ASA-2019-00393 – PostgreSQL: Stack-based buffer overflow via setting a password


Allele Security Alert

ASA-2019-00393

Identifier(s)

ASA-2019-00393, CVE-2019-10164

Title

Stack-based buffer overflow via setting a password

Vendor(s)

The PostgreSQL Project

Product(s)

PostgreSQL

Affected version(s)

PostgreSQL version 10.x before 10.9
PostgreSQL version 11.x before 11.4
PostgreSQL version 12 beta before 12 beta 2

The vulnerability was introduced in the following commit:

Change the on-disk format of SCRAM verifiers to conform to RFC 5803.
https://github.com/postgres/postgres/commit/68e61ee72eb6914f493f08be98363c2f980ee242

Fixed version(s)

PostgreSQL version 11.4
PostgreSQL version 10.9
PostgreSQL version 12 beta 2
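
The affected and fixed ranges above, written as a triage check. This is an added example, not code from Allele Security or the PostgreSQL Project. It classifies the string returned by SHOW server_version; the function names and the sample inventory are assumptions constructed for illustration.

```python
import re

# Fixed minor release per affected major branch, taken from the advisory above.
FIXED_MINOR = {10: 9, 11: 4}
FIXED_12_BETA = 2  # 12 beta 2 is the first 12 pre-release listed as fixed

# Matches "10.8", "11.3 (Debian 11.3-1.pgdg90+1)", "12beta1", "9.6.13", "12devel".
_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.\d+)?(?:(beta|rc|devel)(\d*))?")


def classify(server_version: str) -> str:
    """Return 'affected', 'fixed' or 'not-listed' for a server_version string."""
    m = _VERSION_RE.match(server_version)
    if not m:
        raise ValueError(f"unrecognised server_version: {server_version!r}")
    major = int(m.group(1))
    minor = int(m.group(2)) if m.group(2) else None
    stage, stage_num = m.group(3), m.group(4)

    if major in FIXED_MINOR:
        # The advisory lists 10.x and 11.x releases only, not their pre-releases.
        if stage or minor is None:
            return "not-listed"
        return "affected" if minor < FIXED_MINOR[major] else "fixed"
    if major == 12:
        if stage == "devel":
            return "not-listed"
        if stage == "beta":
            return "affected" if int(stage_num or 0) < FIXED_12_BETA else "fixed"
        return "fixed"  # 12 rc and 12.x releases come after 12 beta 2
    return "not-listed"  # other branches are outside the ranges given above


def affected_hosts(inventory: dict[str, str]) -> list[str]:
    """Hosts whose reported version falls in an affected range."""
    return sorted(h for h, v in inventory.items() if classify(v) == "affected")


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE = {
    "db-a": "10.8",
    "db-b": "11.3 (Debian 11.3-1.pgdg90+1)",
    "db-c": "12beta1",
    "db-d": "11.4",
    "db-e": "9.6.13",
}

if __name__ == "__main__":
    for host, version in SAMPLE.items():
        print(f"{host}: {version} -> {classify(version)}")
```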

Proof of concept

Unknown

Description

An authenticated user could create a stack-based buffer overflow by changing their own password to a purpose-crafted value. In addition to the ability to crash the PostgreSQL server, this could be further exploited to execute arbitrary code as the PostgreSQL operating system account.

Additionally, a rogue server could send a specifically crafted message during the SCRAM authentication process and cause a libpq-enabled client to either crash or execute arbitrary code as the client’s operating system account.

Technical details

Unknown

Credits

Alexander Lakhin

Reference(s)

PostgreSQL 11.4, 10.9, 9.6.14, 9.5.18, 9.4.23, and 12 Beta 2 Released!
https://www.postgresql.org/about/news/1949/

Fix buffer overflow when processing SCRAM final message in libpq
https://github.com/postgres/postgres/commit/b67421178880f9df337dc19b8601b54b99efbc78

Fix buffer overflow when parsing SCRAM verifiers in backend
https://github.com/postgres/postgres/commit/09ec55b933091cb5b0af99978718cb3d289c71b6

Change the on-disk format of SCRAM verifiers to conform to RFC 5803.
https://github.com/postgres/postgres/commit/68e61ee72eb6914f493f08be98363c2f980ee242

Fix detection of passwords hashed with MD5 or SCRAM-SHA-256
https://github.com/postgres/postgres/commit/ccae190b916f27fbe4079ee4664d34cd1be47b79

CVE-2019-10164
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10164

CVE-2019-10164
https://nvd.nist.gov/vuln/detail/CVE-2019-10164

Last modified: June 29, 2019