[snip]

The issue pointed out back then was that lots of hosts would have usernames
with the same name, namely "postgres". So a distributed attack would be able
to use a dictionary attack if it were targeting just the "postgres" user on
many hosts.

That was deemed not a threat model worth worrying about. It's pretty unlikely
someone would have access to the md5sums for many different hosts.



I'm worried about them having access to the md5sums for my host. If they did and I used 'md5' in pg_hba.conf they wouldn't need to brute force anything, they'd have all they needed to connect as the postgres user on my database.



Lest anyone think that this is a theoretical attack, PHPBB suffered an SQL injection last year that allowed you to, in essence, learn the truth or falsity of a boolean condition (nothing more) because you could add conditions to the WHERE clause.

If the application is connecting to the database as superuser, then the complete password can be read by testing each letter of the hash using substring and subselects in an expression. For example,

(SELECT substring(passwd, 1, 1) = 'F' FROM pg_shadow WHERE usename = 'postgres')

tests if the first character of the password hash is an F.

By doing this, the attacker can learn any user's password, even though he can't perform any inserts, updates, deletes, etc., and he can only extract data slowly.*

Of course, someone is asking to be 0wn3d if they set up PHPBB to connect as superuser. However, given the amount of work done to prevent foot-shooting in other areas (e.g., server refuses to run as root), it seems inconsistent that using md5 as the connection method opens the server to any attacker who knows the hashes.

Perhaps for 8.1 a new authentication method, say, "securemd5," ought to be created which remedies this deficiency?

Regards,
Paul Tillotson

*Interesting mental exercise: if all that your SQL injection allows is to add conditions to a WHERE clause evaluated as superuser, how does one execute arbitrary code? I can't think of how to do it offhand.

- You can't INSERT, UPDATE, DELETE, or perform any DDL (including creating new functions)
- You can't use COPY to overwrite local files.
- There aren't any built-in functions that write files, change tables, etc., are there?


Wouldn't you have to go for a buffer overflow in one of the built-in functions? That's considerably more difficult than simply connecting as superuser and using COPY to overwrite local files with arbitrary data.
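An added illustration, not part of the thread, of why the md5 value in pg_shadow is password-equivalent under md5 authentication: the stored form is "md5" + md5(password || username), and the challenge response is "md5" + md5(hex part of the stored form || 4-byte salt), so the cleartext is never needed after the first step. The helper names and the sample role and password are constructed for this demonstration.

```python
import hashlib
import os


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_md5_password(password: str, username: str) -> str:
    """Value pg_shadow holds for a role with an md5 password:
    "md5" followed by md5(cleartext || username) as 32 hex digits."""
    return "md5" + md5_hex((password + username).encode())


def md5_auth_response(stored_hash: str, salt: bytes) -> str:
    """Client side of AuthenticationMD5Password.
    Only the 32 hex digits of the stored form are hashed together with the
    server's 4-byte salt; the cleartext password plays no part here."""
    if not (stored_hash.startswith("md5") and len(stored_hash) == 35):
        raise ValueError("expected a 35-character md5-prefixed stored hash")
    if len(salt) != 4:
        raise ValueError("PostgreSQL md5 auth uses a 4-byte salt")
    return "md5" + md5_hex(stored_hash[3:].encode() + salt)


def server_verifies(stored_hash: str, salt: bytes, response: str) -> bool:
    """Server side: recompute the expected response from the pg_shadow value
    it already holds and compare it with what the client sent."""
    return response == md5_auth_response(stored_hash, salt)


def hash_only_party_authenticates(stored_hash: str) -> bool:
    """Shows the point of the thread: a party holding only the pg_shadow value
    (no cleartext) produces a response the server accepts for a fresh salt."""
    salt = os.urandom(4)  # the server draws a new random salt per attempt
    return server_verifies(stored_hash, salt, md5_auth_response(stored_hash, salt))


if __name__ == "__main__":
    # Constructed sample role and password for the demonstration.
    stored = stored_md5_password("correct horse", "postgres")
    print("pg_shadow value:", stored)
    print("hash-only party accepted:", hash_only_party_authenticates(stored))
```

The consequence for a defender is that a readable pg_shadow (or a blind-injection channel into it, as described above) must be treated as a credential leak, not merely a hash leak.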
