Python + PostgreSQL pgAdmin4 – Insecure Library Loading Allows Code Execution

fulldisclosure logo
Full Disclosure
mailing list archives

Python + PostgreSQL pgAdmin4 – Insecure Library Loading Allows Code Execution


From: Karn Ganeshen <karnganeshen () gmail com>

Date: Tue, 28 Feb 2017 19:43:52 +0000


Python + PostgreSQL pgAdmin4 – Insecure Library Loading Allows Code
Execution (DLL Hijacking Vulnerability)

*Confirmed on*
pgAdmin4 v1.1: Current version packaged with PostgreSQL v9.6.1.1 (Windows
x86 Current version)

*Checked on*
Windows 7 SP1 + python 2.7.13 (current version)

Note - This is a vulnerability in python, which gets manifested via
pgAdmin4. Other applications and softwares that use python, may as well be
vulnerable.

*Download*
http://www.enterprisedb.com/postgresql-961-installers-win32?ls=Crossover&type=Crossover

*Vulnerability / Exploitation Details*

This vulnerability can allow attackers to execute arbitrary code on
vulnerable installations of pgAdmin4 software. pgAdmin4 is a GUI
application for database server administration, and comes packaged with
PostgreSQL package.

User interaction is required to exploit this vulnerability in that the
malicious dll file(s) should be saved in any of the DLL search paths.

During the course of its operations, pgAdmin4 looks for specific DLLs.
These DLLs are missing from the default application install directory, the
application then looks for such dll’s in various locations including
directories listed in PATH variable, and therefore, this vulnerability
arises.

Case 1 – *uuid.dll*

By placing an arbitrary malicious DLL files named as uuid.dll, in any one
of the locations configured in PATH variable, an attacker is able to force
the process to load an arbitrary, malicious DLL. This allows an attacker to
execute arbitrary code in the context of the (privileged) Admin user, when
it is run.

Note 1: According to Dave from pgAdmin4 team –
In the case of uuid.dll, the one DLL that fails to load entirely after
exhausting Window's search mechanism, there is also little we can do. The
search for this library is initiated entirely by the Python interpeter, not
by any of our code. *Any bug here is therefore a Python bug, not pgAdmin*.

Case 2 – *other dlls*

Multiple other dlls (system related IMO), are also missing from the install
directories, and looked for within the pgAdmin4 installation directories.

*Steps to reproduce*

Case 1 – uuid.dll:

1. Generate a dll payload
msfvenom –p windows/exec cmd=calc.exe –f dll –o uuid.dll

2. Place this dll in any directory defined in the PATH environment
variable, e.g.

C:\app-folder-RW\
Or
C:\Windows\

3. Start pgAdmin4.exe -> calc.exe

+++++

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

  By Date  
     
  By Thread  

Current thread:

  • Python + PostgreSQL pgAdmin4 – Insecure Library Loading Allows Code Execution Karn Ganeshen (Feb 28)

Source: Full Disclosure @ March 1, 2017 at 12:04AM

0
Share