Vulnerabilities > CVE-2013-1902 - Insecure Temporary File Creation vulnerability in PostgreSQL

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
postgresql
critical
nessus

Summary

PostgreSQL, 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 generates insecure temporary files with predictable filenames, which has unspecified impact and attack vectors related to "graphical installers for Linux and Mac OS X."

Vulnerable Configurations

Part Description Count
Application
Postgresql
66

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2013-004.NASL
    descriptionThe remote host is running a version of Mac OS X 10.6 or 10.7 that does not have Security Update 2013-004 applied. This update contains several security-related fixes for the following component : - Apache - Bind - Certificate Trust Policy - ClamAV - Installer - IPSec - Mobile Device Management - OpenSSL - PHP - PostgreSQL - QuickTime - sudo Note that successful exploitation of the most serious issues could result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id69878
    published2013-09-13
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/69878
    titleMac OS X Multiple Vulnerabilities (Security Update 2013-004)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(69878);
      script_version("1.18");
      script_cvs_date("Date: 2018/07/14  1:59:36");
    
      script_cve_id(
        "CVE-2012-0883",
        "CVE-2012-2686",
        "CVE-2012-2687",
        "CVE-2012-3499",
        "CVE-2012-3817",
        "CVE-2012-4244",
        "CVE-2012-4558",
        "CVE-2012-5166",
        "CVE-2012-5688",
        "CVE-2013-0166",
        "CVE-2013-0169",
        "CVE-2013-1027",
        "CVE-2013-1028",
        "CVE-2013-1030",
        "CVE-2013-1032",
        "CVE-2013-1635",
        "CVE-2013-1643",
        "CVE-2013-1775",
        "CVE-2013-1824",
        "CVE-2013-1899",
        "CVE-2013-1900",
        "CVE-2013-1901",
        "CVE-2013-1902",
        "CVE-2013-1903",
        "CVE-2013-2020",
        "CVE-2013-2021",
        "CVE-2013-2110",
        "CVE-2013-2266"
      );
      script_bugtraq_id(
        53046,
        54658,
        55131,
        55522,
        55852,
        56817,
        57755,
        57778,
        58165,
        58203,
        58224,
        58736,
        58766,
        58876,
        58877,
        58878,
        58879,
        58882,
        59434,
        60118,
        60268,
        60411,
        62370,
        62371,
        62373,
        62375,
        62377
      );
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2013-09-12-1");
    
      script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2013-004)");
      script_summary(english:"Check for the presence of Security Update 2013-004");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host is missing a Mac OS X update that fixes several
    security issues."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The remote host is running a version of Mac OS X 10.6 or 10.7 that
    does not have Security Update 2013-004 applied.  This update contains
    several security-related fixes for the following component :
    
      - Apache
      - Bind
      - Certificate Trust Policy
      - ClamAV
      - Installer
      - IPSec
      - Mobile Device Management
      - OpenSSL
      - PHP
      - PostgreSQL
      - QuickTime
      - sudo
    
    Note that successful exploitation of the most serious issues could
    result in arbitrary code execution."
      );
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5880");
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html");
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/528594/30/0/threaded");
      script_set_attribute(attribute:"solution", value:"Install Security Update 2013-004 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Mac OS X Sudo Password Bypass');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/09/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "Host/MacOSX/packages/boms");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    if (!ereg(pattern:"Mac OS X 10\.[67]([^0-9]|$)", string:os)) audit(AUDIT_OS_NOT, "Mac OS X 10.6 / 10.7");
    else if ("Mac OS X 10.6" >< os && !ereg(pattern:"Mac OS X 10\.6($|\.[0-8]([^0-9]|$))", string:os)) exit(0, "The remote host uses a version of Mac OS X Snow Leopard later than 10.6.8.");
    else if ("Mac OS X 10.7" >< os && !ereg(pattern:"Mac OS X 10\.7($|\.[0-5]([^0-9]|$))", string:os)) exit(0, "The remote host uses a version of Mac OS X Lion later than 10.7.5.");
    
    
    packages = get_kb_item_or_exit("Host/MacOSX/packages/boms", exit_code:1);
    if (
      egrep(pattern:"^com\.apple\.pkg\.update\.security(\.10\.[6-8]\..+)?\.(2013\.00[4-9]|201[4-9]\.[0-9]+)(\.(snowleopard[0-9.]*|lion))?\.bom", string:packages)
    ) exit(0, "The host has Security Update 2013-004 or later installed and is therefore not affected.");
    else
    {
      set_kb_item(name:"www/0/XSS", value:TRUE);
    
      if (report_verbosity > 0)
      {
        security_boms = egrep(pattern:"^com\.apple\.pkg\.update\.security", string:packages);
    
        report = '\n  Installed security BOMs : ';
        if (security_boms) report += str_replace(find:'\n', replace:'\n                            ', string:security_boms);
        else report += 'n/a';
        report += '\n';
    
        security_hole(port:0, extra:report);
      }
      else security_hole(0);
    }
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_8_5.NASL
    descriptionThe remote host is running a version of Mac OS X 10.8.x that is prior to 10.8.5. The newer version contains multiple security-related fixes for the following components : - Apache - Bind - Certificate Trust Policy - CoreGraphics - ImageIO - Installer - IPSec - Kernel - Mobile Device Management - OpenSSL - PHP - PostgreSQL - Power Management - QuickTime - Screen Lock - sudo This update also addresses an issue in which certain Unicode strings could cause applications to unexpectedly quit. Note that successful exploitation of the most serious issues could result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id69877
    published2013-09-13
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/69877
    titleMac OS X 10.8.x < 10.8.5 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(69877);
      script_version("1.18");
      script_cvs_date("Date: 2018/07/14  1:59:36");
    
      script_cve_id(
        "CVE-2012-0883",
        "CVE-2012-2686",
        "CVE-2012-2687",
        "CVE-2012-3499",
        "CVE-2012-3817",
        "CVE-2012-4244",
        "CVE-2012-4558",
        "CVE-2012-5166",
        "CVE-2012-5688",
        "CVE-2013-0166",
        "CVE-2013-0169",
        "CVE-2013-1025",
        "CVE-2013-1026",
        "CVE-2013-1027",
        "CVE-2013-1028",
        "CVE-2013-1029",
        "CVE-2013-1030",
        "CVE-2013-1031",
        "CVE-2013-1032",
        "CVE-2013-1033",
        "CVE-2013-1635",
        "CVE-2013-1643",
        "CVE-2013-1775",
        "CVE-2013-1824",
        "CVE-2013-1899",
        "CVE-2013-1900",
        "CVE-2013-1901",
        "CVE-2013-1902",
        "CVE-2013-1903",
        "CVE-2013-2110",
        "CVE-2013-2266"
      );
      script_bugtraq_id(
        53046,
        54658,
        55131,
        55522,
        55852,
        56817,
        57755,
        57778,
        58165,
        58203,
        58224,
        58736,
        58766,
        58876,
        58877,
        58878,
        58879,
        58882,
        60268,
        60411,
        62368,
        62369,
        62370,
        62371,
        62373,
        62374,
        62375,
        62377,
        62378,
        62381,
        62382
      );
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2013-09-12-1");
    
      script_name(english:"Mac OS X 10.8.x < 10.8.5 Multiple Vulnerabilities");
      script_summary(english:"Check the version of Mac OS X");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host is missing a Mac OS X update that fixes several
    security issues."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The remote host is running a version of Mac OS X 10.8.x that is prior
    to 10.8.5. The newer version contains multiple security-related fixes
    for the following components :
    
      - Apache
      - Bind
      - Certificate Trust Policy
      - CoreGraphics
      - ImageIO
      - Installer
      - IPSec
      - Kernel
      - Mobile Device Management
      - OpenSSL
      - PHP
      - PostgreSQL
      - Power Management
      - QuickTime
      - Screen Lock
      - sudo
    
    This update also addresses an issue in which certain Unicode strings
    could cause applications to unexpectedly quit.
    
    Note that successful exploitation of the most serious issues could
    result in arbitrary code execution."
      );
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5880");
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html");
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/528594/30/0/threaded");
      script_set_attribute(attribute:"solution", value:"Upgrade to Mac OS X 10.8.5 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Mac OS X Sudo Password Bypass');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/09/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/13");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os)
    {
      os = get_kb_item_or_exit("Host/OS");
      if ("Mac OS X" >!< os) audit(AUDIT_OS_NOT, "Mac OS X");
    
      c = get_kb_item("Host/OS/Confidence");
      if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
    }
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    
    
    if (ereg(pattern:"Mac OS X 10\.8($|\.[0-4]([^0-9]|$))", string:os))
    {
      set_kb_item(name:"www/0/XSS", value:TRUE);
    
      security_hole(0);
    }
    else exit(0, "The host is not affected as it is running "+os+".");
    
