Bug 1498394 (CVE-2017-12172) - CVE-2017-12172 postgresql: Start scripts permit database administrator to modify root-owned files
Summary: CVE-2017-12172 postgresql: Start scripts permit database administrator to mod...
Status: CLOSED ERRATA
Alias: CVE-2017-12172
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20171109,repor...
Keywords: Security
Depends On: 1499345 1499346 1500060 1500061 1500062 1500063 1502019 1502020 1507555 1507556 1507558 1507559 1507561 1507562 1515999 1516000 1516001 1516002 1516003 1516007 1516008 1527968 1527969
Blocks: 1498401
TreeView+ depends on / blocked
 
Reported: 2017-10-04 08:41 UTC by Adam Mariš
Modified: 2019-06-08 22:23 UTC (History)
34 users (show)

(edit)
Privilege escalation flaws were found in the initialization scripts of PostgreSQL. An attacker with access to the postgres user account could use these flaws to obtain root access on the server machine.
Clone Of:
(edit)
Last Closed: 2017-12-08 03:05:41 UTC


Attachments (Terms of Use)
Upstream fix (for upstream-version of scripting) (2.90 KB, patch)
2017-10-23 22:25 UTC, Pavel Raiskup
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3402 normal SHIPPED_LIVE Moderate: postgresql security update 2017-12-08 07:40:39 UTC
Red Hat Product Errata RHSA-2017:3403 normal SHIPPED_LIVE Moderate: rh-postgresql94-postgresql security update 2017-12-08 07:41:17 UTC
Red Hat Product Errata RHSA-2017:3404 normal SHIPPED_LIVE Moderate: rh-postgresql95-postgresql security update 2017-12-08 07:58:03 UTC
Red Hat Product Errata RHSA-2017:3405 normal SHIPPED_LIVE Moderate: rh-postgresql96-postgresql security update 2017-12-08 07:58:26 UTC

Description Adam Mariš 2017-10-04 08:41:35 UTC
PostgreSQL runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. PostgreSQL provides a script for starting the database server during system boot. Packages of PostgreSQL for many operating systems provide their own, packager-authored startup implementations. Several implementations use a log file name that the database superuser can replace with a symbolic link. As root, the scripts redirect stdout and stderr content to the log file name. This often suffices for the database superuser to escalate to root privileges when root starts the server.

Supported, Vulnerable Versions: 9.2 - 10

Comment 1 Adam Mariš 2017-10-04 08:41:47 UTC
Acknowledgments:

Name: the PostgreSQL project
Upstream: Antoine Scemama (Brainloop)

Comment 11 Pavel Raiskup 2017-10-23 22:25 UTC
Created attachment 1342437 [details]
Upstream fix (for upstream-version of scripting)

Comment 27 Tomas Hoger 2017-11-08 16:12:40 UTC
The issue that was reported for the init script included with the upstream PosgreSQL sources is here:

https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=contrib/start-scripts/linux;h=763a8064#l95

su - $PGUSER -c "$DAEMON_ENV $DAEMON -D '$PGDATA' &" >>$PGLOG 2>&1

The problem is that redirection to / opening of the log file is done with the privileges of the user running the init script (i.e. root) and not as postgres user.  Hence postgres user can cause postmaster process output to be written to an arbitrary file via a $PGLOG link.


The same pattern in used in the "start" action of the init script as used in postgresql packages in Red Hat Enterprise Linux 6 and earlier.  It was also used in earlier Fedora versions prior to introduction of systemd:

http://pkgs.fedoraproject.org/cgit/rpms/postgresql.git/tree/postgresql.init?h=f7#n181

$SU -l postgres -c "$PGENGINE/postmaster -p '$PGPORT' -D '$PGDATA' ${PGOPTS} &" >> "$PGLOG" 2>&1 < /dev/null

Additionally, the similar pattern can also be found in the "initdb" action of the same init script:

http://pkgs.fedoraproject.org/cgit/rpms/postgresql.git/tree/postgresql.init?h=f7#n247

$SU -l postgres -c "$PGENGINE/initdb --pgdata='$PGDATA' --auth='ident sameuser'" >> "$PGLOG" 2>&1 < /dev/null


The init script as used in postgresql packages in Red Hat Software Collections for Red Hat Enterprise Linux 6 does not contain this pattern directly.  However, as part of its "start" action, it calls the run_cmd_as_dbadmin() function from the postgresql-setup.  This function does unsafe output redirection, even though the code looks somewhat different:

https://github.com/devexp-db/postgresql-setup/blob/v5.1/share/postgresql-setup/library.sh.in#L135-L137

test -n "$stdout" && exec >>"$stdout"
test -n "$stderr" && exec 2>>"$stderr"
$SU_POSTGRES -c "$cmd" < /dev/null


The postgresql packages for Red Hat Enterprise Linux 7 do not use init script to start the service, but rather use systemd service unit file.  This file does not contain this pattern, nor call the run_cmd_as_dbadmin() function.  Additionally, all commands executed by the service file are already started with the postgres user privileges, so there's no possibility of privilege escalation.


The postgresql packages in Red Hat Enterprise Linux 7 and Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7 also contain their own variant of the "initdb" instance of this problem.  The code is found in the postgresql-setup script:

https://github.com/devexp-db/postgresql-setup/blob/v5.1/postgresql-setup.in#L148

$SU_POSTGRES -c "$initdbcmd" >> "$initdb_log" 2>&1 < /dev/null

The code is reached when the script is executed with --initdb or --upgrade options.  On Red Hat Software Collections for Red Hat Enterprise Linux 6, the init script invokes the postgresql-setup with these options from the "inidb" and "upgrade" actions.


Note that the instances of the problem that are executed during the service start are more likely to be exploited, as "initdb" and "upgrade" actions are only used rarely - possibly only once before the specific PostgreSQL installation is first started and hence prior to giving database administrator privileges to any non-root user.

Comment 29 Pedro Yóssis Silva Barbosa 2017-11-10 15:44:27 UTC
External References:

https://www.postgresql.org/about/news/1801/

Comment 31 Kurt Seifried 2017-11-21 19:06:40 UTC
Created mingw-postgresql tracking bugs for this issue:

Affects: epel-7 [bug 1516000]
Affects: fedora-all [bug 1515999]


Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1516002]

Comment 34 Tomas Hoger 2017-11-22 15:47:00 UTC
Commit addressing this issue in postgresql-setup:

https://github.com/devexp-db/postgresql-setup/commit/86e6bb803775f889a3f100811b7038a3f4eb8519

Comment 35 errata-xmlrpc 2017-12-08 02:41:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:3402 https://access.redhat.com/errata/RHSA-2017:3402

Comment 36 errata-xmlrpc 2017-12-08 02:41:57 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3403 https://access.redhat.com/errata/RHSA-2017:3403

Comment 37 errata-xmlrpc 2017-12-08 02:59:14 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3404 https://access.redhat.com/errata/RHSA-2017:3404

Comment 38 errata-xmlrpc 2017-12-08 02:59:42 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3405 https://access.redhat.com/errata/RHSA-2017:3405

Comment 39 Kurt Seifried 2017-12-18 22:05:03 UTC
Statement:

Red Hat Enterprise Linux 6 and Satellite 5 are now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.


Note You need to log in before you can comment on or make changes to this bug.