
PostgreSQL 10 Installer For Windows DLL Hijacking

Posted Oct 10, 2017
Authored by Stefan Kanthak

The PostgreSQL 10 installer for Windows suffers from a dll hijacking vulnerability.

tags | exploit
systems | windows
MD5 | f46c2b1ad8a1d5e4276cb73262711868

Hi @ll,

the executable installers of PostgreSQL 10 for Windows,
1. PostgreSQL-10.0-1-win64-bigsql.exe, available via
<https://www.postgresql.org/download/windows/>,
2. postgresql-10.0-1-windows.exe and
postgresql-10.0-1-windows-x64.exe, available via
<https://www.postgresql.org/download/windows/>,
are vulnerable and defective:


1.a) They load (on a fully patched Windows 7) the system DLLs
UXTheme.dll, SAMCli.dll, SchedCli.dll, LogonCli.dll and
CryptSP.dll from their "application directory" instead of Windows'
"system directory" %SystemRoot%\System32\, resulting in arbitrary
code execution. The application directory precedes
%SystemRoot%\System32\ in Windows' default DLL search order; only
DLLs listed under the "KnownDLLs" registry key are exempt from it.

For software downloaded with a web browser the "application directory"
is typically the user's "Downloads" directory: see
<http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<http://seclists.org/fulldisclosure/2012/Aug/134> and

Also see <https://cwe.mitre.org/data/definitions/426.html>,
<https://capec.mitre.org/data/definitions/471.html> and

Thanks to the embedded application manifest which specifies
"requireAdministrator" the installers will be started with
administrative privileges ("protected" administrators are prompted
for consent, unprivileged standard users are prompted for an
administrator password), resulting in an escalation of privilege!

If (one of) the DLLs named above get(s) planted in the user's
"Downloads" directory, for example per "drive-by download", this
vulnerability becomes a remote code execution WITH escalation of

Proof of concept:

1. Visit <https://skanthak.homepage.t-online.de/sentinel.html>,
and save it as UXTheme.dll in your "Downloads" directory, then
copy it as SAMCli.dll, SchedCli.dll, LogonCli.dll and CryptSP.dll;

2. Download the executable installers
and save them in your "Downloads" directory;

3. Start the downloaded installers; notice the message boxes
displayed from the "sentinels": PWNED!

1.b) They create about a dozen DLLs with names BR*.TMP
(as generated by Windows' GetTempFileName() API, see
in the user's (unprotected) %TEMP% directory and load them
during execution.

See <https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html> for this
well-known and well-documented weakness.

An unprivileged attacker can modify these DLLs between their
creation and loading, for example using the following (trivial)
batch script, again resulting in arbitrary code execution with
escalation of privilege!

Rem Poll until the installer has created its BR????.DLL temporary
Rem files, then overwrite each of them with the sentinel DLL before
Rem the installer gets around to loading it.
:WAIT
If Not Exist "%TEMP%\BR????.DLL" Goto :WAIT
For %%! In ("%TEMP%\BR????.DLL") Do Copy "%USERPROFILE%\Downloads\UXTheme.dll" "%%!"
--- EOF ---


2.a) they have INVALID PE (section) headers; Microsoft's DUMPBIN.EXE
aborts with "access violation" (see below) due to the INVALID
section name "/4"!

From the PE/COFF specification, available via

| Offset Size Field Description
| 0 8 Name An 8-byte, null-padded UTF-8 encoded string.
| If the string is exactly 8 characters long,
| there is no terminating null. For longer names,
| this field contains a slash (/) that is followed
| by an ASCII representation of a decimal number
| that is an offset into the string table.
| Executable images do not use a string table and do
| not support section names longer than 8 characters.
| Long names in object files are truncated if they
| are emitted to an executable file.

2.b) their IMPORT directory contains 2 IMAGE_IMPORT_DESCRIPTOR entries
for msvcrt.dll.

They should have only 1 IMAGE_IMPORT_DESCRIPTOR per DLL!
See the PE/COFF specification:

| Import Directory Table
| The import directory table consists of an array of import directory
| entries, one entry for each DLL to which the image refers.
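The three header-level findings above (1.a, 2.a and 2.b) can be checked statically with a small PE parser written against the PE/COFF layout the advisory quotes. The following script is an added example and is not code from the advisory, from Stefan Kanthak or from the PostgreSQL/BitRock projects. It assumes nothing beyond the PE/COFF specification: the sample image it builds is a constructed PE32 file (not a real installer) that reproduces a "/4" section name, a duplicated msvcrt.dll descriptor and a non-KnownDLL import, and KNOWN_DLLS is a constructed subset of the KnownDLLs registry key, not the list from any real machine.

```python
"""Static checks for the PE header defects described above.  Added example,
not part of the advisory.  The sample image and KNOWN_DLLS are constructed."""
import struct
import sys
from collections import Counter

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
# Constructed subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# Only DLLs listed there escape the "application directory first" search order.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "advapi32.dll", "user32.dll", "msvcrt.dll"}


def _nt_headers(data):
    """File offset of the 'PE\\0\\0' signature (from e_lfanew in the DOS header)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return pe


def parse_sections(data):
    """Decode the section table (40-byte entries following the optional header)."""
    pe = _nt_headers(data)
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]
    first = pe + 24 + size_opt
    out = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, first + 40 * i)
        out.append({"name": name, "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return out


def invalid_section_names(data):
    """2.a: '/N' string-table names are legal in object files only, never in images."""
    bad = []
    for s in parse_sections(data):
        name = s["name"].rstrip(b"\0")
        if name.startswith(b"/") and name[1:].isdigit():
            bad.append(name.decode())
    return bad


def rva_to_offset(rva, sections):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def import_descriptors(data):
    """DLL name of every IMAGE_IMPORT_DESCRIPTOR, in table order, lower-cased."""
    pe = _nt_headers(data)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    data_dir = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+
    imp_rva = struct.unpack_from("<I", data, data_dir + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    if imp_rva == 0:
        return []
    sections = parse_sections(data)
    off, names = rva_to_offset(imp_rva, sections), []
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:          # all-zero terminator
            return names
        noff = rva_to_offset(name_rva, sections)
        names.append(data[noff:data.index(b"\0", noff)].decode("ascii").lower())
        off += 20


def duplicate_import_dlls(data):
    """2.b: the spec allows one descriptor per DLL; report DLLs listed more than once."""
    return {dll: n for dll, n in Counter(import_descriptors(data)).items() if n > 1}


def hijackable_imports(data, known_dlls=KNOWN_DLLS):
    """1.a: direct imports that are not KnownDLLs resolve from the application
    directory first, so a planted copy there wins.  LoadLibrary() calls and
    transitive loads (e.g. SAMCli.dll via another DLL) are NOT seen here."""
    return sorted(set(import_descriptors(data)) - {k.lower() for k in known_dlls})


def build_sample_pe():
    """Constructed PE32 image (not a real installer) exhibiting all three defects."""
    idata_rva, idata_raw = 0x1000, 0x200
    names = [b"msvcrt.dll\0", b"uxtheme.dll\0", b"kernel32.dll\0"]
    order = [0, 1, 2, 0]                      # msvcrt.dll listed twice
    rvas, pos = [], 20 * (len(order) + 1)     # strings follow descriptors + terminator
    for n in names:
        rvas.append(idata_rva + pos)
        pos += len(n)
    table = b"".join(struct.pack("<IIIII", 0, 0, 0, rvas[i], 0) for i in order) + bytes(20)
    idata = table + b"".join(names)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, idata_rva, len(table))
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)

    def sec(name, va, size, raw):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, raw, 0, 0, 0, 0, 0x40000040)

    hdr = dos + b"PE\0\0" + coff + opt + sec(b".idata", idata_rva, len(idata), idata_raw) \
        + sec(b"/4", 0x2000, 16, 0x400)       # the invalid string-table style name
    img = hdr.ljust(idata_raw, b"\0") + idata
    return bytes(img.ljust(0x400, b"\0") + b"\x90" * 16)


def check_image(data):
    return {"bad_section_names": invalid_section_names(data),
            "duplicate_imports": duplicate_import_dlls(data),
            "hijackable_imports": hijackable_imports(data)}


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in check_image(blob).items():
        print(f"{key}: {value}")
```

Run it with the path of an installer as the only argument (a hypothetical `python pe_checks.py installer.exe`) to get the three findings for that file; without an argument it runs against the constructed sample. Unlike DUMPBIN, the parser tolerates the "/4" name and reports it rather than crashing. The import check is a static lower bound only: the UXTheme.dll, SAMCli.dll, SchedCli.dll, LogonCli.dll and CryptSP.dll loads the advisory observed at runtime may come through LoadLibrary() or through another DLL's imports, which a dynamic trace of the running installer is needed to see.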


* Don't build executable installers, they are almost always vulnerable!

Create native installation packages for the respective OS instead.
For Windows these are .MSI or .INF with .CAB.

* Don't use executable installers!

* stay FAR away from PostgreSQL for Windows!

stay tuned
Stefan Kanthak


2017-02-17 vulnerability report sent to security@postgresql.org

2017-02-18 reply from vendor:
"the installers are built using Bitrock InstallBuilder
which generates the final executable that the user
downloads. I have therefore escalated this report to
Bitrock's support team, and as soon as they have a
solution will initiate a set of update releases for
affected packages."

2017-10-05 PostgreSQL releases version 10, again sporting this

Obviously both PostgreSQL and BitRock are unwilling,
unable or just too incompetent to provide installers
without well-known, trivial to detect and trivial to
exploit vulnerabilities.

2017-10-09 report published


C:\Users\Stefan\Downloads>link.exe /dump PostgreSQL-10.0-1-win64-bigsql.exe

Microsoft (R) COFF/PE Dumper Version 8.00.50727.762
Copyright (C) Microsoft Corporation. All rights reserved.

Dump of file PostgreSQL-10.0-1-win64-bigsql.exe


LINK : fatal error LNK1000: Internal error during DumpSections

Version 8.00.50727.762

ExceptionCode = C0000005
ExceptionFlags = 00000000
ExceptionAddress = 00427362 (00400000) "C:\Program Files\...\LINK.EXE"
NumberParameters = 00000002
ExceptionInformation[ 0] = 00000000
ExceptionInformation[ 1] = 00000004

