Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
Privilege escalation via LOAD
- From: John Heasman <john(at)ngssoftware(dot)com>
- To: pgsql-bugs(at)postgresql(dot)org
- Cc: dl-advisories(at)ngssoftware(dot)com
- Subject: Privilege escalation via LOAD
- Date: Fri, 21 Jan 2005 11:08:44 -0800 (Pacific Standard Time)
Hi guys,It appears that low privileged users can invoke the LOAD extension to load arbitrary libraries into the postgres process space. On Windows systems this is achieved by calling LoadLibrary (src/backend/port/dynloader/win32.c). The effect of this is that DllMain will be executed. Since LOAD takes an absolute path, UNC paths may be used on Windows, thus a low privileged database user can load an arbitrary library from an anonymous share they have set up, escalating to the privileges of the database user. I am still investigating the impact on Unix.
Cheers John(this vulnerability was born out of a discussion on #postgresql between myself, lurka and dennisb).
- Follow-Ups:
- Re: Privilege escalation via LOAD
- From: Tom Lane
- Re: Privilege escalation via LOAD
- From: David Litchfield
- Re: Privilege escalation via LOAD
- Prev by Date: BUG #1428: SHGetSpecialFolderPath not found in SHELL32.dll
- Next by Date: Re: Problem with driver ODBC / VB
- Previous by thread: BUG #1428: SHGetSpecialFolderPath not found in SHELL32.dll
- Next by thread: Re: Privilege escalation via LOAD
- Indexes: