The short story of this is:

- Gain access to the database itself
- And the Postgres database should be vulnerable to various remote code execution
- Once they're able to execute code remotely, they then download an image which has binary data tacked onto it
- They then parse out the executable part of the image using dd
- Then they're able to execute and mine away

While an interesting read, the shortest takeaway is:

1. Don't leave your Postgres open to the public internet, and
2. Ensure you upgrade when security releases come out.

If you're unsure whether the version you're on has security patches available or other reasons to upgrade, consider checking out https://why-upgrade.depesz.com/

Edit: Looks like the user that gained access had the ability to execute pl/c, which has to run as superuser. You won't find things like pl/c, pl/python generally supported on most Postgres services like Heroku, RDS, Citus because of just this reason. So in this case database access with pl/c was enabled; suspect could have been done equally via other vectors (once database access was achieved).
Creating a C language function is not allowed to regular users by default because "language C" is an untrusted language; only superusers can create functions using it. Additionally, regular users don't have the privileges to insert into pg_proc. So unless the attacked application uses a superuser for database access (which is a big security hole to begin with) or uses a superuser account with a weak password and allows superuser access from the outside, I don't see how this could be exploited.
> This attack's Monero address has done more than 312.5 XMR so far, valued with more than $90,000 to date.

Wow. IMO buried lede. That is... very impressive.
Clickbait headline. Was expecting a weird Postgres buffer overflow or something, instead it's a honeypot and the picture is almost completely irrelevant (just a matter of where the attacker hosted their binary).
These attacks are not interesting. They require superuser functionality. Can't believe this wasn't mentioned. If someone has superuser access on your database, it's game over.

The real solution is not to go around making DBAs' lives harder by disabling all this stuff. The real solution is to not give attackers on the internet superuser access on your database!!! Why is the database exposed to the public internet to begin with?
This reminds me of SQL Slammer. Remember that? After that mess, there were Slashdot threads just like we have HN threads right now, and the overwhelming consensus among the sysadmins there was, "Database servers should *never* be visible to the public Internet. They should always be behind a VPN or application server". And then, as is usual for nerd fora, someone would try to come up with a counterexample, "But what if...", and the sysadmins would just cut them off with, "No. Never ever."

That hasn't changed, folks. If someone on the Internet can talk to your Postgres database, you are Doing It Wrong.
How exactly can this be exploited?

Who has to run the Postgres database?

In what kind of way does it have to be accessed to get this happening?

Are we talking about web apps that use Postgres on the back end and run arbitrary queries?

Are we talking about people who somehow extract the Postgres database username and password and it has admin permissions?

I wasn't sure what's happening.
How does the image get executed? I went through the article and in the example the author extracts the executable manually using dd.

But how would an unsuspecting user run the executable? Perhaps I missed this, but is there some image viewer or browser that runs the trailing bytes of images?
I am studying towards the RHCSA (Red Hat Certified System Administrator) and right now I am learning about SELinux.

I am fairly sure that this could have been prevented by SELinux.
The short story of this is:

Cryptocurrencies are run on, by, and for crime. It's immoral to participate in cryptocurrencies. You wouldn't be a member of a club that had people like this owning the club house and everyone on the board, but due to pure greed and wilful ignorance people keep "investing" in this organized crime.

Shame on you all.