Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
Privilege escalation via LOAD
- From: John Heasman <john(at)ngssoftware(dot)com>
- To: pgsql-bugs(at)postgresql(dot)org
- Cc: dl-advisories(at)ngssoftware(dot)com
- Subject: Privilege escalation via LOAD
- Date: Fri, 21 Jan 2005 11:08:44 -0800 (Pacific Standard Time)
- Message-id: <Pine.WNT.4.61.0501211049190.1264@j2> <text/plain>
Hi guys,It appears that low privileged users can invoke the LOAD extension to load arbitrary libraries into the postgres process space. On Windows systems this is achieved by calling LoadLibrary (src/backend/port/dynloader/win32.c). The effect of this is that DllMain will be executed. Since LOAD takes an absolute path, UNC paths may be used on Windows, thus a low privileged database user can load an arbitrary library from an anonymous share they have set up, escalating to the privileges of the database user. I am still investigating the impact on Unix.
Cheers John(this vulnerability was born out of a discussion on #postgresql between myself, lurka and dennisb).
- Follow-Ups:
- Re: Privilege escalation via LOAD
- From: Tom Lane
- Re: Privilege escalation via LOAD
- From: David Litchfield
- Re: Privilege escalation via LOAD
- Prev by Date: BUG #1428: SHGetSpecialFolderPath not found in SHELL32.dll
- Next by Date: Re: Problem with driver ODBC / VB
- Previous by thread: BUG #1428: SHGetSpecialFolderPath not found in SHELL32.dll
- Next by thread: Re: Privilege escalation via LOAD
- Indexes: