to: TJ O'Donnell (#1)
Re: Oracle DB Worm Code Published

> A recent article about an Oracle worm:
> http://www.eweek.com/article2/0,1895,1880648,00.asp
> got me wondering.
> Could a worm like this infect a PostgreSQL installation?
> It seems to depend on default usernames and passwords - and
> lazy DBAs, IMO.
> Isn't it true that PostgreSQL doesn't have any default user/password?

That's true. However, PostgreSQL ships by default with access mode set
to "trust", which means you don't *need* a password. And I bet you'll
find the user being either "postgres" or "pgsql" in 99+% of all
installations.

We do, however, ship with network access disabled by default. Which
means a worm can't get to it, until you enable that. But if you enable
network access, and don't change it from "trust" to something else (such
as md5), then you're wide open to this kind of entry.

(Just create an untrusted PL and hack away - assuming those binaries are
in there, but I bet they are in most installations)

//Magnus

#3 Chris Browne
cbbrowne@acm.org
In reply to: TJ O'Donnell (#1)
Re: Oracle DB Worm Code Published

> A recent article about an Oracle worm:
> http://www.eweek.com/article2/0,1895,1880648,00.asp
> got me wondering.
> Could a worm like this infect a PostgreSQL installation?
> It seems to depend on default usernames and passwords -
> and lazy DBAs, IMO.
> Isn't it true that PostgreSQL doesn't have any default user/password?
> Is this an issue we should be concerned about, at some level?

PostgreSQL doesn't allow network access, by default, which more than
makes up for that.
--
"cbbrowne","@","cbbrowne.com"
http://cbbrowne.com/info/slony.html
"...Yet terrible as Unix addiction is, there are worse fates. If Unix
is the heroin of operating systems, then VMS is barbiturate addiction,
the Mac is MDMA, and MS-DOS is sniffing glue. (Windows is filling your
sinuses with lucite and letting it set.) You owe the Oracle a
twelve-step program." --The Usenet Oracle

#4 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Chris Browne (#3)
Re: Oracle DB Worm Code Published

Christopher Browne <cbbrowne@acm.org> writes:

>> A recent article about an Oracle worm:
>> http://www.eweek.com/article2/0,1895,1880648,00.asp
>> got me wondering.
>
> PostgreSQL doesn't allow network access, by default, which more than
> makes up for that.

You would have to both alter postgresql.conf (to make the postmaster
listen for anything except local connections) and alter pg_hba.conf
to let people in. Of course, if you were fool enough to set pg_hba.conf
to allow "trust" connections from the whole net, you'd have a door open
even wider than Oracle's. But I hope that's not common.

A worm can't be successful unless there's a fairly large population of
vulnerable machines. I am sure that there are *some* PG installations
out there that are wide open, but I doubt there are enough to make a
worm viable.

regards, tom lane

#5 Ian Harding
harding.ian@gmail.com
In reply to: Magnus Hagander (#2)
Re: Oracle DB Worm Code Published

On 1/7/06, Magnus Hagander <mha@sollentuna.net> wrote:

>> A recent article about an Oracle worm:
>> http://www.eweek.com/article2/0,1895,1880648,00.asp
>> got me wondering.
>> Could a worm like this infect a PostgreSQL installation?
>> It seems to depend on default usernames and passwords - and
>> lazy DBAs, IMO.
>> Isn't it true that PostgreSQL doesn't have any default user/password?
>
> That's true. However, PostgreSQL ships by default with access mode set
> to "trust", which means you don't *need* a password. And I bet you'll
> find the user being either "postgres" or "pgsql" in 99+% of all
> installations.
>
> We do, however, ship with network access disabled by default. Which
> means a worm can't get to it, until you enable that. But if you enable
> network access, and don't change it from "trust" to something else (such
> as md5), then you're wide open to this kind of entry.

I don't think it's quite that easy. The default installs from SUSE
and other RPMs I have done are set to ident sameuser for local
connections. Even if you turn on the -i flag, you can't get in
remotely since there is no pg_hba.conf record for the rest of the
world by default. You would have to add a record to pg_hba.conf.

PostgreSQL is remarkably secure out of the box compared to Brand X.
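Added example (mine, not code from the thread or from PostgreSQL): a small Python audit over constructed pg_hba.conf and postgresql.conf text that applies the two-part test Tom Lane (#4) and Ian Harding (#5) describe, flagging the remote "trust" rules Magnus (#2) warns about and reporting "wide open" only when the server also listens beyond localhost. It assumes CIDR-form addresses in pg_hba.conf (the older ADDRESS NETMASK two-token form is not handled) and the listen_addresses parameter as the postgresql.conf counterpart of the -i switch.

```python
import ipaddress

# Constructed sample config (not from any real installation): shipped-style
# local and loopback rules plus the "trust from the net" rules the thread warns about.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   ident sameuser
host    all       all   127.0.0.1/32    md5
host    all       all   0.0.0.0/0       trust
hostssl all       all   10.0.0.0/8      trust
host    all       all   192.168.1.0/24  md5
"""
SAMPLE_PGCONF = "listen_addresses = '*'   # the postgresql.conf equivalent of -i\n"

def _clean(text):
    """Yield lines with comments and blanks stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def parse_hba(text):
    """Return (type, database, user, network_or_None, method) per rule; CIDR addresses assumed."""
    rules = []
    for line in _clean(text):
        tok = line.split()
        if tok[0] == "local":       # Unix-socket rule: no ADDRESS column
            rules.append((tok[0], tok[1], tok[2], None, tok[3]))
        else:                       # host/hostssl/hostnossl rule
            net = ipaddress.ip_network(tok[3], strict=False)
            rules.append((tok[0], tok[1], tok[2], net, tok[4]))
    return rules

def remote_trust_rules(rules):
    """Rules admitting anyone beyond the loopback interface with no password at all."""
    return [r for r in rules
            if r[4] == "trust" and r[3] is not None and not r[3].is_loopback]

def listens_remotely(conf_text):
    """True if postgresql.conf binds TCP beyond localhost (the default is 'localhost')."""
    local = {"localhost", "127.0.0.1", "::1"}
    for line in _clean(conf_text):
        key, _, val = line.partition("=")
        if key.strip() == "listen_addresses":
            addrs = {a.strip() for a in val.strip().strip("'\"").split(",")} - {""}
            return bool(addrs - local)
    return False

def wide_open(hba_text, conf_text):
    """Tom Lane's point: both changes are needed before the worm scenario applies."""
    return listens_remotely(conf_text) and bool(remote_trust_rules(parse_hba(hba_text)))
```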