Re: Privilege escalation via LOAD

"David Litchfield" <davidl@ngssoftware.com> writes:
> _init() is the equivalent of DllMain on Linux/etc; in fact the other
> database server I was looking at is vulnerable to this exact problem. If
> postgresql accepts CLOB/BLOB input from a client to a table and then can
> dump to disk you might be able to achieve it that way - which is how I did
> it on the other rdbms.

Just for the record, I don't believe there is any way to make Postgres
itself write out a shared library for you, at least not unless you
already have database superuser (in which case you already have all the
privileges a database attack could gain for you).  There are no
unprivileged functions to write a file in the server filesystem,
and certainly not any that will "chmod +x" it for you.  So this
vulnerability does not represent a useful remote exploit AFAICS.

As a local exploit, on the other hand, it's pretty trivial :-(

            regards, tom lane