  • NASL familyDatabases
    NASL idPOSTGRESQL_20130404.NASL
    descriptionThe version of PostgreSQL installed on the remote host is 8.4.x prior to 8.4.17, 9.0.x prior to 9.0.13, 9.1.x prior to 9.1.9, or 9.2.x prior to 9.2.4. It therefore is potentially affected by multiple vulnerabilities : - Enterprise DB
    last seen2020-06-01
    modified2020-06-02
    plugin id65854
    published2013-04-08
    reporterThis script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/65854
    titlePostgreSQL 8.4 < 8.4.17 / 9.0 < 9.0.13 / 9.1 < 9.1.9 / 9.2 < 9.2.4 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(65854);
      script_version("1.10");
      script_cvs_date("Date: 2018/11/15 20:50:21");
    
      script_cve_id("CVE-2013-1902", "CVE-2013-1903");
      script_bugtraq_id(58877, 58882);
    
      script_name(english:"PostgreSQL 8.4 < 8.4.17 / 9.0 < 9.0.13 / 9.1 < 9.1.9 / 9.2 < 9.2.4 Multiple Vulnerabilities");
      script_summary(english:"Checks version of PostgreSQL");
    
      script_set_attribute(attribute:"synopsis", value:"The remote database server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of PostgreSQL installed on the remote host is 8.4.x prior
    to 8.4.17, 9.0.x prior to 9.0.13, 9.1.x prior to 9.1.9, or 9.2.x prior
    to 9.2.4.  It therefore is potentially affected by multiple
    vulnerabilities :
    
      - Enterprise DB's installers for Linux and Mac OS X create
        a directory and file in '/tmp' with predictable names.
        (CVE-2013-1902)
    
      - Enterprise DB's installers for Linux and Mac OS X pass
        the database superuser password to a script in an
        insecure fashion. (CVE-2013-1903)");
      script_set_attribute(attribute:"see_also", value:"https://www.postgresql.org/about/news/1456/");
      script_set_attribute(attribute:"see_also", value:"https://www.postgresql.org/docs/8.4/release-8-4-17.html");
      script_set_attribute(attribute:"see_also", value:"https://www.postgresql.org/docs/9.0/release-9-0-13.html");
      script_set_attribute(attribute:"see_also", value:"http://www.postgresql.org/docs/9.1/static/release-9-1-9.html");
      script_set_attribute(attribute:"see_also", value:"http://www.postgresql.org/docs/9.2/static/release-9-2-4.html");
      script_set_attribute(attribute:"solution", value:"Upgrade to PostgreSQL 8.4.17 / 9.0.13 / 9.1.9 / 9.2.4 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/04/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/04/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/04/08");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:postgresql:postgresql");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Databases");
    
      script_copyright(english:"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("postgresql_version.nbin", "os_fingerprint.nasl");
      script_require_ports("Services/postgresql", 5432);
    
      exit(0);
    }
    
    include("audit.inc");
    include("backport.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    port = get_service(svc:"postgresql", default:5432, exit_on_fail:TRUE);
    
    os = get_kb_item_or_exit("Host/OS");
    if ('Windows' >< os) audit(AUDIT_HOST_NOT, 'affected');
    
    version = get_kb_item_or_exit('database/'+port+'/postgresql/version');
    source = get_kb_item_or_exit('database/'+port+'/postgresql/source');
    database = get_kb_item('database/'+port+'/postgresql/database_name');
    
    get_backport_banner(banner:source);
    if (backported && report_paranoia < 2) audit(AUDIT_BACKPORT_SERVICE, port, 'PostgreSQL server');
    
    ver = split(version, sep:'.');
    for (i=0; i < max_index(ver); i++)
      ver[i] = int(ver[i]);
    
    if (
      (ver[0] == 8 && ver[1] == 4 && ver[2] < 17) ||
      (ver[0] == 9 && ver[1] == 0 && ver[2] < 13) ||
      (ver[0] == 9 && ver[1] == 1 && ver[2] < 9) ||
      (ver[0] == 9 && ver[1] == 2 && ver[2] < 4)
    )
    {
      if (report_verbosity > 0)
      {
        report = '';
        if(database)
          report += '\n  Database name     : ' + database ;
        report +=
          '\n  Version source    : ' + source +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 8.4.17 / 9.0.13 / 9.1.9 / 9.2.4\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, 'PostgreSQL', port, version);
    

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 58877 CVE(CAN) ID: CVE-2013-1902 PostgreSQL是一款高级对象-关系型数据库管理系统,支持扩展的SQL标准子集。 PostgreSQL 9.2.4, 9.1.9, 9.0.13之前版本存用可预测的文件名生成了不安全的临时文件,本地攻击者可以进行符号链接攻击。 0 Debian Linux 6.0 x PostgreSQL 9.x 厂商补丁: PostgreSQL ---------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.postgresql.org
idSSV:60718
last seen2017-11-19
modified2013-04-08
published2013-04-08
reporterRoot
titlePostgreSQL 临时文件创建漏洞(CVE-2013-1902)