February 28, 2017 Karn Ganeshen

PostgreSQL pgAdmin4 – Insecure Library Loading Allows Code Execution

Python + PostgreSQL pgAdmin4 – Insecure Library Loading Allows Code Execution (DLL Hijacking Vulnerability)


Confirmed on products
pgAdmin4 v1.1: Current version packaged with PostgreSQL v9.6.1.1 (Windows x86 Current version)

Tested on
Windows 7 SP1 + python 2.7.13 (current version)

Note – This is a vulnerability in python, which gets manifested via pgAdmin4. Other applications and softwares that use python, may as well be vulnerable.

Download
http://www.enterprisedb.com/postgresql-961-installers-win32?ls=Crossover&type=Crossover


Vulnerability / Exploitation Details

This vulnerability can allow attackers to execute arbitrary code on vulnerable installations of pgAdmin4 software. pgAdmin4 is a GUI application for database server administration, and comes packaged with PostgreSQL package.

User interaction is required to exploit this vulnerability in that the malicious dll file(s) should be saved in any of the DLL search paths.

The specific flaw exists within the handling of DLL file lookups by pgAdmin4 executable (pgAdmin4.exe).

To set the context, a Windows application looks in to the following locations, when a DLL file, is not found:

During the course of its operations, pgAdmin4 looks for specific DLLs. These DLLs are missing from the default application install directory, the application then looks for such dll’s in various locations including directories listed in PATH variable, and therefore, this vulnerability arises.

Case 1 – uuid.dll

It was observed that pgAdmin4 traverses the paths & locations based on Windows PATH environment variable to find & load a specific, missing DLL (uuid.dll). By placing an arbitrary malicious DLL files named as uuid.dll, in any one of the locations configured in PATH variable, an attacker is able to force the process to load an arbitrary, malicious DLL. This allows an attacker to execute arbitrary code in the context of the (privileged) Admin user, when it is run.

Note 1: According to Dave from pgAdmin4 team –

In the case of uuid.dll, the one DLL that fails to load entirely after exhausting Window’s search mechanism, there is also little we can do. The search for this library is initiated entirely by the Python interpeter, not by any of our code. Any bug here is therefore a Python bug, not pgAdmin.

PATH environment variable values can be identified by running – set PATH – on the Windows Command Terminal (cmd.exe).

For example, a sample output is:


 

When pgAdmin4.exe is run, it looks for this dll in the directories defined in PATH environment variable:

C:\app-folder-RW  -> malicious dll with same name is found & loaded/triggered

To exploit this vector, an authenticated, non-admin user will have to place a malicious DLL files in any one of the directories / locations defined in the Windows PATH environment variable.

Case 2 – other dlls

Multiple other dlls (system related IMO), are also missing from the install directories, and looked for within the pgAdmin4 installation directories.

Exploitation Vectors

To exploit this vulnerability, malicious DLL(s) will have to be placed in specific directories.

Typically,

  1. planting malicious DLLs in the install folder would be conducted through Social Engineering – sending email / IM / trust exploitation etc -, and/or drive-by download, targeting a privileged user.
  2. Any authenticated user can perform planting malicious DLLs in any writeable folder that is configured in the PATH variable.

The attacker initially will not have administrative privileges. Once the DLLs are placed in appropriate directories, and an admin / privileged user is runs the program, then privilege escalation and / or code execution will be achieved.

In both cases 1 & 2, vulnerable deployments can be exploited to perform arbitrary code execution and local privilege escalation.

Steps to reproduce

+++++

Cheers!

Tagged: , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *