Hello all, in this post we will discuss an interesting security vulnerability tracked as CVE-2024-27304, a SQL injection issue in the PostgreSQL driver and toolkit for Go (pgx).

Overview

pgx is a widely used PostgreSQL driver and toolkit for the Go programming language, popular for its simplicity and performance. Recently, a critical SQL injection issue was found in its handling of a single query or bind message exceeding 4 GB in size, caused by an integer overflow in the message size calculation. This vulnerability can potentially allow a remote attacker to execute arbitrary SQL queries or disrupt the application.

Original Reference: GitHub Advisory

Details

A vulnerable version of the library can be exploited if an attacker is able to supply an input payload that causes a single query or bind message to exceed 4 GB in size. The problem arises from an integer overflow while calculating the message size. As a result, what the application sends as one large message can be parsed as multiple messages, whose contents can fall under the attacker's control and lead to SQL injection.

Here's a simplified example of application code using the pgx driver that builds a query from untrusted input:

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/jackc/pgx/v4" // v4 import path; versions before v4.18.2 are affected
)

// processInput formats untrusted input straight into the SQL text instead of
// binding it as a parameter: this is the injection-prone pattern discussed above.
func processInput(ctx context.Context, input string) error {
	conn, err := pgx.Connect(ctx, os.Getenv("DATABASE_URL"))
	if err != nil {
		return err
	}
	defer conn.Close(ctx)
	query := fmt.Sprintf("SELECT * FROM users WHERE username='%s'", input)
	rows, err := conn.Query(ctx, query)
	if err != nil {
		return err
	}
	defer rows.Close()
	for rows.Next() {
		// handle each row here
	}
	return rows.Err()
}

Because of the way the pgx driver calculates the message size, an attacker can craft an unusually large input string to trigger this vulnerability and achieve SQL injection.

Exploitation

An attacker can take advantage of this vulnerability by carefully crafting payloads to access confidential data, modify database structures, and even execute system commands. Successful exploitation can result in massive data breaches, unauthorized access, and potentially administrative privileges.

Solution

The maintainers of pgx have released fixed versions of the library, v4.18.2 and v5.5.4. It is strongly recommended to update your pgx dependency to one of these fixed versions to mitigate this issue.

Link: Releases on GitHub

If an immediate version upgrade is not possible, you can employ a workaround by proactively rejecting user input large enough to cause a single query or bind message to exceed 4 GB in size. This keeps the message size calculation from overflowing and so blocks the exploit path.
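The workaround above, written as an added example for this post (not pgx's own code): a size guard applied before input reaches the driver, alongside a small function showing why the wrap-around matters. The cap value, the helper names and the message size estimates are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed application-level cap on one query or Bind message. It sits far below
// the 2^31-1 bytes the protocol's int32 length field can hold, so the size
// calculation can never wrap.
const maxMessageBytes int64 = 64 << 20 // 64 MiB, an assumed value

var ErrOversizedInput = errors.New("query or parameters exceed message size limit")

// wireLengthInt32 shows what happens when a byte count is stored in a signed
// 32-bit length field: the conversion truncates, so 4 GiB + 100 reads as 100.
func wireLengthInt32(n int64) int32 {
	return int32(n)
}

// queryMessageSize approximates a simple Query message: 4-byte length field,
// the SQL text, and its NUL terminator (the 1-byte type tag is not counted).
func queryMessageSize(sql string) int64 {
	return 4 + int64(len(sql)) + 1
}

// bindMessageSize approximates a Bind message: 4-byte length field, 2-byte
// parameter count, then a 4-byte length prefix plus payload per parameter.
func bindMessageSize(params [][]byte) int64 {
	size := int64(4 + 2) // computed in int64 so this estimate itself cannot wrap
	for _, p := range params {
		size += 4 + int64(len(p))
	}
	return size
}

// checkQueryInput is the guard the workaround calls for: reject the input
// before it reaches the driver if either message would exceed the cap.
func checkQueryInput(sql string, params [][]byte) error {
	if queryMessageSize(sql) > maxMessageBytes || bindMessageSize(params) > maxMessageBytes {
		return ErrOversizedInput
	}
	return nil
}

func main() {
	fmt.Println(wireLengthInt32(4<<30 + 100)) // 100: the wrapped length
	fmt.Println(checkQueryInput("SELECT * FROM users WHERE username=$1", [][]byte{[]byte("alice")}))
	fmt.Println(checkQueryInput("SELECT $1", [][]byte{make([]byte, maxMessageBytes)}))
}
```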

Conclusion

CVE-2024-27304, a critical SQL injection vulnerability in the popular pgx library for Go, can lead to severe consequences if left unresolved. Special attention should be given to updating vulnerable pgx versions and implementing the necessary input validation measures.

Ensure that your pgx installations are up-to-date, and always prioritize security when using open-source libraries.

Timeline

Published on: 03/06/2024 19:15:08 UTC
Last modified on: 03/06/2024 21:42:48 UTC