Обсуждение: Building PostgreSQL old version from source to test vulnerability CVE-2017-7546

Поиск
Список
Период
Сортировка

Building PostgreSQL old version from source to test vulnerability CVE-2017-7546

От
Julián Jiménez González
Дата:
Hello.

I'm trying to build a vulnerable PostgreSQL system in a Docker container in order to be able to exploit this vulnerability. I'm testing with a C# app which simply connects using a connstring through npgsql driver (this is one of the vulnerable drivers since it's not based on libpq):

string connstring = String.Format("Server={0};Port={1};" +
                    "User Id={2};Password={3};Database={4};PersistSecurityInfo=true",
                    //"10.5.0.73", "10005", "postgres", //Docker inside Linux Mint's VM with port mapped like "docker run -p 10005:5432 ..."
                    //"10.5.0.73", "5432", "postgres", //Linux Mint's VM
                    "10.5.0.163", "5432", "postgres", //Ubuntu server's VM
                    "", "postgres");

I've been able to exploit it in my Linux Mint VM building from this commit, which is the parent of the commit which introduces the fix for the vulnerability, but I couldn't do it either:

  1. Building from the same commit zip file in another VM (Ubuntu server).
  2. Using DockerHub's versions which are expected to be vulnerable (like 9.2.20, 9.6.3 and 9.6.2).
  3. With a custom Docker container based on debian:jessie (also tried with ubuntu:latest).

I've checked the ports I use are not conflicting with ports from another proccess in any of those systems:

sudo lsof -i -P -n | grep LISTEN

and I've checked they all have these configurations:

/usr/local/pgsql/data/pg_hba.conf: host all all all password (This is the last line, and I also tried with md5).

/usr/local/pgsql/data/postgresql.conf: listen_addresses = '*'

I'm actually completely sure I'm connecting to the postgres instance I expect, since the responses make complete sense when I adjust the config or shut down the instances, except for those with empty passwords which should log in successfully, but throw this exception instead:

No password has been provided but the backend requires one (in plaintext)

(Changing plaintext to md5 when I change pg_hba.conf's config).

It looks like the version I'm using is patched but it makes no sense why the hell I could exploit it in my Linux Mint VM and I can't in my Ubuntu Server VM, since I'm using the exact same commit. Regarding Docker official images, they are 7 and 9 months old, which is before 7th August (the day the patch came in), so I can't understand this either.

I need and would greatly appreciate any help tracking this problem down.

Thanks in advance.

logo_170x100px.png

Julián Jiménez González

Investigador - Desarrollador | Área de Servicios y Aplicaciones

Researcher - Developer | Services & Applications Department

Ph. (+34) 986 120 430  Ext. 3021
jjimenez@gradiant.org  |  www.gradiant.org

Iconos Redes Sociales GRD Firma email-01  Iconos Redes Sociales GRD Firma email-02  Iconos Redes Sociales GRD Firma email-03  Iconos Redes Sociales GRD Firma email-04

Take care of the environment. Try not to print this email.
The information contained in this email message may be confidential information, and may also be the subject of legal professional privilege. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorized and prohibited. Please inform us immediately and destroy the email. Thank you for your cooperation.


Re: Building PostgreSQL old version from source to testvulnerability CVE-2017-7546

От
Christoph Berg
Дата:
Re: Julián Jiménez González 2018-02-21 <CAANxhjKZKWh-Rfdh=OvUPOmobKiSm54j9MdACeKOV=y_iiaHtw@mail.gmail.com>
> I need and would greatly appreciate any help tracking this problem down.

I'd try setting gdb breakpoints on the relevant code lines/functions.

If it helps, old Ubuntu packages are available there:
http://atalia.postgresql.org/morgue/
https://wiki.postgresql.org/wiki/Apt/FAQ#Where_are_older_versions_of_the_packages.3F

Christoph

Re: Building PostgreSQL old version from source to test vulnerability CVE-2017-7546

От
Julián Jiménez González
Дата:
Thanks for your answer Christoph. I've tried to do that but I can't debug it inside GDB. I configured like so:

CFLAGS="-O0 -g" ./configure --enable-debug

As I found suggested in a SO thread. Then made and installed, and when I launch gdb either like

gdb --args /usr/local/pgsql/bin/postgres -D /usr/local/pgsql/data

or starting it normally and then attaching GDB (having found the PID with a select pg_backend_pid() ):

gdb -p <PID>

I can't get to set a breakpoint in crypt.c, for example. It theoretically loaded debugging symbols, but I can't find the .c files inside the src/ from where I built Postgres. If I try to add them:

(gdb) add-symbol-file software/postgres_dec6e47/src/backend/libpq/crypt.c
The address where software/postgres_dec6e47/src/backend/libpq/crypt.c has been loaded is missing

I suspect this has something to do with postgres having to be launched with user postgres, while gdb not, besides installing it from my normal user and not postgres. When trying to build it with postgres user, it basically complains about it not being in sudoers.

On the other hand, I tried to set up logging and I did not get any further info.

Thanks.


logo_170x100px.png

Julián Jiménez González

Investigador - Desarrollador | Área de Servicios y Aplicaciones

Researcher - Developer | Services & Applications Department

Ph. (+34) 986 120 430  Ext. 3021
jjimenez@gradiant.org  |  www.gradiant.org

Iconos Redes Sociales GRD Firma email-01  Iconos Redes Sociales GRD Firma email-02  Iconos Redes Sociales GRD Firma email-03  Iconos Redes Sociales GRD Firma email-04

Take care of the environment. Try not to print this email.
The information contained in this email message may be confidential information, and may also be the subject of legal professional privilege. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorized and prohibited. Please inform us immediately and destroy the email. Thank you for your cooperation.



2018-02-22 10:55 GMT+01:00 Christoph Berg <myon@debian.org>:
Re: Julián Jiménez González 2018-02-21 <CAANxhjKZKWh-Rfdh=OvUPOmobKiSm54j9MdACeKOV=y_iiaHtw@mail.gmail.com>
> I need and would greatly appreciate any help tracking this problem down.

I'd try setting gdb breakpoints on the relevant code lines/functions.

If it helps, old Ubuntu packages are available there:
http://atalia.postgresql.org/morgue/
https://wiki.postgresql.org/wiki/Apt/FAQ#Where_are_older_versions_of_the_packages.3F

Christoph