Hi guys,
It appears that low privileged users can invoke the LOAD extension to load
arbitrary libraries into the postgres process space. On Windows systems
this is achieved by calling LoadLibrary
(src/backend/port/dynloader/win32.c). The effect of this is that DllMain
will be executed. Since LOAD takes an absolute path, UNC paths may be
used on Windows, thus a low privileged database user can load an arbitrary
library from an anonymous share they have set up, escalating to the
privileges of the database user. I am still investigating the impact on
Unix.
Cheers
John
(this vulnerability was born out of a discussion on #postgresql
between myself, lurka and dennisb).