Hello. I'm trying to build a vulnerable PostgreSQL system in a Docker container in order to be able to exploit this vulnerability <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7546>. I'm testing with a C# app which simply connects using a *connstring* through the *npgsql* driver (this is one of the vulnerable drivers <https://wiki.postgresql.org/wiki/List_of_drivers> since it's not based on *libpq*):
    string connstring = String.Format(
        "Server={0};Port={1};" +
        "User Id={2};Password={3};Database={4};PersistSecurityInfo=true",
        //"10.5.0.73", "10005", "postgres", // Docker inside Linux Mint's VM with port mapped like "docker run -p 10005:5432 ..."
        //"10.5.0.73", "5432", "postgres",  // Linux Mint's VM
        "10.5.0.163", "5432", "postgres",   // Ubuntu server's VM
        "", "postgres");                    // empty password, database "postgres"

*I've been able to exploit it in my Linux Mint VM* building from this commit <https://github.com/postgres/postgres/commit/dec6e4746d2f82abc4f611797df65be5329b2b57>, which is the parent of the commit which introduces the fix <https://github.com/postgres/postgres/commit/d5d46d99ba47f> for the vulnerability, but I couldn't do it in any of these cases:

1. Building from *the same commit* zip file in another VM (Ubuntu server).
2. Using DockerHub <https://hub.docker.com/r/library/postgres/tags/>'s versions *which are expected to be vulnerable* (like 9.2.20, 9.6.3 and 9.6.2).
3. With a custom Docker container based on *debian:jessie* (also tried with ubuntu:latest).

I've checked the ports I use are not conflicting with ports from another process in any of those systems:

    sudo lsof -i -P -n | grep LISTEN

and I've checked they all have these configurations:

/usr/local/pgsql/data/*pg_hba.conf*:

    host all all all password

(This is the *last line*, and I also tried with *md5*.)

/usr/local/pgsql/data/*postgresql.conf*:

    listen_addresses = '*'

I'm actually completely sure I'm connecting to the postgres instance I expect, since the responses make complete sense when I adjust the config or shut down the instances, except for those with empty passwords which should log in successfully, but throw this exception instead:

    No password has been provided but the backend requires one (in plaintext)

(Changing "plaintext" to "md5" when I change pg_hba.conf's config.)
It looks like the version I'm using is patched, but it makes no sense why the hell I could exploit it in my Linux Mint VM and I can't in my Ubuntu Server VM, since I'm using the *exact same commit*. Regarding Docker official images, they are 7 and 9 months old, which is before 7th August (the day the patch came in), so I can't understand this either.

I need and would greatly appreciate any help tracking this problem down. Thanks in advance.

Julián Jiménez González
Researcher - Developer | Services & Applications Department
Gradiant <http://www.gradiant.org/>
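As an added example (not code from the post or from PostgreSQL), here is a small Python audit of a pg_hba.conf that flags password-based entries (password, md5, scram-sha-256) reachable from any address, i.e. lines of the shape `host all all all password` shown above; on server builds predating the CVE-2017-7546 fix linked in the post, these are the entries through which a role with an empty password could be accepted. The sample config is constructed for the example; `parse_pg_hba`, `matches_any_host` and `audit` are the example's own helpers.

```python
import ipaddress

# Constructed sample (not a real file); its last line is the post's "host all all all password".
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   md5
host    all       all   all            password
"""
# Password-based methods; server builds predating the CVE-2017-7546 fix
# could accept an empty password for a role through any of these.
PASSWORD_METHODS = {"password", "md5", "scram-sha-256"}

def parse_pg_hba(text):
    """One dict per effective entry: line, type, db, user, address, method."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()     # strip comment, split on whitespace
        if not f:
            continue
        if f[0] == "local" and len(f) >= 4:
            address, method = None, f[3]     # Unix-socket entry has no ADDRESS
        elif f[0] != "local" and len(f) >= 5:
            address, method = f[3], f[4]     # host/hostssl/hostnossl entry
        else:
            continue                         # malformed; the server would reject it
        entries.append({"line": lineno, "type": f[0], "db": f[1], "user": f[2],
                        "address": address, "method": method})
    return entries

def matches_any_host(address):
    """True when the ADDRESS field admits every client (all, 0.0.0.0/0, ::/0)."""
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False                         # None (local entry), hostname, samehost/samenet

def audit(text):
    """Return (line, method, reason) for password-based entries open to any host."""
    findings = []
    for e in parse_pg_hba(text):
        if e["method"] in PASSWORD_METHODS and matches_any_host(e["address"]):
            reason = "password auth reachable from any host"
            if e["method"] == "password":
                reason += "; password sent in plaintext"
            findings.append((e["line"], e["method"], reason))
    return findings
```

Because pg_hba.conf is matched first-line-wins, a finding on the last line only applies to clients that no earlier line matched, which is exactly the case for the remote test client in the post.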