The Schemaverse was hacked!

Well, that didn’t take long :) I wanted to leave the public database unpatched for a couple days to see how long it would take somebody to compromise it after the announcement of a serious vulnerability. About 24 hours after the release, this little file showed up in my /data directory. 

-bash-4.1$ ls -l
total 108
drwx------. 8 postgres postgres  4096 Oct  9 14:08 base
drwx------. 2 postgres postgres  4096 Apr  6 17:30 global
drwx------. 2 postgres postgres  4096 Apr  5 16:25 pg_clog
-rw-------. 1 postgres postgres  3982 Oct 29 11:10 pg_hba.conf
-rw-------. 1 postgres postgres  1636 Oct  9 10:10 pg_ident.conf
drwx------. 2 postgres postgres  4096 Oct 15 00:00 pg_log
drwx------. 4 postgres postgres  4096 Oct  9 10:10 pg_multixact
drwx------. 2 postgres postgres  4096 Apr  6 17:30 pg_notify
drwx------. 2 postgres postgres  4096 Oct  9 10:10 pg_serial
drwx------. 2 postgres postgres  4096 Oct  9 10:10 pg_snapshots
drwx------. 2 postgres postgres  4096 Apr  6 17:30 pg_stat_tmp
drwx------. 2 postgres postgres  4096 Apr  6 15:50 pg_subtrans
drwx------. 2 postgres postgres  4096 Oct  9 10:10 pg_tblspc
drwx------. 2 postgres postgres  4096 Oct  9 10:10 pg_twophase
-rw-------. 1 postgres postgres     4 Oct  9 10:10 PG_VERSION
drwx------. 3 postgres postgres  4096 Apr  6 17:26 pg_xlog
-rw-------. 1 postgres postgres 19660 Apr  4 08:59 postgresql.conf
-rw-------. 1 postgres postgres    71 Apr  4 08:59 postmaster.opts
-rw-------. 1 postgres postgres    72 Apr  4 08:59 postmaster.pid
-rw-------. 1 postgres postgres   535 Apr  5 05:33 SECURITY_RISK_PLEASE_UPGRADE_TO_9.2.4_NOW
-bash-4.1$ cat SECURITY_RISK_PLEASE_UPGRADE_TO_9.2.4_NOW 
?otFATAL:  no pg_hba.conf entry for host "***", user "***", database "-rSECURITY_RISK_PLEASE_UPGRADE_TO_9.2.4_NOW", SSL on
DETAIL:  Client IP address resolved to "c-***", forward lookup not checked.
?otFATAL: no pg_hba.conf entry for host "***", user "***", database "-rSECURITY_RISK_PLEASE_UPGRADE_TO_9.2.4_NOW", SSL off
DETAIL: Client IP address resolved to "c-***", forward lookup not checked.
-bash-4.1$

This kind ‘attacker’ could have easily destroyed the entire database. Instead, they just wrote me a nice note on my file system.

Now, as a good security professional, I get to rebuild a server. 

Please, please, please take this as a warning for anybody else currently running anything less than PostgreSQL 9.2.4, 9.1.9, 9.0.13 or 8.4.17. Vulnerability CVE-2013-1899 is serious and needs to be addressed immediately. Hiding behind a firewall will make this far less of a threat but please don’t rely on that, just patch your damn box!
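Two quick defender-side checks for the situation described above, written as an added example for this post (not the Schemaverse project's own code): a version test against the fixed releases listed in the paragraph above, a scan of PostgreSQL log lines for connection attempts whose database name begins with "-" (the CVE-2013-1899 pattern, which an unpatched server parses as a backend command-line switch; the "-r" in the note above redirected the error output into the data directory), and a diff of a data-directory listing against the entries shown in the listing at the top of the post. The log lines, hostnames and version strings are constructed samples; the FATAL/DETAIL line shape follows what the attacker's file contained.

```python
"""Defender-side checks around CVE-2013-1899 (PostgreSQL argument injection
through a database name starting with "-").

Added example, not code from the Schemaverse post.  Log lines, hosts and
version strings below are constructed; the log format copies the FATAL line
quoted in the post.
"""
import re

# First fixed release on each branch, as listed in the post.
FIXED_VERSIONS = {
    (9, 2): (9, 2, 4),
    (9, 1): (9, 1, 9),
    (9, 0): (9, 0, 13),
    (8, 4): (8, 4, 17),
}


def parse_version(text):
    """'9.2.3' -> (9, 2, 3); also accepts SELECT version() style output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(p) for p in m.groups())


def is_patched(version_text):
    """True when the version is at or above the fix for its branch.

    Branches newer than any in the table were released after the fix, so they
    count as patched; older branches not in the table (e.g. 8.3) are out of
    support and treated as unpatched.
    """
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[branch]
    return branch > max(FIXED_VERSIONS)


# Shape of the FATAL line the attacker's file contained.
HBA_REJECT = re.compile(
    r'FATAL:\s+no pg_hba\.conf entry for host "(?P<host>[^"]*)", '
    r'user "(?P<user>[^"]*)", database "(?P<db>[^"]*)"'
)


def suspicious_dbnames(log_lines):
    """Return (host, user, dbname) for attempts whose database name starts
    with '-'.  On an unpatched server these lines may land in the file the
    attacker named rather than in pg_log, as happened in the post, so feed
    this both the normal log and any unexpected files found in PGDATA."""
    hits = []
    for line in log_lines:
        m = HBA_REJECT.search(line)
        if m and m.group("db").startswith("-"):
            hits.append((m.group("host"), m.group("user"), m.group("db")))
    return hits


# Entries from the 9.2 data directory listing in the post; other major
# versions add or remove a few, so adjust the baseline for your server.
EXPECTED_PGDATA = {
    "base", "global", "pg_clog", "pg_hba.conf", "pg_ident.conf", "pg_log",
    "pg_multixact", "pg_notify", "pg_serial", "pg_snapshots", "pg_stat_tmp",
    "pg_subtrans", "pg_tblspc", "pg_twophase", "PG_VERSION", "pg_xlog",
    "postgresql.conf", "postmaster.opts", "postmaster.pid",
}


def unexpected_files(names):
    """Entries in a PGDATA listing that are not part of the known layout."""
    return sorted(set(names) - EXPECTED_PGDATA)


# Constructed sample input (addresses are documentation ranges).
SAMPLE_LOG = [
    'FATAL:  no pg_hba.conf entry for host "203.0.113.5", user "guest", '
    'database "-rSECURITY_RISK_PLEASE_UPGRADE_TO_9.2.4_NOW", SSL on',
    'DETAIL:  Client IP address resolved to "c-203-0-113-5.example", '
    'forward lookup not checked.',
    'FATAL:  no pg_hba.conf entry for host "198.51.100.7", user "player", '
    'database "schemaverse", SSL off',
]
SAMPLE_PGDATA = sorted(EXPECTED_PGDATA) + ["SECURITY_RISK_PLEASE_UPGRADE_TO_9.2.4_NOW"]

if __name__ == "__main__":
    for v in ("9.2.3", "9.2.4", "PostgreSQL 9.1.9 on x86_64"):
        print(v, "patched" if is_patched(v) else "UNPATCHED")
    print("suspicious connection attempts:", suspicious_dbnames(SAMPLE_LOG))
    print("unexpected files in PGDATA:", unexpected_files(SAMPLE_PGDATA))
```

The version check is the one to run first (`SELECT version();` output can be pasted straight into `is_patched`); the log scan and the directory diff are for finding out whether someone already tried, which is exactly how the file above was noticed.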

For more details on the security release that resolves this issue, follow these links and get your servers patched!

http://www.postgresql.org/about/news/1456/

http://www.postgresql.org/support/security/faq/2013-04-04/

http://www.postgresql.org/download/

  1. jarheadsmogcomplex reblogged this from schemaverse and added:
    The hacker was very Stallmanesque. “SECURITY_RISK_PLEASE_UPGRADE_TO_9.2.4_NOW” haha I like to think these are always the...
  2. jogurtring reblogged this from schemaverse
  3. schemaverse posted this