Обсуждение: @(#)Mordred Labs advisory 0x0006: Two minor DoS conditions in PostgreSQL

"..if someone has direct SQL access to your database, they can
already do more damage than what this vulnerability addresses.  Specifically
DROP TABLE is available to users with direct SQL command line access..."

That's true of course, but i really dont want to do any damage, i might
even don't want
to get noticed...

".. the cracker must be able to execute arbitrary SQL commands against the
database, 
and by that stage of the game, a DoS
attack is already trivial (e.g. disable GEQO and execute a 15 table join
query)..."

Hmm, sounds complex, why bother?. Thanks for the advice anyway :-)

//@(#) Mordred Labs advisory 0x0006

Release data: 26/08/02
Name: Two dumb DoS conditions in PostgreSQL
Versions affected: all versions
Risk: very low

---[ Description:

1) Upon invoking a substring(text, integer, integer) function, a
src/backend/utils/adt/varlena.c:text_substr()
function will gets called, which fails to detect a simple dos condition,
triggered by a very high third argument.
Multibyte support must be enabled for this attack to work.
The vulnerable encodings are: SQL_ASCII, LATIN1.
With others, you just will get SIGSEGV (not checked).

2) Upon invoking a bpchar(char, integer) function, a
src/backend/utils/adt/varchar.c:bpchar() function
will gets called, which suffers from a dos condition.

--[ How to reproduce:

template1=# select substring('xxxxxxxx',2,2147483647);      
template1=# select bpchar('x',100000000); 

--[ Solution

No one is available.


________________________________________________________________________
This letter has been delivered unencrypted. We'd like to remind you that
the full protection of e-mail correspondence is provided by S-mail
encryption mechanisms if only both, Sender and Recipient use S-mail.
Register at S-mail.com: http://www.s-mail.com/inf/en

Sir Mordred The Traitor <mordred@s-mail.com> writes:
> template1=# select substring('xxxxxxxx',2,2147483647);      

With CVS HEAD (with database encoding = SQL_ASCII and UNICODE), I get:

nconway=# select substring('xxxxxxxx',2,2147483647);
ERROR:  negative substring length not allowed

With REL7_2_STABLE, I get:

template1=# select substring('xxxxxxxx',2,2147483647);
ERROR:  MemoryContextAlloc: invalid request size 2147483651

> template1=# select bpchar('x',100000000); 

With both CVS HEAD and REL7_2_STABLE, I get:

template1=# select bpchar('x',100000000);
zsh: 7312 segmentation fault (core dumped)  ./psql template1

(note that it's the client, and not the backend, that crashes)

Although the backend does allocate a couple hundred megs of memory
while processing the query.

Although I haven't looked at the code yet, it's probably worth noting
that the two test cases posted above are not cut-and-dry DoS
opportunities, AFAICT -- however, the code may still be vulnerable.

Cheers,

Neil

-- 
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC