Hi Sandeep

> I think, you should change the subject line to "Unquoted service path
> containing space is vulnerable and can be exploited on Windows" to get the
> attention.. :)

Thank you for the advice! I'll try to post to pgsql-bugs again.

> BTW, in your case, the file "Program" should be an exe and not just any other
> file to exploit this vulnerability. Right?

Yes, "Program" is a simple file I made.

Best Regards,
Naoya

> Hi Naoya
>
> I think, you should change the subject line to "Unquoted service path
> containing space is vulnerable and can be exploited on Windows" to get the
> attention.. :)
>
> BTW, in your case, the file "Program" should be an exe and not just any other
> file to exploit this vulnerability. Right?
>
> On Tue, Oct 29, 2013 at 11:34 AM, Naoya Anzai <anzai-na...@mxu.nes.nec.co.jp> wrote:
>
> > Hi, Sandeep
> >
> > Thanks.
> >
> > Sorry, there was a mistake in what I said.
> >
> > I said
> >
> > > > Not only "pg_ctl.exe" but "postgres.exe" also have the same problem.
> >
> > but, to say it correctly,
> > "postgres.exe" does not have the problem.
> > The source that contains the problem is only "pg_ctl.c".
> >
> > > So, this is not an installer issue. Is this bug raised to the
> > > PostgreSQL community? If yes, you should submit the patch there.
> >
> > YES, I had submitted there already, but nobody has responded to me yet.
> >
> > http://postgresql.1045698.n5.nabble.com/PostgreSQL-Service-on-Windows-does-not-start-td5774206.html
> >
> > Regards,
> > Naoya
> >
> > > So, this is not an installer issue. Is this bug raised to the
> > > PostgreSQL community? If yes, you should submit the patch there.
> > >
> > > On Tue, Oct 29, 2013 at 6:23 AM, Naoya Anzai <anzai-na...@mxu.nes.nec.co.jp> wrote:
> > >
> > > > Hi, Asif
> > > >
> > > > Thank you for providing my patch (pg_ctl.c.patch) to Sandeep on my behalf.
> > > >
> > > > > Good finding. I have attached another version of patch
> > > > > (pg_ctl.c_windows_vulnerability.patch) attached that has fewer lines of code
> > > > > changes, can you please take a look? Thanks.
> > > >
> > > > I think your patch is not sufficient to fix.
> > > > Not only "pg_ctl.exe" but "postgres.exe" also have the same problem.
> > > > Even if your patch is attached,
> > > > the path of "postgres.exe" passed to CreateRestrictedProcess is not
> > > > enclosed in quotation. (See pgwin32_ServiceMain at pg_ctl.c)
> > > >
> > > > So, processing enclosed in quotation should do in both conditions.
> > > >
> > > > Regards,
> > > > Naoya
> > > >
> > > > ---
> > > > Naoya Anzai
> > > > Engineering Department
> > > > NEC Soft, Ltd.
> > > > E-Mail: anzai-na...@mxu.nes.nec.co.jp
> > > > ---
> > > >
> > > > > Hi Sandeep,
> > > > >
> > > > > PFA Naoya's patch (pg_ctl.c.patch).
> > > > >
> > > > > Hi Naoya,
> > > > >
> > > > > Good finding. I have attached another version of patch
> > > > > (pg_ctl.c_windows_vulnerability.patch) attached that has fewer lines of code
> > > > > changes, can you please take a look? Thanks.
> > > > >
> > > > > Best Regards,
> > > > > Asif Naeem
> > > > >
> > > > > On Mon, Oct 28, 2013 at 4:46 PM, Sandeep Thakkar <sandeep.thak...@enterprisedb.com> wrote:
> > > > >
> > > > > > Hi Dave
> > > > > >
> > > > > > We register the service using pg_ctl. When I manually executed the
> > > > > > following on the command prompt, I saw that the service path of the
> > > > > > registered service did not have the pg_ctl.exe path in quotes. Maybe it
> > > > > > should be handled in the pg_ctl code.
> > > > > >
> > > > > > c:\Users\Sandeep Thakkar\Documents>"c:\Program Files\PostgreSQL\9.3\bin\pg_ctl.exe" register -N "pg-9.3" -U "NT AUTHORITY\NetworkService" -D "c:\Program Files\PostgreSQL\9.3\data" -w
> > > > > >
> > > > > > Naoya, I could not find your patch here. Can you please share it again?
> > > > > >
> > > > > > On Mon, Oct 28, 2013 at 2:53 PM, Dave Page <dp...@pgadmin.org> wrote:
> > > > > >
> > > > > > > Sandeep, can you look at this please? Thanks.
> > > > > > >
> > > > > > > On Mon, Oct 28, 2013 at 8:18 AM, Asif Naeem <anaeem...@gmail.com> wrote:
> > > > > > > > It is related to the Windows unquoted service path vulnerability in the
> > > > > > > > installer that creates the service path without quotes, which makes
> > > > > > > > service.exe look for an undesirable path for the executable.
> > > > > > > >
> > > > > > > > postgresql-9.3 service path : C:/Users/asif/Desktop/Program files/9.3/bin/pg_ctl.exe runservice -N "postgresql-9.3" -D "C:/Users/asif/Desktop/Program files/9.3/data" -w
> > > > > > > >
> > > > > > > > service.exe
> > > > > > > > > C:\Users\asif\Desktop\Program NAME NOT FOUND
> > > > > > > > > C:\Users\asif\Desktop\Program.exe NAME NOT FOUND
> > > > > > > > > C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe ACCESS DENIED
> > > > > > > > > C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe ACCESS DENIED
> > > > > > > > > C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice NAME NOT FOUND
> > > > > > > > > C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice.exe NAME NOT FOUND
> > > > > > > > > C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N NAME NOT FOUND
> > > > > > > > > C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N.exe NAME NOT FOUND
> > > > > > > > > C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" NAME INVALID
> > > > > > > > > C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3".exe NAME INVALID
> > > > > > > > > C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D NAME INVALID
> > > > > > > > > C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D.exe NAME INVALID
> > > > > > > > > C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program NAME INVALID
> > > > > > > > > C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program.exe NAME INVALID
> > > > > > > > > C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program files\9.3\data" NAME INVALID
> > > > > > > > > C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program files\9.3\data".exe NAME INVALID
> > > > > > > > > C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program files\9.3\data" -w NAME INVALID
> > > > > > > > > C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program files\9.3\data" -w.exe NAME INVALID
> > > > > > > >
> > > > > > > > Fix :
> > > > > > > >
> > > > > > > > postgresql-9.3 service path : "C:/Users/asif/Desktop/Program files/9.3/bin/pg_ctl.exe" runservice -N "postgresql-9.3" -D "C:/Users/asif/Desktop/Program files/9.3/data" -w
> > > > > > > >
> > > > > > > > It would be good if this is reported on the pg installer forum or security
> > > > > > > > forum. Thanks.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Asif Naeem
> > > > > > > >
> > > > > > > > On Mon, Oct 28, 2013 at 12:06 PM, Naoya Anzai <anzai-na...@mxu.nes.nec.co.jp> wrote:
> > > > > > > > >
> > > > > > > > > Hi, Asif.
> > > > > > > > >
> > > > > > > > > Thank you for the response.
> > > > > > > > >
> > > > > > > > > > C:\Users\asif\Desktop\Program files\9.3>"bin\pg_ctl" -D "C:\Users\asif\Desktop\Program files\9.3\data1" -l logfile start
> > > > > > > > > > server starting
> > > > > > > > >
> > > > > > > > > This failure does not occur by the command line.
> > > > > > > > > PostgreSQL needs to start by Windows Service.
> > > > > > > > >
> > > > > > > > > Additionally, in this case,
> > > > > > > > > a file "Program" needs to exist at "C:\Users\asif\Desktop\", and
> > > > > > > > > "postgres.exe" needs to exist at "C:\Users\asif\Desktop\Program files\9.3\bin".
> > > > > > > > > ------------
> > > > > > > > > C:\Users\asif\Desktop\Program files\9.3\bin>dir
> > > > > > > > > ...
> > > > > > > > >      4,435,456 postgres.exe
> > > > > > > > >         80,896 pg_ctl.exe
> > > > > > > > > ...
> > > > > > > > >
> > > > > > > > > C:\Users\asif\Desktop>dir
> > > > > > > > > ...
> > > > > > > > >              0 Program
> > > > > > > > >          <DIR> Program files
> > > > > > > > > ...
> > > > > > > > > ------------
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > > Naoya
> > > > > > > > >
> > > > > > > > > > Hi Naoya,
> > > > > > > > > >
> > > > > > > > > > I am not able to reproduce the problem. Do you mean the pg windows service
> > > > > > > > > > installed by the installer is not working, or the bin\pg_ctl binary is not
> > > > > > > > > > accepting spaces in the path? The following worked for me, i.e.
> > > > > > > > > >
> > > > > > > > > > C:\Users\asif\Desktop\Program files\9.3>"bin\pg_ctl" -D "C:\Users\asif\Desktop\Program files\9.3\data1" -l logfile start
> > > > > > > > > > server starting
> > > > > > > > > >
> > > > > > > > > > Can you please share the exact steps? Thanks.
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > > Muhammad Asif Naeem
> > > > > > > > > >
> > > > > > > > > > On Mon, Oct 28, 2013 at 10:26 AM, Naoya Anzai <anzai-na...@mxu.nes.nec.co.jp> wrote:
> > > > > > > > > >
> > > > > > > > > > > Hi All,
> > > > > > > > > > >
> > > > > > > > > > > I have found a case where the PostgreSQL Service does not start.
> > > > > > > > > > > When it happens, the following error appears.
> > > > > > > > > > >
> > > > > > > > > > > "is not a valid Win32 application"
> > > > > > > > > > >
> > > > > > > > > > > This failure occurs when the following conditions are true.
> > > > > > > > > > >
> > > > > > > > > > > 1. There is "postgres.exe" in any directory that contains a space,
> > > > > > > > > > >    such as "Program Files".
> > > > > > > > > > >
> > > > > > > > > > >    e.g.)
> > > > > > > > > > >    C:\Program Files\PostgreSQL\bin\postgres.exe
> > > > > > > > > > >
> > > > > > > > > > > 2. A file using the first white-space-delimited token of that directory
> > > > > > > > > > >    as the file name exists, and it is in the same hierarchy.
> > > > > > > > > > >
> > > > > > > > > > >    e.g.)
> > > > > > > > > > >    C:\Program   //file
> > > > > > > > > > >
> > > > > > > > > > > "pg_ctl.exe" as the PostgreSQL Service creates a postgres process using
> > > > > > > > > > > an absolute path which indicates the location of "postgres.exe", but the
> > > > > > > > > > > path is not enclosed in quotation.
> > > > > > > > > > >
> > > > > > > > > > > Therefore, if the above-mentioned conditions are true,
> > > > > > > > > > > CreateProcessAsUser (a Windows function called by pg_ctl.exe) tries to
> > > > > > > > > > > create a process using the other file such as "Program", so the service
> > > > > > > > > > > fails to start.
> > > > > > > > > > >
> > > > > > > > > > > Accordingly, I think that the command path should be enclosed in quotation.
> > > > > > > > > > >
> > > > > > > > > > > I created a patch to fix this failure, so could anyone confirm?
> > > > > > > > > > >
> > > > > > > > > > > Regards,
> > > > > > > > > > >
> > > > > > > > > > > Naoya
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
> > > > > > > > > > > To make changes to your subscription:
> > > > > > > > > > > http://www.postgresql.org/mailpref/pgsql-hackers
> > > > > > >
> > > > > > > --
> > > > > > > Dave Page
> > > > > > > Blog: http://pgsnake.blogspot.com
> > > > > > > Twitter: @pgsnake
> > > > > > >
> > > > > > > EnterpriseDB UK: http://www.enterprisedb.com
> > > > > > > The Enterprise PostgreSQL Company
> > > > > >
> > > > > > --
> > > > > > Sandeep Thakkar
> > > > > > Senior Software Engineer
> > > > > >
> > > > > > Phone: +91.20.30589505
> > > > > >
> > > > > > Website: www.enterprisedb.com
> > > > > > EnterpriseDB Blog: http://blogs.enterprisedb.com/
> > > > > > Follow us on Twitter: http://www.twitter.com/enterprisedb
>
> This e-mail message (and any attachment) is intended for the use of the
> individual or entity to whom it is addressed. This message contains
> information from EnterpriseDB Corporation that may be privileged,
> confidential, or exempt from disclosure under applicable law. If you are not
> the intended recipient or authorized to receive this for the intended
> recipient, any use, dissemination, distribution, retention, archiving, or
> copying of this communication is strictly prohibited. If you have received
> this e-mail in error, please notify the sender immediately by reply e-mail
> and delete this message.
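To make the mechanism in this thread concrete (Naoya's conditions 1 and 2, and the candidate order visible in Asif's Process Monitor trace), here is an added example in C. It is not code from pg_ctl.c, from either patch discussed, or from Windows: it models the prefix walk CreateProcess performs on an unquoted command line (each space-delimited prefix, then that prefix with ".exe" appended) against an in-memory file list standing in for the filesystem, shows that a stray file "Program" wins over pg_ctl.exe, shows that quoting the path (the fix both patches make) removes the ambiguity, and includes the audit rule commonly used to find such services (unquoted path with a space before ".exe"). The constants kFiles, kExe, kArgs, kUnquotedCmd and kQuotedCmd are constructed from the paths in the thread, and all function names are the example's own. Real Windows additionally searches the PATH and applies permissions; the model leaves that out.

```c
/*
 * Added example (not pg_ctl.c, not Windows code): a model of how CreateProcess*()
 * resolves the image name of an UNQUOTED command line, reproducing the candidate
 * order in the Process Monitor trace above, plus the fix (quoting) and an audit
 * check.  The "filesystem" is the in-memory list kFiles, so this builds anywhere.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN   512
#define MAX_CANDIDATES 64

/* Constructed layout from the thread: a stray file "Program" next to "Program files". */
static const char *const kFiles[] = {
    "C:\\Users\\asif\\Desktop\\Program",
    "C:\\Users\\asif\\Desktop\\Program files\\9.3\\bin\\pg_ctl.exe",
};
static const char *const kExe  = "C:\\Users\\asif\\Desktop\\Program files\\9.3\\bin\\pg_ctl.exe";
static const char *const kArgs = "runservice -N \"postgresql-9.3\" -D \"C:\\Users\\asif\\Desktop\\Program files\\9.3\\data\" -w";
/* The registered service path before and after the fix. */
static const char *const kUnquotedCmd = "C:\\Users\\asif\\Desktop\\Program files\\9.3\\bin\\pg_ctl.exe runservice -N \"postgresql-9.3\" -D \"C:\\Users\\asif\\Desktop\\Program files\\9.3\\data\" -w";
static const char *const kQuotedCmd   = "\"C:\\Users\\asif\\Desktop\\Program files\\9.3\\bin\\pg_ctl.exe\" runservice -N \"postgresql-9.3\" -D \"C:\\Users\\asif\\Desktop\\Program files\\9.3\\data\" -w";

/* NTFS-style case-insensitive string equality. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* First ".exe" in s (case-insensitive) or NULL. */
static const char *find_exe(const char *s)
{
    for (; strlen(s) >= 4; s++)
        if (s[0] == '.' && tolower((unsigned char)s[1]) == 'e' &&
            tolower((unsigned char)s[2]) == 'x' && tolower((unsigned char)s[3]) == 'e')
            return s;
    return NULL;
}

/* Image names CreateProcess would try for cmdline, in order; returns the count. */
int image_candidates(const char *cmdline, char out[][MAX_PATH_LEN], int max)
{
    size_t len = strlen(cmdline);
    int count = 0;

    if (cmdline[0] == '"') {                  /* quoted: exactly the text inside the quotes */
        const char *end = strchr(cmdline + 1, '"');
        size_t n = end ? (size_t)(end - cmdline - 1) : len - 1;
        if (n >= MAX_PATH_LEN) n = MAX_PATH_LEN - 1;
        memcpy(out[0], cmdline + 1, n);
        out[0][n] = '\0';
        return 1;
    }
    for (size_t i = 1; i <= len && count + 2 <= max && i + 5 < MAX_PATH_LEN; i++) {
        if (i < len && cmdline[i] != ' ') continue;       /* cut only at a space or the end */
        memcpy(out[count], cmdline, i);                   /* the prefix as written ... */
        out[count][i] = '\0';
        count++;
        if (i < 4 || find_exe(out[count - 1] + i - 4) == NULL) {   /* ... then prefix + ".exe" */
            memcpy(out[count], cmdline, i);
            strcpy(out[count] + i, ".exe");
            count++;
        }
    }
    return count;
}

/* idx-th candidate (0-based) or NULL. */
const char *candidate_at(const char *cmdline, int idx)
{
    static char buf[MAX_CANDIDATES][MAX_PATH_LEN];
    int n = image_candidates(cmdline, buf, MAX_CANDIDATES);
    return (idx >= 0 && idx < n) ? buf[idx] : NULL;
}

/* First candidate present in files, i.e. the image that would actually run, or NULL. */
const char *resolve_image(const char *cmdline, const char *const *files, int nfiles)
{
    static char buf[MAX_CANDIDATES][MAX_PATH_LEN];
    int n = image_candidates(cmdline, buf, MAX_CANDIDATES);
    for (int i = 0; i < n; i++)
        for (int j = 0; j < nfiles; j++)
            if (ieq(buf[i], files[j])) return files[j];
    return NULL;
}

/* The fix: quote the image path before appending its arguments (NULL if it does not fit). */
const char *quoted_command(const char *exe, const char *args)
{
    static char buf[2 * MAX_PATH_LEN];
    int n = snprintf(buf, sizeof buf, "\"%s\" %s", exe, args);
    return (n > 0 && (size_t)n < sizeof buf) ? buf : NULL;
}

/* Audit rule for service paths: unquoted, and a space appears before the executable's ".exe". */
int is_unquoted_with_space(const char *cmdline)
{
    const char *sp, *exe;
    if (cmdline[0] == '"' || (sp = strchr(cmdline, ' ')) == NULL) return 0;
    exe = find_exe(cmdline);
    return exe == NULL || sp < exe;       /* no extension at all: every space is inside the path */
}

int main(void)
{
    static char cand[MAX_CANDIDATES][MAX_PATH_LEN];
    int n = image_candidates(kUnquotedCmd, cand, MAX_CANDIDATES);
    for (int i = 0; i < n; i++) printf("try: %s\n", cand[i]);
    const char *hit = resolve_image(kUnquotedCmd, kFiles, 2);
    printf("unquoted runs: %s\n", hit ? hit : "(none)");
    hit = resolve_image(quoted_command(kExe, kArgs), kFiles, 2);
    printf("quoted runs:   %s\n", hit ? hit : "(none)");
    return 0;
}
```

With "Program" being a plain zero-byte file, as in Naoya's dir listing, the resolved image cannot be loaded and the service fails with "is not a valid Win32 application"; if whoever can write to that directory drops a real executable there instead, it runs under the service account, which is why the suggested subject line calls the same layout exploitable. Without the stray file (try resolve_image with kFiles + 1) the unquoted path happens to work, which is why the bug only shows up on some machines.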