Building PostgreSQL old version from source to test vulnerability CVE-2017-7546

Поиск
Список
Период
Сортировка
От Julián Jiménez González
Тема Building PostgreSQL old version from source to test vulnerability CVE-2017-7546
Дата
Msg-id CAANxhjKZKWh-Rfdh=OvUPOmobKiSm54j9MdACeKOV=y_iiaHtw@mail.gmail.com
обсуждение исходный текст
Ответы Re: Building PostgreSQL old version from source to testvulnerability CVE-2017-7546  (Christoph Berg <myon@debian.org>)
Список pgsql-general
Дерево обсуждения
Hello.

I'm trying to build a vulnerable PostgreSQL system in a Docker container in order to be able to exploit this vulnerability. I'm testing with a C# app which simply connects using a connstring through npgsql driver (this is one of the vulnerable drivers since it's not based on libpq):

string connstring = String.Format("Server={0};Port={1};" +
                    "User Id={2};Password={3};Database={4};PersistSecurityInfo=true",
                    //"10.5.0.73", "10005", "postgres", //Docker inside Linux Mint's VM with port mapped like "docker run -p 10005:5432 ..."
                    //"10.5.0.73", "5432", "postgres", //Linux Mint's VM
                    "10.5.0.163", "5432", "postgres", //Ubuntu server's VM
                    "", "postgres");

I've been able to exploit it in my Linux Mint VM building from this commit, which is the parent of the commit which introduces the fix for the vulnerability, but I couldn't do it either:

  1. Building from the same commit zip file in another VM (Ubuntu server).
  2. Using DockerHub's versions which are expected to be vulnerable (like 9.2.20, 9.6.3 and 9.6.2).
  3. With a custom Docker container based on debian:jessie (also tried with ubuntu:latest).

I've checked the ports I use are not conflicting with ports from another proccess in any of those systems:

sudo lsof -i -P -n | grep LISTEN

and I've checked they all have these configurations:

/usr/local/pgsql/data/pg_hba.conf: host all all all password (This is the last line, and I also tried with md5).

/usr/local/pgsql/data/postgresql.conf: listen_addresses = '*'

I'm actually completely sure I'm connecting to the postgres instance I expect, since the responses make complete sense when I adjust the config or shut down the instances, except for those with empty passwords which should log in successfully, but throw this exception instead:

No password has been provided but the backend requires one (in plaintext)

(Changing plaintext to md5 when I change pg_hba.conf's config).

It looks like the version I'm using is patched but it makes no sense why the hell I could exploit it in my Linux Mint VM and I can't in my Ubuntu Server VM, since I'm using the exact same commit. Regarding Docker official images, they are 7 and 9 months old, which is before 7th August (the day the patch came in), so I can't understand this either.

I need and would greatly appreciate any help tracking this problem down.

Thanks in advance.

logo_170x100px.png

Julián Jiménez González

Investigador - Desarrollador | Área de Servicios y Aplicaciones

Researcher - Developer | Services & Applications Department

Ph. (+34) 986 120 430  Ext. 3021
jjimenez@gradiant.org  |  www.gradiant.org

Iconos Redes Sociales GRD Firma email-01  Iconos Redes Sociales GRD Firma email-02  Iconos Redes Sociales GRD Firma email-03  Iconos Redes Sociales GRD Firma email-04

Take care of the environment. Try not to print this email.
The information contained in this email message may be confidential information, and may also be the subject of legal professional privilege. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorized and prohibited. Please inform us immediately and destroy the email. Thank you for your cooperation.


В списке pgsql-general по дате отправления:

Предыдущее
От: Martin Moore
Дата:
Сообщение: Re: Not sure if I should CREATE INDEX for text columns on which Iplan to filter later
Следующее
От: Ron Johnson
Дата:
Сообщение: Re: Installing 9.6.6 to a RHEL 6.7 server with no Internet access