CVE-2020-25695 Privilege Escalation in Postgresql

This year has been crazy; I hope you are all well and that the rest of the year goes better. This is my first and probably only post of the year (and the first in Spanish). I am going to talk about a vulnerability I found in Postgresql, which affects all versions since 9.5, and probably earlier versions as well. The vulnerability is similar to a time-of-check to time-of-use (TOCTOU) issue, which can also be described as a failure to reset state before exiting a restricted operation....

December 15, 2020 · 13 min · 2690 words · Etienne Stalmans

CVE-2020-25695 Privilege Escalation in Postgresql

It has been quite a year, I hope everyone is well and staying safe. This is my first and probably only post for the year, and covers a fun privilege escalation vulnerability I found in Postgresql. This affects all supported versions of Postgresql going back to 9.5, and it likely affects most earlier versions as well. The vulnerability is similar to a time-of-check to time-of-use (TOCTOU) issue; however, in this case it relates to state not being fully cleared/reset before exiting a security restricted operation....

December 15, 2020 · 13 min · 2637 words · Etienne Stalmans

Go get -u CVE-2018-16873

Last year I stumbled across a vulnerability in Go’s go get command, which could lead to code execution when a malicious Go package was downloaded. I reported this to the Go team and it was subsequently assigned CVE-2018-16873. The actual vulnerability was really interesting since it was solely a logic vulnerability, where I abused the order in which packages were cloned by the go get command and how these would be laid out on disk. This makes it one of my personal favourite bugs. ...

March 28, 2019 · 12 min · 2464 words · Etienne Stalmans

CVE-2018-11235 git RCE

Remote code execution through malicious submodules.

June 3, 2018 · 13 min · 2758 words · Etienne Stalmans

CVE-2017-17405 RCE in Ruby's FTP lib

The FTP library in Ruby did not validate remote filenames and blindly passed these to the kernel.open function. This created a remotely exploitable vulnerability. Since the filenames were supplied by the remote FTP server, it was possible to create a malicious server that could exploit this vulnerability when a vulnerable Ruby client connected and tried to download a file. ...

June 1, 2018 · 1 min · 133 words · Etienne Stalmans