PostgreSQL < 8.0.3 Multiple Vulnerabilities

2005-05-0500:00:00

www.tenable.com

According to its banner, the version of PostgreSQL installed on the remote host may suffer from the following vulnerabilities :

Character Conversion Vulnerability Unprivileged users can call functions supporting client- server character set conversion from SQL commands even though those functions do not validate their arguments.
tsearch2 Vulnerability If installed, the ‘contrib/tsearch2’ module permits users to at a minimum crash the backend because it misdeclares several functions as returning type ‘internal’ when in fact they do not have any ‘internal’ argument.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(18202);
  script_version("1.19");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2005-1409", "CVE-2005-1410");
  script_bugtraq_id(13475, 13476);

  script_name(english:"PostgreSQL < 8.0.3 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote database server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of PostgreSQL installed on the
remote host may suffer from the following vulnerabilities :

  - Character Conversion Vulnerability
    Unprivileged users can call functions supporting client-
    server character set conversion from SQL commands even
    though those functions do not validate their arguments.

  - tsearch2 Vulnerability
    If installed, the 'contrib/tsearch2' module permits
    users
    to at a minimum crash the backend because it misdeclares
    several functions as returning type 'internal' when in
    fact they do not have any 'internal' argument.");
  script_set_attribute(attribute:"see_also", value:"http://www.postgresql.org/about/news.315");
  # http://web.archive.org/web/20080820000033/http://developer.postgresql.org/docs/postgres/release-8-0-3.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7969c3a5");
  script_set_attribute(attribute:"solution", value:
"Implement the changes described in the PostgreSQL advisory or upgrade
to 8.0.3.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/05/05");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:postgresql:postgresql");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.");

  script_dependencies("postgresql_detect.nasl");
  script_require_ports("Services/postgresql", 5432);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

port = get_service(svc:"postgresql", default:5432, exit_on_fail:TRUE);


# Request the database 'template1' as the user 'postgres' or 'pgsql'.
zero = raw_string(0x00);
user[0] = "postgres";
user[1] = "pgsql";

for (i=0; i<2; i=i+1) {
  soc = open_sock_tcp(port);
  if (!soc) audit(AUDIT_PORT_CLOSED, port);

  usr = user[i];
  len = 224 - strlen(usr);
  req = raw_string(
          0x00, 0x00, 0x01, 0x28, 0x00, 0x02,
          0x00, 0x00, 0x74, 0x65, 0x6D, 0x70, 0x6C, 0x61,
          0x74, 0x65, 0x31
        ) +
        crap(data:zero, length:55) +
        usr +
        crap(data:zero, length:len);

  send(socket:soc, data:req);
  res = recv(socket:soc, length:5);
  res2 = recv(socket:soc, length:1024);
  if ((res[0]=="R") && (strlen(res2) == 10)) {
    req = raw_string(0x51) +
          "select version();" +
    	  raw_string(0x00);
    send(socket:soc, data:req);
    res = recv(socket:soc, length:65535);
    res = strstr(res, "PostgreSQL");

    if (res != NULL) {
      for (i=0; i<strlen(res); i++) {
        if (ord(res[i]) == 0) break;
      }
      res = substr(res, 0, i-1);
      # nb: the vulnerabilities affect 7.3.0 - 8.0.2.
      if (ereg(string:res, pattern:"PostgreSQL (7\.[34]|8\.0\.[0-2][^0-9])")){
     	security_warning(port);
      }
    }
    else if ("ERROR: function version()" >< res && report_paranoia > 1) security_warning(port);
    exit(0);
  }
}

VendorProductVersionCPE
postgresqlpostgresqlcpe:/a:postgresql:postgresql

Vendor	Product	Version	CPE
postgresql	postgresql		cpe:/a:postgresql:postgresql

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1409

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1410

www.nessus.org/u?7969c3a5

www.postgresql.org/about/news.315

JSON

Related for POSTGRESQL_CHARSET_AND_TSEARCH2.NASL