Allele Security Alert
ASA-2018-00050
Identifier(s)
ASA-2018-00050, CVE-2018-16850
Title
SQL injection via pg_upgrade and pg_dump
Vendor(s)
PostgreSQL Global Development Group
Product(s)
PostgreSQL
Affected version(s)
PostgreSQL 10
PostgreSQL 11
Fixed version(s)
PostgreSQL 10.6
PostgreSQL 11.1
Proof of concept
Unknown
Description
Using a purpose-crafted trigger definition, an attacker can run arbitrary SQL statements with superuser privileges when a superuser runs pg_upgrade on the database or during a pg_dump dump/restore cycle. This attack requires the CREATE privilege on some non-temporary schema or the TRIGGER privilege on a table. It is exploitable in the default PostgreSQL configuration, where all users have the CREATE privilege on the public schema.
Since PostgreSQL version 10, a trigger definition can specify a name to enable transition relations. This name, however, is not properly quoted when the database is dumped, which allows SQL code to be injected into the dump. That dump is later run by a superuser to restore the database.
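An added audit query, not part of the original alert or of PostgreSQL's own code, that a superuser can run in each database of an unpatched 10.x or 11.0 server before pg_upgrade or a pg_dump dump/restore cycle. It lists triggers whose transition relation names (stored in pg_trigger.tgoldtable and pg_trigger.tgnewtable) differ from their quote_ident() form, which are the names affected by the missing quoting; the output column aliases are chosen here for readability.

```sql
-- Added example: find triggers whose REFERENCING transition relation names
-- are not plain identifiers, i.e. names that need quoting to survive a dump.
SELECT n.nspname                   AS schema_name,
       c.relname                   AS table_name,
       pg_get_userbyid(c.relowner) AS table_owner,
       t.tgname                    AS trigger_name,
       t.tgoldtable                AS old_table_name,
       t.tgnewtable                AS new_table_name
FROM pg_catalog.pg_trigger   AS t
JOIN pg_catalog.pg_class     AS c ON c.oid = t.tgrelid
JOIN pg_catalog.pg_namespace AS n ON n.oid = c.relnamespace
WHERE NOT t.tgisinternal
  AND (
        -- quote_ident() returns its input unchanged only for names that are
        -- safe to emit without double quotes.
        (t.tgoldtable IS NOT NULL
         AND pg_catalog.quote_ident(t.tgoldtable::text) <> t.tgoldtable::text)
     OR (t.tgnewtable IS NOT NULL
         AND pg_catalog.quote_ident(t.tgnewtable::text) <> t.tgnewtable::text)
      )
ORDER BY schema_name, table_name, trigger_name;
```

Harmless mixed-case names also appear in the result, so review each row together with its table owner; upgrading to the fixed versions listed above remains the remedy.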
Technical details
Unknown
Credits
Karl Czajkowski
Reference(s)
PostgreSQL 11.1, 10.6, 9.6.11, 9.5.15, 9.4.20, and 9.3.25 Released!
https://www.postgresql.org/about/news/1905/
Add missing quote_identifier calls for CREATE TRIGGER … REFERENCING.
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=06292bb949e555f34edde7603237194a7daac942
Security: CVE-2018-16850
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=2da33cbd52aaf5cbc4bc6c4e42e8879ee75a859d
BUG #15440: pg_dump does not preserve quoted identifiers for statement-level trigger transition table names
https://www.postgresql.org/message-id/15440-02d1468e94d63d76@postgresql.org
CVE-2018-16850 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2018-16850
CVE-2018-16850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16850
CVE-2018-16850
https://nvd.nist.gov/vuln/detail/CVE-2018-16850
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 1, 2019