Privilege escalation via LOAD


  • From: John Heasman <john(at)ngssoftware(dot)com>
  • To: pgsql-bugs(at)postgresql(dot)org
  • Cc: dl-advisories(at)ngssoftware(dot)com
  • Subject: Privilege escalation via LOAD
  • Date: Fri, 21 Jan 2005 11:08:44 -0800 (Pacific Standard Time)
  • Message-id: <Pine.WNT.4.61.0501211049190.1264@j2> <text/plain>

Hi guys,

It appears that low privileged users can invoke the LOAD extension to load arbitrary libraries into the postgres process space. On Windows systems this is achieved by calling LoadLibrary (src/backend/port/dynloader/win32.c). The effect of this is that DllMain will be executed. Since LOAD takes an absolute path, UNC paths may be used on Windows, thus a low privileged database user can load an arbitrary library from an anonymous share they have set up, escalating to the privileges of the database user. I am still investigating the impact on Unix.

Cheers

John

(this vulnerability was born out of a discussion on #postgresql between myself, lurka and dennisb).
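
An added example, not part of the original message and not PostgreSQL's own code: one way a loader could refuse the UNC paths described above before the path ever reaches LoadLibrary, by accepting only local paths under a single trusted directory. The function names and the directory `C:\pgsql\lib` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Windows path APIs accept either separator, so treat both alike. */
static bool is_sep(char c) { return c == '/' || c == '\\'; }

/* UNC and device-namespace paths start with two separators, e.g.
 * \\host\share\x.dll, //host/share/x.dll, \\?\UNC\host\share\x.dll */
static bool is_unc_or_device_path(const char *p)
{
    return is_sep(p[0]) && is_sep(p[1]);
}

/* True if any path component is exactly "..". */
static bool has_dotdot(const char *p)
{
    while (*p) {
        size_t n = 0;
        while (p[n] && !is_sep(p[n])) n++;
        if (n == 2 && p[0] == '.' && p[1] == '.') return true;
        p += n;
        if (*p) p++;               /* step over the separator */
    }
    return false;
}

/* Hypothetical policy check: allow a load only when the path is local, has
 * no ".." component, and names a file under trusted_dir (given without a
 * trailing separator). The prefix comparison is byte-exact, so differences
 * in case or separator style fail closed. */
bool library_path_allowed(const char *path, const char *trusted_dir)
{
    if (!path || !trusted_dir) return false;
    size_t dlen = strlen(trusted_dir);
    if (dlen == 0 || *path == '\0') return false;
    if (is_unc_or_device_path(path) || has_dotdot(path)) return false;
    if (strncmp(path, trusted_dir, dlen) != 0) return false;
    /* trusted_dir must end on a component boundary, followed by a name */
    return is_sep(path[dlen]) && path[dlen + 1] != '\0';
}

int main(void)
{
    const char *dir = "C:\\pgsql\\lib";   /* constructed sample directory */
    bool ok = library_path_allowed("C:\\pgsql\\lib\\plpgsql.dll", dir)
           && !library_path_allowed("\\\\host\\share\\x.dll", dir);
    return ok ? 0 : 1;
}
```

A path filter of this kind narrows what can be loaded; it does not change which database roles are permitted to issue LOAD in the first place.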



