
Remote DoS in PostgreSQL
Date: 2003-03-13

Author: Sir Mordred (http://mslabs.iwebland.com) - sir.mordred@hushmail.com
Versions affected: <= 7.2.2
Conditions: an entry in the pg_hba.conf file that matches the attacker's host.
Risk: average

I. Description:

PostgreSQL is an advanced object-relational database management system
that supports an extended subset of the SQL standard, including
transactions, foreign keys, subqueries, triggers, user-defined types and
functions. Check http://www.postgresql.org for more information.


Upon a client connecting to a database, postmaster forks a new process.
The child process then calls the
src/backend/postmaster/postmaster.c:DoBackend() routine, which, after
processing the startup packet (see src/include/libpq/pqcomm.h), invokes the
src/backend/libpq/auth.c:ClientAuthentication() routine to perform client
authentication.
If there is an entry in the pg_hba.conf file that matches the attacker's
host, the attacker can trigger an invocation of
src/backend/libpq/auth.c:recv_and_check_password0(), which does not
validate the length field it reads from the password packet and therefore
fails to detect a DoS condition.

II. Details:
Consider this snippet of code from src/backend/libpq/auth.c:

[snip]
static int recv_and_check_password0(Port *port) {
    int32 len;
    char *buf;

    /* read the 4-byte length field from the password packet */
    if (pq_getint(&len, 4) == EOF)
        return STATUS_EOF;
    len -= 4;
    buf = palloc(len); /* len is taken from the packet and is not checked */
[snip]

Note that the size of the palloc'ed buffer is taken directly from the user's
input: len is never checked for being negative, smaller than 4, or
unreasonably large before it is handed to palloc().
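To make the defect concrete, here is an added example (not code from the advisory or from PostgreSQL) that places the unchecked length handling next to a hardened reader. It uses a constructed in-memory stream (FakePort), assumed numeric values for the STATUS_* codes, and an assumed upper bound MAX_PASSWORD_LEN; the packets at the bottom are constructed, not captured traffic. The unchecked variant reports the size that palloc() would be asked for instead of allocating it, so the example runs safely:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes named after the STATUS_* macros in the advisory's snippet;
 * the numeric values here are assumed for the example. */
#define STATUS_OK     0
#define STATUS_ERROR (-1)
#define STATUS_EOF   (-2)

/* Largest password payload the hardened reader will allocate for.
 * This bound is an assumption for the example, not a PostgreSQL constant. */
#define MAX_PASSWORD_LEN 1000

/* Stand-in for the Port input stream: a constructed in-memory byte buffer. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} FakePort;

/* Read a big-endian int32 the way pq_getint(&len, 4) does; EOF if short. */
static int fake_getint(FakePort *p, int32_t *out) {
    if (p->len - p->pos < 4)
        return EOF;
    uint32_t v = ((uint32_t)p->data[p->pos]     << 24) |
                 ((uint32_t)p->data[p->pos + 1] << 16) |
                 ((uint32_t)p->data[p->pos + 2] << 8)  |
                  (uint32_t)p->data[p->pos + 3];
    p->pos += 4;
    *out = (int32_t)v;
    return 0;
}

/* Mirror of the advisory's logic: report the size that palloc(len) would be
 * asked for, with no sanity check on the field. Computed in 64 bits so the
 * example neither overflows nor actually allocates anything. */
int unchecked_alloc_size(const unsigned char *pkt, size_t pktlen, int64_t *size) {
    FakePort p = { pkt, pktlen, 0 };
    int32_t len;
    if (fake_getint(&p, &len) == EOF)
        return STATUS_EOF;
    *size = (int64_t)len - 4;   /* this is what would reach palloc() */
    return STATUS_OK;
}

/* Hardened reader: validate the length field before allocating, and refuse
 * a packet that announces more bytes than it actually carries. On success
 * the NUL-terminated password is written to out. */
int checked_recv_password(const unsigned char *pkt, size_t pktlen,
                          char *out, size_t outsz) {
    FakePort p = { pkt, pktlen, 0 };
    int32_t len;
    if (fake_getint(&p, &len) == EOF)
        return STATUS_EOF;
    /* Bounds check on the raw field: rules out negative/underflowed and
     * absurdly large sizes before any memory is requested. */
    if (len < 4 || len - 4 > MAX_PASSWORD_LEN)
        return STATUS_ERROR;
    size_t body = (size_t)(len - 4);
    if (p.len - p.pos < body)       /* truncated: fewer bytes than claimed */
        return STATUS_EOF;
    if (body + 1 > outsz)
        return STATUS_ERROR;
    memcpy(out, p.data + p.pos, body);
    out[body] = '\0';
    return STATUS_OK;
}

/* Constructed sample packets (not captured traffic). */
const unsigned char BENIGN_PKT[] = { 0, 0, 0, 10, 's', 'e', 'c', 'r', 'e', 't' };
const size_t BENIGN_PKT_LEN      = sizeof BENIGN_PKT;
const unsigned char HUGE_PKT[]   = { 0x7f, 0xff, 0xff, 0xff };      /* len = INT32_MAX */
const size_t HUGE_PKT_LEN        = sizeof HUGE_PKT;
const unsigned char TINY_PKT[]   = { 0, 0, 0, 1 };                  /* len - 4 < 0 */
const size_t TINY_PKT_LEN        = sizeof TINY_PKT;
const unsigned char SHORT_PKT[]  = { 0, 0, 0, 10, 's', 'e', 'c' };  /* claims 6, sends 3 */
const size_t SHORT_PKT_LEN       = sizeof SHORT_PKT;

int main(void) {
    char pw[MAX_PASSWORD_LEN + 1];
    int64_t sz = 0;
    unchecked_alloc_size(HUGE_PKT, HUGE_PKT_LEN, &sz);
    printf("unchecked: hostile length would request %lld bytes\n", (long long)sz);
    printf("checked:   hostile packet -> %d\n",
           checked_recv_password(HUGE_PKT, HUGE_PKT_LEN, pw, sizeof pw));
    if (checked_recv_password(BENIGN_PKT, BENIGN_PKT_LEN, pw, sizeof pw) == STATUS_OK)
        printf("checked:   benign packet -> \"%s\"\n", pw);
    return 0;
}
```

The important design point is that the check is applied to the raw length field before any arithmetic or allocation, and that the reader also verifies the stream really contains the announced number of bytes, so a truncated packet is reported as EOF rather than blocking or over-reading.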


III. How to reproduce:

It's clear from the advisory how to reproduce this.

IV. Solution:

Disable network access for untrusted users, i.e. make sure pg_hba.conf
contains no entry that matches hosts you do not trust.


