ASA-2018-00050 – PostgreSQL: SQL injection via pg_upgrade and pg_dump


Allele Security Alert

ASA-2018-00050

Identifier(s)

ASA-2018-00050, CVE-2018-16850

Title

SQL injection via pg_upgrade and pg_dump

Vendor(s)

PostgreSQL Global Development Group

Product(s)

PostgreSQL

Affected version(s)

PostgreSQL 10

PostgreSQL 11

Fixed version(s)

PostgreSQL 10.6

PostgreSQL 11.1

Proof of concept

Unknown

Description

Using a purpose-crafted trigger definition, an attacker can run arbitrary SQL statements with superuser privileges when a superuser runs pg_upgrade on the database or during a pg_dump dump/restore cycle. This attack requires a CREATE privilege on some non-temporary schema or a TRIGGER privilege on a table. This is exploitable in the default PostgreSQL configuration, where all users have CREATE privilege on public schema.

Since PostgreSQL 10, a trigger definition can name transition relations (the REFERENCING clause of CREATE TRIGGER). pg_dump did not quote this name when writing the database dump, so SQL code contained in the name is written into the dump verbatim and is later run by the superuser who restores the database.
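As an added example (not part of this advisory, and not PostgreSQL's own code), the following Python script shows the defender's side of the issue described above: a quote_identifier() equivalent that does what the fix commit adds to pg_dump, a fixed_clause() helper that emits a REFERENCING clause with every transition table name quoted, and scan_dump(), which checks the REFERENCING clauses in an existing dump text for transition table names that were not written as a single identifier. The sample dump fragments, trigger and table names, and the reserved-word subset are constructed for illustration; a real dump from a vulnerable pg_dump would need to be regenerated with 10.6 / 11.1 or later rather than restored.

```python
import re

# Constructed sample (not from the advisory): CREATE TRIGGER statements of the
# kind a PostgreSQL 10+ pg_dump emits. The third carries a transition table
# name that a pg_dump before 10.6 / 11.1 wrote out without quoting.
SAMPLE_DUMP = """
CREATE TRIGGER audit_ins AFTER INSERT ON public.orders
    REFERENCING NEW TABLE AS new_rows
    FOR EACH STATEMENT EXECUTE PROCEDURE public.audit_fn();

CREATE TRIGGER audit_upd AFTER UPDATE ON public.orders
    REFERENCING OLD TABLE AS "Old Rows" NEW TABLE AS "new""rows"
    FOR EACH STATEMENT EXECUTE PROCEDURE public.audit_fn();

CREATE TRIGGER audit_del AFTER DELETE ON public.orders
    REFERENCING OLD TABLE AS old rows
    FOR EACH STATEMENT EXECUTE PROCEDURE public.audit_fn();

CREATE TRIGGER no_transition BEFORE INSERT ON public.orders
    FOR EACH ROW EXECUTE PROCEDURE public.check_fn();
"""

# Illustrative subset only (assumption): PostgreSQL's quote_identifier()
# consults its full keyword table when deciding whether a name needs quotes.
RESERVED_SUBSET = {"select", "table", "from", "where", "user"}

IDENT_PLAIN = r'[A-Za-z_][A-Za-z0-9_$]*'
IDENT_QUOTED = r'"(?:[^"]|"")+"'          # double-quoted, embedded quotes doubled

# One transition table spec: NEW|OLD TABLE [AS] <identifier>
TRANSITION = re.compile(
    r'\s*(NEW|OLD)\s+TABLE\s+(?:AS\s+)?(' + IDENT_QUOTED + '|' + IDENT_PLAIN + ')',
    re.IGNORECASE)

# CREATE TRIGGER <name> ... REFERENCING <clause> FOR EACH ...
# Trigger names are assumed to be plain identifiers in this sample.
TRIGGER_HEAD = re.compile(
    r'CREATE\s+(?:CONSTRAINT\s+)?TRIGGER\s+(\S+)[^;]*?\bREFERENCING\b(.*?)\bFOR\s+EACH\b',
    re.IGNORECASE | re.DOTALL)


def quote_identifier(name: str) -> str:
    """Quote an SQL identifier the way pg_dump does after the fix: leave a safe
    lowercase identifier alone, otherwise wrap it in double quotes and double
    any embedded double quote."""
    if re.fullmatch(r'[a-z_][a-z0-9_]*', name) and name not in RESERVED_SUBSET:
        return name
    return '"' + name.replace('"', '""') + '"'


def fixed_clause(transitions):
    """Emit a REFERENCING clause with every transition table name quoted.
    transitions is a list of (kind, name) pairs, kind being 'NEW' or 'OLD'."""
    return "REFERENCING " + " ".join(
        f"{kind} TABLE AS {quote_identifier(name)}" for kind, name in transitions)


def check_referencing(clause: str):
    """Consume NEW/OLD TABLE AS <ident> specs from a REFERENCING clause.
    Returns (names, leftover); any non-empty leftover means the clause did not
    parse as a sequence of single identifiers, i.e. a name was not quoted."""
    pos, names = 0, []
    while True:
        m = TRANSITION.match(clause, pos)
        if not m:
            break
        names.append(m.group(2))
        pos = m.end()
    return names, clause[pos:].strip()


def scan_dump(text: str):
    """Return [(trigger_name, leftover_text)] for every CREATE TRIGGER whose
    REFERENCING clause contains tokens that are not part of a transition spec."""
    findings = []
    for m in TRIGGER_HEAD.finditer(text):
        trigger, clause = m.group(1), m.group(2)
        _, leftover = check_referencing(clause)
        if leftover:
            findings.append((trigger, leftover))
    return findings


if __name__ == "__main__":
    for trigger, leftover in scan_dump(SAMPLE_DUMP):
        print(f"trigger {trigger}: unquoted material in REFERENCING clause: {leftover!r}")
    # What a fixed pg_dump would have written for the third trigger's clause.
    print(fixed_clause([("OLD", "old rows")]))
```

Run against SAMPLE_DUMP the scanner reports only audit_del, because `old rows` is two tokens where one identifier is expected, while the quoted names of audit_upd parse cleanly. A non-empty result on a real dump is a signal that the file was produced by a pg_dump without the quote_identifier fix and should be regenerated, not restored as-is.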

Technical details

Unknown

Credits

Karl Czajkowski

Reference(s)

PostgreSQL 11.1, 10.6, 9.6.11, 9.5.15, 9.4.20, and 9.3.25 Released!
https://www.postgresql.org/about/news/1905/

Add missing quote_identifier calls for CREATE TRIGGER … REFERENCING.
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=06292bb949e555f34edde7603237194a7daac942

Security: CVE-2018-16850
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=2da33cbd52aaf5cbc4bc6c4e42e8879ee75a859d

BUG #15440: pg_dump does not preserve quoted identifiers for statement-level trigger transition table names
https://www.postgresql.org/message-id/15440-02d1468e94d63d76@postgresql.org

CVE-2018-16850 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2018-16850

CVE-2018-16850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16850

CVE-2018-16850
https://nvd.nist.gov/vuln/detail/CVE-2018-16850

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 1, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.