Protocol Message Length Overflow Vulnerability #711

Closed
markmeeus opened this issue Oct 23, 2024 · 1 comment

@markmeeus
Contributor

Elixir version

Any

Database and Version

Any

Postgrex Version

Any

Current behavior

Referencing this research:
https://www.youtube.com/watch?v=Tfg1B8u1yvE

There is a possible vulnerability in clients that do not check the length of bytes before encoding the 4 length bytes in the postgres binary protocol.
This way, when a user sends data > 2^32, the 4 length bytes will overflow and allow an attacker to smuggle an extra message.
This extra message can be any valid postgres statement, and may result in serious security issues.

I checked the Postgrex code and it looks like the vulnerability might be here as well:

I found this in /messages.ex

```elixir
# Frame encoder as found in Postgrex's messages.ex: the 4-byte length prefix
# is computed from the payload size but never range-checked before encoding.
def encode_msg(msg) do
  {first, data} = encode(msg)
  # total frame length counts the 4 length bytes themselves
  size = IO.iodata_length(data) + 4
  if first do
    [first, <<size::int32()>>, data]
  else
    [<<size::int32()>>, data]
  end
end
```

`<size::signed-32>` will overflow, but the data is not trimmed.

Expected behavior

I would expect Postgrex to raise an exception.
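A length-checked version of the encoder, as an added example that is neither Postgrex's own code nor the fix shipped in v0.19.2: it computes the frame size the same way as the snippet above, but raises before emitting a length that cannot be represented in the protocol's signed 32-bit field, so an oversized payload can never be sent with a wrapped-around prefix. The `SafeEncode` module name and the `encode/1` stand-in for a Query message are assumptions made for the example.

```elixir
# Added example, not Postgrex's code. Demonstrates the range check the issue
# asks for: refuse to encode a frame whose length does not fit in the
# protocol's signed 32-bit length field.
defmodule SafeEncode do
  # Largest value a signed 32-bit length field can carry (2^31 - 1). The
  # frame length includes the 4 length bytes, so the payload itself may be
  # at most @max_size - 4 bytes.
  @max_size 2_147_483_647

  def encode_msg(msg) do
    {first, data} = encode(msg)
    size = IO.iodata_length(data) + 4

    if size > @max_size do
      raise ArgumentError,
            "message of #{size} bytes exceeds the 32-bit protocol length field"
    end

    # Same framing as the original encoder; only reached when size is in range.
    if first do
      [first, <<size::signed-32>>, data]
    else
      [<<size::signed-32>>, data]
    end
  end

  # Constructed stand-in for the real per-message encoder (assumption): a
  # simple Query message, tag 'Q' followed by a NUL-terminated query string.
  defp encode({:query, sql}) when is_binary(sql), do: {?Q, [sql, 0]}
end
```

`SafeEncode.encode_msg({:query, "select 1"})` produces the frame `["Q", <<0, 0, 0, 13>>, ["select 1", 0]]`, while a query string longer than `2^31 - 5` bytes raises an `ArgumentError` instead of silently emitting a length prefix that a server would read as the start of a different, shorter message.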

@wojtekmach
Member

Postgrex v0.19.2 is out, thank you for the report!
