Vigil@nce: PostgreSQL, log file corruption
April 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An authenticated attacker can use queries containing a special
character, in order to corrupt PostgreSQL log files, so log
analysis tools cannot process them.
– Severity: 1/4
– Creation date: 31/03/2011
IMPACTED PRODUCTS
– OpenSUSE
– PostgreSQL
DESCRIPTION OF THE VULNERABILITY
Depending on systems, new lines use different characters:
– \n (0x0A) : Unix
– \r\n (0x0D 0x0A) : MS-DOS
– \r (0x0D) : Mac
The append_with_tabs() function of the src/backend/utils/error/elog.c
file inserts tabulations in entries containing line feeds. For
example, "a message\non two lines" is logged as:
a message\n
\ton two lines
However, the ’\r’ (0x0D) character is not processed. A line
containing this character is not split. For example, "a
message\ron two lines" is logged as:
a message\ron two lines
A log analysis tool will thus interpret "on two lines" as a new
entry, because this string does not start by a tabulation.
An authenticated attacker can therefore use queries containing a
special character, in order to corrupt PostgreSQL log files, so
log analysis tools cannot process them.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/PostgreSQL-log-file-corruption-10505