exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PostgreSQL JDBC Driver 8.1 SQL Injection

PostgreSQL JDBC Driver 8.1 SQL Injection
Posted Mar 27, 2012
Authored by Steffen Dettmer

When using PostgreSQL JDBC driver version 8.1 to connect to a PostgreSQL version 9.1 database, escaping of JDBC statement parameters does not work and SQL injection attacks are possible.

tags | advisory, sql injection
SHA-256 | 1745a36b3e8e23890664179075c87cf4ff3302fde57710cdcfc3479a3344c65a

PostgreSQL JDBC Driver 8.1 SQL Injection

Change Mirror Download
Hi,

when using PostgreSQL JDBC driver version 8.1 to connect to a PostgreSQL
version 9.1 database, escaping of JDBC statement parameters does
not work and SQL injection attacks are possible.

The problem can be reproduced for example with version 8.1-415
(released 2010-05-11), which still can be downloaded from the
official download location (although in `Archived Section'),
however this version is included in Linux distributions that are
still supported (for example SuSE Linux Enterprise Edition with
long-term support).

Connecting Java applications from such a server to a recent
PostgreSQL database, SQL injection attacks are possible.

Java Web Applications using JDBC running on such Linux versions
could allow to exploit this remotely, for example through a web app.



Vendor reponse (from <security@postgresql.org>):

> Anything not identified there as current or supported is, by
> reasonable inference, neither. Reporting a security bug
> against anything that's not current or supported is pointless.

However, such unsupported driver versions are included in
supported Linux distributions.

Since I think it is possible to accidentally use older (but still
supported) Linux application servers against recent databases, I
think a public information could be of interest.



Possible fix or workaround:

Do not use PostgreSQL JDBC driver version 8.1 but upgrade to most
recent version. If the distribution offers no suited package
(RPM), driver should be downloaded from jdbc.postgresql.org and
installed manually. This breaks package management consitency but
seems to be the smaller issue.



How to reproduce:

When the small code Postgres.java (attached) is compiled and
runned with Java 1.7 and the Postgres 8.1 JDBC3 driver against a
Postgres 9.1 database:

$ java -cp postgresql-8.1-415.jdbc3.jar:. Postgres

the following Exception occures:

Exception in thread "main" org.postgresql.util.PSQLException:
ERROR: syntax error at or near "(" at character 134

The driver can be downloaded under

http://jdbc.postgresql.org/download/postgresql-8.1-415.jdbc3.jar

In the "Archived Versions"-section of http://jdbc.postgresql.org/download.html.

(They are supported anymore, but there is no hint that
downloading and using them in our point of view opens a security
treat, so we think this is not good)

When the application is run with the Postgres 9.1 JDBC3 driver,
it behaves correctly.

We think it is likely that JDBC drivers with 8.1-x are still used
productively, for example SuSE Linux Enterprise Edition with
long-term support and we are not aware of some security bulletin
telling that an upgrade is recommended for security reasons,
since there might be not much interest in changing running
systems without need.

Regards,
Steffen Dettmer




------------------------------------------------------------------->8=======
* Steffen Dettmer wrote on Mon, Feb 27, 2012 at 17:36 +0100:
> Hi,
>
> we think we have found an escaping problem in JDBC driver 8.1 allowing
> SQL injection attacks when connecting to PostgreSQL 9.1 . According to
> http://jdbc.postgresql.org/changes.html#version_8.1-415, this
> issue is not known (not fixed).
[...]
> Our software relys on correct parameter escaping when using a
> java.sql.PreparedStatement for "SELECT stored_procedure(?, ?) AS
> result" used with "statement.setString()" etc., which according to our
> understanding should be the usual and safe way to call stored
> procedures on PostgreSQL.
>
> We found that it fails with at least postgresql-8.1-407.jdbc3.jar
> from http://jdbc.postgresql.org/download.html and Postgres 9.1
> database.
>
> The exact case where it occured in production was the query:
>
> SELECT appendJobEvent(?, ?, ?, ?) AS result
>
> with parameters set via "setString(pos, value)". Parameter
> number 4 contained single quote characters, but they should be
> escaped and end up in the database literally.
>
> Instead, we get:
>
> ERROR: syntax error at or near "(" at character 163 (ERROR:
> syntax error at or near "(" at character 163)'
>
> we tested and got exactly the same error message when using the string
> directly (i.e. not via "?" and setString), which is expected.
>
> Connecting to an older database version (7.1) or updating the driver
> to postgresql-9.1-901.jdbc3.jar from
> http://jdbc.postgresql.org/download.html both make the same query
> with the same parameters work.
>
> Since our development environment unit tests check for a similar
> issue, it seems that when using the same version of JDBC driver and
> database (the normal configuration when having a test database on
> localhost), escaping probably works well in a probably wide range of
> versions, but not in at least this combination (8.1-407 JDBC driver to
> 9.1 DBMS).

--[ Postgres.java ]------------------------------------------------>8=======

// "Sascha BAER" <Sascha.BAER@ingenico.com> -- SFR-1315206
// SQL injection when connecting to PostgreSQL 9.1 with version 8.1 JDBC driver
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import java.util.Properties;

public class Postgres
{
public static void main(String[] args)
throws Exception
{
Properties connectionProps = new Properties();
// Load postgres Driver: this is needed for 8.1 Drivers.
Class jdbcDriver = Class.forName("org.postgresql.Driver");

connectionProps.put("user", "sfr1315206");
connectionProps.put("password", "secret");

// protocolVersion 2 is needed to trigger the problem.
connectionProps.put("protocolVersion", "2");

Connection conn = DriverManager.getConnection(
"jdbc:postgresql://pg9-test/test1315206",
connectionProps);

String hint = new String("com.ingenico.de.data.DataException: "
+ "(Bitmap 2: ( (Data exceeds format length!); "
+ "Producer f = `PropLLXPVar(19): null') (F1F2672191104016...)): "
+ "class com.ingenico.de.data.DataException (5): "
+ "[thrown in `consume()' at BitmapConsumer.java, line 84]");

PreparedStatement ps = conn.prepareStatement(
"SELECT foo(?) AS result");
ps.setString(1, hint);
ResultSet result = ps.executeQuery();

result.next();
System.out.println(result.getString(1));
}
}

// Configuration stuff for the emacs editor. Please don't remove
// Local Variables:
// tab-width: 4
// End:

// Modeline for VIM. Please don't remove.
// (Help: autoindent, expandtab, shiftwidth=4, tabstop=4, textwidth=75)
// vi: set ai et sw=4 ts=4 tw=75:
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close