Attacker Value

Low

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

CVE-2019-9193

Disclosure Date: April 01, 2019 •

CVE-2019-9193

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Metasploit Module

PostgreSQL COPY FROM PROGRAM Command Execution

Description

In PostgreSQL 9.3 through 11.2, the “COPY TO/FROM PROGRAM” function allows superusers and users in the ‘pg_execute_server_program’ group to execute arbitrary code in the context of the database’s operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.

Add Assessment

pbarry-r7 (48)

November 21, 2019 11:16pm UTC (5 years ago)•Edited 4 years ago

Ratings

Attacker Value

Low

Exploitability

Very High

Technical Analysis

There’s some interesting debate around the couching of this as a vuln in PostgreSQL, itself, since the COPY TO/FROM PROGRAM is ostensibly documented to allow program execution. Certainly a good reminder to, in general, limit privs where possible (in this case, don’t grant ‘pg_execute_server_program’ to users who don’t require it).

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Unknown

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

postgresql

Products

postgresql

Metasploit Modules

PostgreSQL COPY FROM PROGRAM Command Execution (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/postgres/postgres_copy_from_program_cmd_exec.rb)

References

Canonical

CVE-2019-9193 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9193)

Advisory

https://security.netapp.com/advisory/ntap-20190502-0003

https://security.netapp.com/advisory/ntap-20190502-0003/

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2019-9193 (https://github.com/geniuszlyy/CVE-2019-9193) (Added by AKB Worker)