{"id":1931,"date":"2025-02-14T00:44:08","date_gmt":"2025-02-14T00:44:08","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1931"},"modified":"2025-02-14T00:44:08","modified_gmt":"2025-02-14T00:44:08","slug":"postgresql-patches-sqli-vulnerability-likely-exploited-in-beyondtrust-attacks","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1931","title":{"rendered":"PostgreSQL patches SQLi vulnerability likely exploited in BeyondTrust attacks"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Attackers who exploited a zero-day vulnerability in BeyondTrust Privileged Remote Access and Remote Support products in December likely also exploited a previously unknown SQL injection flaw in PostgreSQL, a widely used open-source object-relational database system. The PostgreSQL issue was fixed on Thursday and users are advised to upgrade their database servers as soon as possible.<\/p>\n<p>At the end of December, the US Department of the Treasury disclosed that state-sponsored Chinese attackers <a href=\"https:\/\/www.csoonline.com\/article\/3630539\/us-treasury-department-workstations-breached-in-attack-attributed-to-china.html\">accessed some of its workstations and obtained unclassified information<\/a>. The Treasury said the access occurred through a cloud-based remote support service operated by BeyondTrust.<\/p>\n<p>BeyondTrust launched an investigation and confirmed that an API key was compromised and was used to access customer accounts. 
But the company also identified two zero-day command injection issues in its products, CVE-2024-12356 and CVE-2024-12686, which the US Cybersecurity and Infrastructure Security Agency (CISA) later <a href=\"https:\/\/www.csoonline.com\/article\/3803543\/cisa-warns-second-beyondtrust-vulnerability-also-exploited-in-the-wild.html\">added to its Known Exploited Vulnerabilities (KEV) catalog<\/a>.<\/p>\n<p>Researchers from security company Rapid7 analyzed the patches for the CVE-2024-12356 vulnerability in order to understand the flaw and in the process <a href=\"https:\/\/www.rapid7.com\/blog\/post\/2025\/02\/13\/cve-2025-1094-postgresql-psql-sql-injection-fixed\/\">discovered the SQL injection issue in PostgreSQL\u2019s interactive tool psql,<\/a> which the BeyondTrust Remote Support product uses and which is capable of executing system commands. The PostgreSQL SQL injection flaw is now tracked as CVE-2025-1094.<\/p>\n<p>\u201cIn every scenario Rapid7 researchers tested during analysis of CVE-2024-12356, a successful exploit for CVE-2024-12356 had to include exploitation of CVE-2025-1094 in order to achieve remote code execution,\u201d the researchers wrote in <a href=\"https:\/\/attackerkb.com\/topics\/G5s8ZWAbYH\/cve-2024-12356\/rapid7-analysis\">their report<\/a>. 
\u201cIn other words, based on our analysis, we believe the exploit for BeyondTrust RS CVE-2024-12356 would have relied on exploitation of PostgreSQL CVE-2025-1094.\u201d<\/p>\n<p>The PostgreSQL Global Development Group, which maintains the PostgreSQL software, advised users to upgrade to the patched version for their respective branch: 17.3, 16.7, 15.11, 14.16 and 13.19.<\/p>\n<h2 class=\"wp-block-heading\">Input sanitization bypassed<\/h2>\n<p>When the Rapid7 researchers looked at the patches, they noticed some sanitization being added to a value called $gskey that was being passed to a script called $ingrediRoot\/app\/dbquote via the echo command.<\/p>\n<p>\u201cThe change in how the $gskey value is passed to the echo command is a classic argument injection issue,\u201d the researchers wrote. \u201cIn a shell script, when passing an unquoted variable to a command, the shell will pass the contents of the value to the command as individual arguments to the command, as parsed by the shell. If the value is wrapped in double quotes, the shell will pass the entire value as a single argument to the command.\u201d<\/p>\n<p>But the BeyondTrust advisory said that exploiting this vulnerability \u201ccan allow an unauthenticated remote attacker to execute underlying operating system commands within the context of the site user.\u201d The argument injection on its own does not achieve that, so the researchers had to keep digging.<\/p>\n<p>They then looked at dbquote and saw it was a PHP script that took the echoed $gskey value, passed it through the PostgreSQL PHP helper function pg_escape_string, then wrapped the output in single quotes and printed it back as a variable called quoted.<\/p>\n<p>The purpose of the pg_escape_string function is to \u201cescape\u201d any special characters, such as single quotes, from untrusted input before using it in an SQL command. 
Without such escaping, untrusted strings can lead to SQL injection, that is, the injection of unintended commands controlled by the attacker.<\/p>\n<p>The researchers were a bit confused at this point. The use of pg_escape_string should have mitigated any risk of SQL injection. So why was $gskey being sanitized in the first place?<\/p>\n<p>This question sent them down a much deeper rabbit hole that ended with the finding that PostgreSQL\u2019s interactive terminal psql appears to incorrectly handle input that contains invalid UTF-8 characters. When presented with a string that has a certain combination of invalid UTF-8 bytes, it causes the SQL statement to terminate early and opens the possibility to execute an additional statement from the string that follows the invalid UTF-8 character and a semicolon.<\/p>\n<p>\u201cWe have managed to achieve a SQL injection via a correctly escaped untrusted input, due to the psql tool\u2019s incorrect handling of invalid UTF-8 characters,\u201d the researchers wrote. \u201cThis vulnerability is now known as CVE-2025-1094.\u201d<\/p>\n<p>Furthermore, psql has a feature called meta-commands that allows the execution of shell commands via the ! meta-command. This capability transforms the SQL injection into OS command code execution.<\/p>\n<p>The researchers even found a way to directly exploit CVE-2025-1094 in the BeyondTrust product without having to rely on the CVE-2024-12356 argument injection vulnerability. However, the additional checks put in place for $gskey as part of the patch for CVE-2024-12356 mitigate this more direct attack path as well.<\/p>\n<p>More specifically, the patch now checks the $gskey value using a regular expression pattern of a-zA-Z0-9, that is, lowercase letters from a to z, uppercase letters from A to Z and digits from 0 to 9. 
Meanwhile, a successful exploit requires adding a raw byte like 0xC0 into the value in order to trigger psql\u2019s incorrect handling of invalid characters, and this fails the newly added check.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Attackers who exploited a zero-day vulnerability in BeyondTrust Privileged Remote Access and Remote Support products in December likely also exploited a previously unknown SQL injection flaw in PostgreSQL, a widely used open-source object-relational database system. The PostgreSQL issue was fixed on Thursday and users are advised to upgrade their database servers as soon as possible. [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1932,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1931","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1931"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1931"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1931\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1932"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1931"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1931"},{"taxonomy":
"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1931"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}