lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <200303121610.h2CGAAu6064428@mailserver2.hushmail.com>
Date: Wed, 12 Mar 2003 08:10:09 -0800
From: sir.mordred@...hmail.com
To: bugtraq@...urityfocus.com
Subject: @(#)Mordred Labs advisory - Remote DoS in PostgreSQL <= 7.2.2



-----BEGIN PGP SIGNED MESSAGE-----

//@(#) Mordred Labs advisory 0x0007

Release date: August 26, 2002
Name: Remote DoS condition in PostgreSQL
Versions affected: <= 7.2.2
Conditions: entry in a pg_hba.conf file that matches attacker's host.
Risk: average
Author: Sir Mordred (http://mslabs.iwebland.com)

I. Description:

PostgreSQL is an advanced object-relational database management system
that supports an extended subset of the SQL standard, including
transactions,
foreign keys, subqueries, triggers, user-defined types and functions.
Check http://www.postgresql.org for more information.


Upon connecting to a database, postmaster will fork a new process.
After that, a child process will call a
src/backend/postmaster/postmaster.c:DoBackend() routine,
which after processing a startup packet (see src/include/libpq/pqcomm.h),
will invoke a src/backend/libpq/auth.c:ClientAuthentication() routine to
perform client authentication.
If there is an entry in pg_hba.conf file, that matches an attacker's host,
an attacker could trigger
invocation of src/backend/libpq/auth.c:recv_and_check_password0(), which
fails to detect a DoS condition.

II. Details:
Consider this snip of code from src/backend/libpq/auth.c:

[snip]
static int recv_and_check_password0(Port *port) {
	int32 len;
	char *buf;

	if (pq_getint(&len, 4) == EOF)
		return STATUS_EOF;
	len -= 4;
	buf = palloc(len); /* len is taken from a packet */
[snip]

Note, that the size of palloced memory is taken from the user's input.


III. How to reproduce:

It's clear from the advisory how to reproduce this.

IV. Solution

Disable network access for untrusted users.


-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wmAEARECACAFAj5vXM4ZHHNpci5tb3JkcmVkQGh1c2htYWlsLmNvbQAKCRAOkXvN4BZr
fHUdAKCtv+xPETQZLluTxHWgfIIcbDprwwCgsOtI5Qjzf0P2EwCFtowTdD9HsC4=
=9INs
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2 

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