Message-ID: <20250216161818.GA12372@openwall.com>
Date: Sun, 16 Feb 2025 17:18:18 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection

Hi,

As announced on February 13 in:

https://www.postgresql.org/about/news/postgresql-173-167-1511-1416-and-1319-released-3015/
https://www.postgresql.org/message-id/173945575457.197393.6175786842655230205%40wrigleys.postgresql.org

> The PostgreSQL Global Development Group has released an update to all supported
> versions of PostgreSQL, including 17.3, 16.7, 15.11, 14.16, and 13.19.
> This release fixes 1 security vulnerability and over 70 bugs reported over the
> last several months.
> 
> For the full list of changes, please review the
> [release notes](https://www.postgresql.org/docs/release/).
> 
> Security Issues
> ---------------
> 
> ### [CVE-2025-1094](https://www.postgresql.org/support/security/CVE-2025-1094/): PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation
> 
> CVSS v3.1 Base Score: [8.1](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
> 
> Supported, Vulnerable Versions: 13 - 17. 
> 
> Improper neutralization of quoting syntax in PostgreSQL [`libpq`](https://www.postgresql.org/docs/current/libpq.html)
> functions `PQescapeLiteral()`, `PQescapeIdentifier()`, `PQescapeString()`, and
> `PQescapeStringConn()` allows a database input provider to achieve SQL
> injection in certain usage patterns. Specifically, SQL injection requires the
> application to use the function result to construct input to psql, the
> PostgreSQL interactive terminal. Similarly, improper neutralization of quoting
> syntax in PostgreSQL command line utility programs allows a source of command
> line arguments to achieve SQL injection when [`client_encoding`](https://www.postgresql.org/docs/current/runtime-config-client.html#GUC-CLIENT-ENCODING)
> is `BIG5` and
> [`server_encoding`](https://www.postgresql.org/docs/current/runtime-config-preset.html#GUC-SERVER-ENCODING)
> is one of `EUC_TW` or `MULE_INTERNAL`. Versions before PostgreSQL 17.3, 16.7,
> 15.11, 14.16, and 13.19 are affected.
> 
> The PostgreSQL project thanks Stephen Fewer, Principal Security Researcher,
> Rapid7 for reporting this problem.

This vulnerability is related to BeyondTrust CVE-2024-12356:

https://infosec.exchange/@catc0n/113997298617317751

In Caitlin Condon's words in the thread above:

> New #Rapid7 vuln disclosure c/o @stephenfewer: CVE-2025-1094 is a SQL injection flaw in PostgreSQL's psql interactive tool that was discovered while analyzing BeyondTrust RS CVE-2024-12356. The bug is interesting - thread on its relation to BeyondTrust exploitation https://www.rapid7.com/blog/post/2025/02/13/cve-2025-1094-postgresql-psql-sql-injection-fixed/
> CVE-2025-1094: PostgreSQL psql SQL injection (FIXED) | Rapid7 Blog
> 
> CVE-2024-12356, as you may recall, is a zero-day bug that has garnered broad attention in recent weeks as a result of its link to a high-profile attack on the U.S. Treasury Department that was attributed to Chinese state-sponsored adversaries. https://www.nytimes.com/2024/12/30/us/politics/china-hack-treasury.html
> The Treasury Department said it had worked with the F.B.I., the intelligence community and other investigators to determine the impact of the breach.
> The New York Times · Dec 30, 202
> China Hacked Treasury Dept. in 'Major' Breach, U.S. Says
> By Ana Swanson
> 
> In every scenario Rapid7 tested during analysis of BeyondTrust Remote Support CVE-2024-12356, a successful exploit for CVE-2024-12356 *had* to include exploitation of PostgreSQL CVE-2025-1094 in order to achieve remote code execution.
> 
> CVE-2024-12356 was patched in December 2024, and the patch successfully neutralized what we believe to be the original exploit chain (including CVE-2025-1094). So neither CVE-2024-12356 nor CVE-2025-1094 was exploitable in BeyondTrust RS post-patch.
> 
> The BeyondTrust patch for CVE-2024-12356 did not address the root cause of CVE-2025-1094 in PostgreSQL psql, however - so CVE-2025-1094 remained a zero-day vulnerability until it was reported to the PostgreSQL dev group and remediated in today's release. https://www.postgresql.org/support/security/CVE-2025-1094/
> PostgreSQL: CVE-2025-1094: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation
> 
> Finally, plot twist! @stephenfewer also discovered that before BeyondTrust's patch was released, it was possible to exploit CVE-2025-1094 against a vulnerable Remote Support target without leveraging CVE-2024-12356 at all.
> 
> CVE-2025-1094 affects all supported versions of PostgreSQL and is non-trivial to exploit. We wouldn't expect to see it exploited in PostgreSQL implementations more broadly (outside known-vulnerable BeyondTrust RS and PRA versions), given the complexity of the exploit pattern.
> 
> But with the above said, it's clear that the adversaries who perpetrated the December attack *really* knew the target technology, which is yet another example of an 0day exploit trend Rapid7 started tracking in 2023.
> 
> Full analysis of BeyondTrust PRA and RS CVE-2024-12356 in AttackerKB c/o @stephenfewer, and our sincere thanks to the PostgreSQL development group for their quick response and timely resolution. https://attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis
> 
> One teeny tiny last semi-personal note - this is one of the most straightforward disclosure timelines we've been able to put in a CVD blog in a while, which is extra nice (and unfortunately not the norm in recent years) and also makes me extra grateful to the PostgreSQL dev group

The referenced Rapid7 blog post:

https://www.rapid7.com/blog/post/2025/02/13/cve-2025-1094-postgresql-psql-sql-injection-fixed/

> CVE-2025-1094: PostgreSQL psql SQL injection (FIXED)
> 
>     Feb 13, 2025 3 min read Stephen Fewer
> 
> Last updated at Fri, 14 Feb 2025 02:54:50 GMT
> 
> Rapid7 discovered a high-severity SQL injection vulnerability, CVE-2025-1094, affecting the PostgreSQL interactive tool psql. This discovery was made while Rapid7 was performing research into the recent exploitation of CVE-2024-12356 - an unauthenticated remote code execution (RCE) vulnerability that affects both BeyondTrust Privileged Remote Access (PRA) and BeyondTrust Remote Support (RS). Rapid7 discovered that in every scenario we tested, a successful exploit for CVE-2024-12356 had to include exploitation of CVE-2025-1094 in order to achieve remote code execution. While CVE-2024-12356 was patched by BeyondTrust in December 2024, and this patch successfully blocks exploitation of both CVE-2024-12356 and CVE-2025-1094, the patch did not address the root cause of CVE-2025-1094, which remained a zero-day until Rapid7 discovered and reported it to PostgreSQL.
> 
> All supported versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected. CVE-2025-1094 has a CVSS 3.1 base score of 8.1 (High). More information is available in the PostgreSQL advisory.
> Impact
> 
> CVE-2025-1094 arises from an incorrect assumption that when attacker-controlled untrusted input has been safely escaped via PostgreSQL's string escaping routines, it cannot be leveraged to generate a successful SQL injection attack. Rapid7 found that SQL injection is, in fact, still possible in a certain scenario when escaped untrusted input is included as part of a SQL statement executed by the interactive psql tool.
> 
> Because of how PostgreSQL string escaping routines handle invalid UTF-8 characters, in combination with how invalid byte sequences within the invalid UTF-8 characters are processed by psql, an attacker can leverage CVE-2025-1094 to generate a SQL injection.
> 
> An attacker who can generate a SQL injection via CVE-2025-1094 can then achieve arbitrary code execution (ACE) by leveraging the interactive tool's ability to run meta-commands. Meta-commands extend the interactive tool's functionality, by providing a wide variety of additional operations that the interactive tool can perform. The meta-command, identified by the exclamation mark symbol, allows for an operating system shell command to be executed. An attacker can leverage CVE-2025-1094 to perform this meta-command, thus controlling the operating system shell command that is executed.
> 
> Alternatively, an attacker who can generate a SQL injection via CVE-2025-1094 can execute arbitrary attacker-controlled SQL statements.
> Credit
> 
> This vulnerability was discovered by Stephen Fewer, Principal Security Researcher at Rapid7 and is being disclosed in accordance with Rapid7's vulnerability disclosure policy.
> Analysis
> 
> A technical analysis of CVE-2025-1094, as it relates to the exploitation of the BeyondTrust vulnerability CVE-2024-12356, is available in AttackerKB.
> 
> A Metasploit exploit module that exploits CVE-2025-1094 against a vulnerable BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) target is available here.
> Vendor Statement
> 
>     The PostgreSQL Global Development Group provides information on security vulnerability reporting, releases processes, and known vulnerability fixes at https://www.postgresql.org/support/security/.
> 
> Remediation
> 
> To remediate CVE-2025-1094, PostgreSQL users should upgrade to PostgreSQL 17.3, 16.7, 15.11, 14.16, or 13.19. For additional details, please see the PostgreSQL advisory.
> Rapid7 customers
> 
> InsightVM and Nexpose customers can assess their exposure to CVE-2025-1094 with an authenticated vulnerability check available in today's (February 13) content release.
> 
> For CVE-2024-12356 affecting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products, InsightVM and Nexpose customers have been able to assess exposure with authenticated checks for Windows systems (Scan Engine only checks) as of the February 10, 2025 content release.
> Disclosure timeline
> 
>     January 27, 2025: Rapid7 makes initial contact with the PostgreSQL security team and discloses vulnerability details.
>     January 29, 2025: The PostgreSQL development group confirms the finding; Rapid7 and PostgreSQL developers agree on a coordinated disclosure date.
>     February 11, 2025: The PostgreSQL development group provides a CVE ID and affected versions.
>     February 13, 2025: This disclosure.

Alexander
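As an added illustration, not PostgreSQL or libpq code, of the defect class the advisory above describes (quoting that trusts text which fails encoding validation) beside the defensive check that closes it: a simplified quoter that trusts the byte length announced by a UTF-8 lead byte, next to one that validates the encoding before quoting. The function names and the sample input are constructed for this example.

```python
# Added example (not PostgreSQL/libpq code): a simplified model of the
# flawed assumption behind CVE-2025-1094 and of the defensive fix.
# Function names and SAMPLE are hypothetical, constructed for this example.

def naive_quote_literal(raw: bytes) -> bytes:
    """Flawed model: trusts the length a UTF-8 lead byte announces and never
    checks that the following bytes are really continuation bytes."""
    out = bytearray(b"'")
    i = 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            n = 1
        elif b >= 0xF0:
            n = 4
        elif b >= 0xE0:
            n = 3
        else:
            n = 2
        chunk = raw[i:i + n]
        # A quote is only doubled when it is seen as a character of its own;
        # a quote swallowed as a "continuation byte" is copied out unchanged.
        out += b"''" if chunk == b"'" else chunk
        i += n
    out += b"'"
    return bytes(out)

def safe_quote_literal(raw: bytes):
    """Hardened model: refuse anything that is not valid UTF-8 before quoting.
    Returns None for input that fails strict encoding validation."""
    try:
        text = raw.decode("utf-8")  # strict: rejects truncated/overlong sequences
    except UnicodeDecodeError:
        return None
    return ("'" + text.replace("'", "''") + "'").encode("utf-8")

def has_undoubled_quote(literal: bytes) -> bool:
    """Audit check: inside the outer quotes every ' must be part of a '' pair."""
    body = literal[1:-1]
    i = 0
    while i < len(body):
        if body[i:i + 1] == b"'":
            if body[i + 1:i + 2] != b"'":
                return True
            i += 2
        else:
            i += 1
    return False

# Constructed sample: a lone UTF-8 lead byte directly followed by a quote.
SAMPLE = b"abc\xc2'"
```

The naive quoter emits the quote in SAMPLE undoubled, which the audit check flags; the hardened quoter rejects the input outright instead of producing a literal whose quoting depends on how a downstream consumer treats the invalid byte.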
