
PostgreSQL LDAP Anonymous Bind Authentication Bypass

2009-09-11 00:00:00

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS

0.014

Percentile

86.6%

The version of PostgreSQL running on the remote host has an authentication bypass vulnerability. If PostgreSQL is using LDAP authentication, and the LDAP server is configured to allow anonymous binds, it may be possible to log into the PostgreSQL server using a blank password. A remote attacker could exploit this to gain access to the database server, possibly as an administrator.

There are reportedly other vulnerabilities in this version of PostgreSQL, though Nessus has not checked for those issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Plugin registration block. When the engine loads the script with
# 'description' set, only the metadata below is recorded and the script
# exits without touching the network; the actual check lives further down.
if (description)
{
  script_id(40947);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  # Public identifiers for the issue this plugin detects.
  script_cve_id("CVE-2009-3231");
  script_bugtraq_id(36314);
  script_xref(name:"SECUNIA", value:"36660");

  script_name(english:"PostgreSQL LDAP Anonymous Bind Authentication Bypass");

  script_set_attribute(attribute:"synopsis", value:
"The database service running on the remote host has an authentication
bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of PostgreSQL running on the remote host has an
authentication bypass vulnerability. If PostgreSQL is using LDAP
authentication, and the LDAP server is configured to allow anonymous
binds, it may be possible to log into the PostgreSQL server using a
blank password. A remote attacker could exploit this to gain access to
the database server, possibly as an administrator.

There are reportedly other vulnerabilities in this version of
PostgreSQL, though Nessus has not checked for those issues.");
  script_set_attribute(attribute:"see_also", value:"http://www.postgresql.org/about/news.1135");
  script_set_attribute(attribute:"see_also", value:"https://www.postgresql.org/support/security/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PostgreSQL 8.2.14 / 8.3.8 or later.");
  # Scoring: base vector plus temporal vector (no known exploit, official fix).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  # CWE-287: Improper Authentication.
  script_cwe_id(287);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/09/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/11");

  # Remote (active) check; it only runs when thorough tests are enabled.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:postgresql:postgresql");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.");

  # Needs the PostgreSQL service to have been detected first; the port is
  # taken from that detection, falling back to the default 5432.
  script_dependencies("postgresql_detect.nasl");
  script_require_ports("Services/postgresql", 5432);

  exit(0);
}


include("byte_func.inc");
include("global_settings.inc");
include("misc_func.inc");


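# Perform one PostgreSQL startup + password exchange against 'port'.
#
# Sends a protocol 3.0 StartupMessage for 'user' (with a throwaway
# database name so no real database is named), reads the server's first
# Authentication ('R') message, then sends a PasswordMessage carrying
# 'pass'.
#
# Returns the raw bytes of the server's reply to the PasswordMessage for
# the caller to inspect. Any transport or protocol failure terminates the
# script with exit(1) instead of returning.
function login(port, user, pass)
{
  local_var soc, req, reqlen, data, reslen, res;

  set_byte_order(BYTE_ORDER_BIG_ENDIAN);
  soc = open_sock_tcp(port);
  if (!soc) exit(1, "Unable to create a socket.");

  # StartupMessage: protocol version 3.0, then NUL-terminated key/value
  # pairs, then a final NUL. The database name is the current timestamp
  # so it does not collide with an existing database.
  req = string(
    mkword(0x03), mkword(0x00),
    "user", mkbyte(0),
      user, mkbyte(0),
    "database", mkbyte(0),
      unixtime(), mkbyte(0),
    "client_encoding", mkbyte(0),
      "UNICODE", mkbyte(0),
    "DateStyle", mkbyte(0),
      "ISO", mkbyte(0),
    mkbyte(0)
  );
  reqlen = strlen(req);
  # The length prefix counts itself (4 bytes) as well as the payload.
  data = mkdword(reqlen + 4) + req;
  send(socket:soc, data:data);

  # First byte is the message type; only an Authentication request ('R')
  # lets us continue.
  res = recv(socket:soc, length:1, min:1);
  if (isnull(res)) exit(1, "The server failed to respond.");
  if (res[0] != "R") exit(1, "Unexpected response error (" + res[0] + ").");

  # Next four bytes are the message length, which includes themselves.
  res += recv(socket:soc, length:4, min:4);
  if (strlen(res) < 5) exit(1, "Unable to get the length of the response.");

  reslen = getdword(blob:res, pos:1);
  # An Authentication message carries a 4-byte length and a 4-byte auth
  # type, so any length below 8 is malformed; rejecting it also keeps the
  # 'reslen - 4' read below from going negative on a bogus length.
  if (reslen < 8) exit(1, "Unexpected short response length (" + reslen + ").");
  # Upper bound so a hostile or confused server cannot make us read
  # an arbitrarily large body.
  if (reslen > 2048) exit(1, "Unexpected big response.");

  res += recv(socket:soc, length:reslen - 4);
  if (strlen(res) == 5) exit(1, "The server failed to respond.");

  # PasswordMessage ('p'): length = 4 (length word) + password + NUL.
  req = string(mkbyte(0x70), mkdword(strlen(pass) + 5), pass, mkbyte(0));
  send(socket:soc, data:req);
  res = recv(socket:soc, length:1024);
  if (isnull(res)) exit(1, "The server failed to respond.");
  close(soc);

  return res;
}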


#
# Execution begins here
#

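port = get_kb_item("Services/postgresql");
if (!port) port = 5432;
if (!get_tcp_port_state(port)) exit(1, "The port is not open.");

# On an affected server, authentication succeeds for any username with
# an empty password, so the plugin's own name is used as a username that
# should not correspond to a real account.
user = SCRIPT_NAME;
pass = '';
auth_res = login(port:port, user:user, pass:pass);

# A successful login is answered with an AuthenticationOk message:
# type 'R', length 8, auth type 0 -- 9 bytes in total. Check the byte
# count of the reply explicitly; comparing the raw string against a
# number does not measure its length and would let a short reply reach
# the getdword() calls below.
if (strlen(auth_res) >= 9)
{
  resp_type = auth_res[0];
  resp_len = getdword(blob:auth_res, pos:1);
  auth_type = getdword(blob:auth_res, pos:5);

  if (resp_type == 'R' && resp_len == 8 && auth_type == 0)
    security_warning(port);
  else
    exit(0, "The host is not affected.");
}
else exit(1, "Unexpectedly short response received.");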
Vendor / Product / Version / CPE
postgresql / postgresql / (any) / cpe:/a:postgresql:postgresql
