Latest YouTube Video

Wednesday, March 1, 2017

[FD] Python + PostgreSQL pgAdmin4 – Insecure Library Loading Allows Code Execution

Python + PostgreSQL pgAdmin4 – Insecure Library Loading Allows Code Execution (DLL Hijacking Vulnerability) *Confirmed on* pgAdmin4 v1.1: Current version packaged with PostgreSQL v9.6.1.1 (Windows x86 Current version) *Checked on* Windows 7 SP1 + python 2.7.13 (current version) Note - This is a vulnerability in python, which gets manifested via pgAdmin4. Other applications and softwares that use python, may as well be vulnerable. *Download* http://ift.tt/2lxnMTr *Vulnerability / Exploitation Details* This vulnerability can allow attackers to execute arbitrary code on vulnerable installations of pgAdmin4 software. pgAdmin4 is a GUI application for database server administration, and comes packaged with PostgreSQL package. User interaction is required to exploit this vulnerability in that the malicious dll file(s) should be saved in any of the DLL search paths. During the course of its operations, pgAdmin4 looks for specific DLLs. These DLLs are missing from the default application install directory, the application then looks for such dll’s in various locations including directories listed in PATH variable, and therefore, this vulnerability arises. Case 1 – *uuid.dll* By placing an arbitrary malicious DLL files named as uuid.dll, in any one of the locations configured in PATH variable, an attacker is able to force the process to load an arbitrary, malicious DLL. This allows an attacker to execute arbitrary code in the context of the (privileged) Admin user, when it is run. Note 1: According to Dave from pgAdmin4 team – In the case of uuid.dll, the one DLL that fails to load entirely after exhausting Window's search mechanism, there is also little we can do. The search for this library is initiated entirely by the Python interpeter, not by any of our code. *Any bug here is therefore a Python bug, not pgAdmin*. Case 2 – *other dlls* Multiple other dlls (system related IMO), are also missing from the install directories, and looked for within the pgAdmin4 installation directories. *Steps to reproduce* Case 1 – uuid.dll: 1. Generate a dll payload msfvenom –p windows/exec cmd=calc.exe –f dll –o uuid.dll 2. Place this dll in any directory defined in the PATH environment variable, e.g. C:\app-folder-RW\ Or C:\Windows\ 3. Start pgAdmin4.exe -> calc.exe +++++

Source: Gmail -> IFTTT-> Blogger

No comments: