
A picture got my PostgreSQL database to start mining Monero - WhiteSource1
https://www.imperva.com/blog/2018/03/deep-dive-database-attacks-scarlett-johanssons-picture-used-for-crypto-mining-on-postgre-database/
======
craigkerstiens
The short story of this is:

- Gain access to the database itself

- And the Postgres database should be vulnerable to various remote code
execution

- Once they're able to execute code remotely, they then download an image
which has binary data tacked onto it

- They then parse out the executable part of the image using dd

- Then they're able to execute and mine away

While an interesting read, the shortest takeaway is:

1. Don't leave your Postgres open to the public internet and

2. Ensure you upgrade when security releases come out.

If you're unsure whether the version you're on has security patches available or
other reasons to upgrade, consider checking out
[https://why-upgrade.depesz.com/](https://why-upgrade.depesz.com/)

Edit: Looks like the user that gained access had the ability to execute pl/c,
which has to run as superuser. You won't find things like pl/c or pl/python
generally supported on most Postgres services like Heroku, RDS, Citus because
of just this reason. So in this case database access with pl/c was enabled;
I suspect it could have been done equally via other vectors (once database access
was achieved).

~~~
PinguTS
Actually, the takeaway is not about updates, because the problem is actually
intended functionality that is "misused" for other purposes: indirect
function calls.

So, the takeaway would be to control which functionality is needed and which
is not, then to take action accordingly.

~~~
cryptonector
Well, for one thing, inserting into pg_catalog tables without DDLs should
require privilege and be audited.

Secondly, things like lo_export() should be disabled by default.

~~~
anarazel
> Well, for one thing, inserting into pg_catalog tables without DDLs should
> require privilege and be audited.

It does require privileges.

> Secondly, things like lo_export() should be disabled by default.

It's superuser only.

------
hans_castorp
Creating a C language function is not allowed for regular users by default
because "language C" is an untrusted language; only superusers can create
functions using it. Additionally, regular users don't have the privileges to
insert into pg_proc. So unless the attacked application uses a superuser for
database access (which is a big security hole to begin with) or uses a
superuser account with a weak password and allows superuser access from the
outside, I don't see how this could be exploited.

~~~
lnanek2
Seems to be an intentional honeypot. That said, storing the binary code on
an innocent image host was a nice find that wouldn't have happened had the
attack been blocked immediately. Pretty nice win for that image host to learn
to strip images so they can stop hosting malware...

------
tristanho
> This attack’s Monero address has done more than 312.5 XMR so far, valued
> with more than $90,000 to date.

Wow. IMO buried lede. That is... very impressive.

------
kyle-rb
I'm going to train a model to detect pictures of Scarlett Johansson to prevent
this type of attack in the future.

~~~
totallynotcool
No model needed, detect jpg(image) footers and remove all data after the
actual image.
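
One way to do what this comment suggests, as an added example (not code from the article or from anyone in this thread): walk the JPEG segment structure to the real End-Of-Image marker and treat whatever follows as appended data, which is how the miner binary was attached to the picture. Parsing is needed because the appended payload can itself contain an FFD9 byte pair, so searching for the last EOI is unreliable; the sample bytes below are constructed, and PNG (its IEND chunk) is not handled.

```python
import struct

EOI, SOS = 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))          # restart markers carry no length field
STANDALONE = RST | {0x01}             # plus TEM

def jpeg_image_end(data: bytes) -> int:
    """Return the offset just past the EOI marker that ends the JPEG image."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seglen                 # the length field counts itself
        if marker == SOS:
            # Entropy-coded scan: 0xFF is stuffed as FF00 or followed by an
            # RSTn marker; any other FFxx pair is the next real marker.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0 and data[pos + 1] not in RST:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker found")

def trailing_data(data: bytes) -> bytes:
    """Bytes appended after the real end of the image; empty when clean."""
    return data[jpeg_image_end(data):]

def strip_trailing(data: bytes) -> bytes:
    """The image alone, which is what an image host would want to keep."""
    return data[:jpeg_image_end(data)]

# Constructed test file: SOI, APP0, a tiny SOS whose scan contains a stuffed
# FF00 and an RST0 marker, then EOI. It exercises the parser, not a decoder.
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
# Constructed payload glued on as the thread describes; it contains an FFD9
# pair on purpose, so a search for the last EOI would stop too late.
APPENDED = CLEAN_JPEG + b"\x7fELF\xff\xd9fake-miner-binary"
```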

~~~
Cyberdog
joke

your head

------
jacob019
It's amazing that in 2018 people leave databases publicly exposed.

~~~
xyrouter
I want to know why exposing databases on the Internet publicly is considered a
problem. Is it because a vulnerability found in a database would allow
exploiting the database directly?

I ask this because people expose web apps on the Internet publicly too, and an
SQL injection vulnerability in the web app would be equally catastrophic.

I guess exposing web apps on the Internet is a risk we need to accept because
they have to be available to users of the Internet. But we should not expose
anything else that we don't need to? Is that the reason why exposing databases
publicly is considered best practice?

I would like to know what experienced professionals think about this.

~~~
brightball
A web app has a connection to a database that can be limited to its exact
permission needs, input can be sanitized, database execution can be limited to
exactly what the interface has available. Apps can also use connection pools
to manage limits of the database.

If the database itself is publicly exposed, even if only a read-only connection
with access to an empty table is provided, an attacker could simply max out the
connection pool to kill your application. If a vulnerability was published or
a password with more access was available, they could not only access all of your
data but also corrupt and/or delete it.

SQL injection has been pretty trivial to stop for a couple of decades now.

------
yread
I thought this was one of those files that are an image and an executable AT
THE SAME TIME. Slightly disappointed that it's just catted together

~~~
TremendousJudge
Totally unrelated, but I'm always reminded of Spore's (the videogame) save
files. Creatures, buildings and such would be saved as .png and you'd get a
nice preview screenshot of the creation, but the same file also contained the
information for the game to actually load the thing. It was pretty cool

~~~
curiousGambler
Any idea how they did it? Steganography or just catting things together like
this example?

~~~
TremendousJudge
I don't think so, the images were pretty low res iirc. I did some googling
though, and the only thing I found was somebody that said "the game reads the
model data out from the file's alpha channel". However, I'd expect the data to
just be appended to the end of the file, since PNG works anyway with that.

~~~
tialaramex
PNG is extensible, so they could totally have defined a PNG "chunk" in the
private namespace and shoved the data in that. They didn't though. They
treated PNG as just a way to store image data and wrote their extra data into
the image, encrypted in an amateurish way.

------
phyzome
Clickbait headline. Was expecting a weird Postgres buffer overflow or
something, instead it's a honeypot and the picture is almost completely
irrelevant (just a matter of where the attacker hosted their binary).

------
tehwebguy
So how can one protect against an image with a payload?

Would the payload still be there if the image was rebuilt with Imagemagick?

~~~
hans_castorp
Don't access your database with a superuser account from your application.

Don't allow superuser connections from outside of your network.

~~~
Cthulhu_
Don't have superuser accounts at all if you can help it.

Run Postgres as a limited user. Something that can't access any file or
execute any command (like wget) it doesn't need, can't do chmod +x, can't run
a shell. Don't know if postgres needs that.

~~~
anarazel
No, postgres can't work without accessing files or having a working shell
(latter kinda works in some limited configurations).

And I don't think it's a reasonable idea to not have a superuser at all. But
you can have it passwordless and only accessible from the local machine and a
specific account (e.g. root).
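
The advice in this sub-thread (superuser only from the local machine, no rules open to the whole Internet, no password-less remote access) lives in pg_hba.conf. As an added example that is not code from anyone in the thread, a small audit over that file's rules; the sample configuration is constructed, SUPERUSER_ROLES is an assumption for the demo, and only CIDR-style addresses are handled.

```python
import ipaddress

SUPERUSER_ROLES = {"postgres", "all"}   # assumed for the demo; "all" matches them
WEAK_METHODS = {"trust", "password"}    # no authentication, or cleartext password
LOCAL_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

def parse_hba(text):
    """Yield (type, database, user, address, method) per rule; 'local' socket
    rules get address None. Only CIDR addresses are handled, not 'addr mask'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            yield f[0], f[1], f[2], None, f[3]
        else:
            yield f[0], f[1], f[2], f[3], f[4]

def audit(text):
    """Return (rule, reason) pairs for rules that contradict the advice above."""
    findings = []
    for typ, db, user, addr, method in parse_hba(text):
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except (ValueError, TypeError):            # socket rule, 'all', hostname
            net = None
        local = addr in (None, "samehost") or (net is not None and any(
            net.version == n.version and net.subnet_of(n) for n in LOCAL_NETS))
        rule = " ".join(x for x in (typ, db, user, addr, method) if x)
        if addr == "all" or (net is not None and net.prefixlen == 0):
            findings.append((rule, "any-address"))
        if not local and user in SUPERUSER_ROLES:
            findings.append((rule, "superuser-remote"))
        if not local and method in WEAK_METHODS:
            findings.append((rule, "weak-method"))
    return findings

# Constructed pg_hba.conf: the first three rules follow the advice above, the
# last two are the kind of exposure the thread warns about.
SAMPLE_HBA = """\
local   all   postgres                  peer
host    all   all       127.0.0.1/32    scram-sha-256
host    app   app       10.0.1.0/24     scram-sha-256
host    all   all       0.0.0.0/0       md5     # reachable from anywhere
host    all   postgres  192.168.1.0/24  trust   # no password at all
"""
```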

------
redspectre
These attacks are not interesting. They require superuser functionality. Can't
believe this wasn't mentioned. If someone has superuser access on your
database, it's game over.

The real solution is not to go around making DBAs' lives harder by disabling
all this stuff. The real solution is to not give attackers on the internet
superuser access on your database!!! Why is the database exposed to the public
internet to begin with?

------
jjoe
_Do you see the binary code? It’s right below her left elbow!_

It takes someone with astute observation skills to see this.

~~~
s-p-n
I know! lol

------
Analemma_
This reminds me of SQL Slammer. Remember that? After that mess, there were
Slashdot threads just like we have HN threads right now, and the overwhelming
consensus among the sysadmins there was, "Database servers should _never_ be
visible to the public Internet. They should always be behind a VPN or
application server". And then, as is usual for nerd fora, someone would try to
come up with a counterexample, "But what if...", and the sysadmins would just
cut them off with, "No. Never ever."

That hasn't changed, folks. If someone on the Internet can talk to your
Postgres database, you are Doing It Wrong.

------
EGreg
How exactly can this be exploited?

Who has to run the Postgres database?

In what kind of way does it have to be accessed to get this happening?

Are we talking about web apps that use Postgres on the back end and run
arbitrary queries?

Are we talking about people who somehow extract the Postgres database username
and password and it has admin permissions?

I wasn't sure what's happening.

~~~
woodrowbarlow
at this point, the attacker has already owned the database and found an
exploit that allows arbitrary shell execution on the host. i feel like the
title is a little bit click-baity, because the attacker could have just hosted
their executable payload on any of a thousand shady file hosting sites without
needing to hide it in an image.

~~~
sametmax
The image has 2 purposes:

- make it easy to host it on a public, reputable, unblocked web site;

- have a format that AV detects less often.

------
prepend
How does the image get executed? I went through the article and in the example
the author extracts the executable manually using dd.

But how would an unsuspecting user run the executable? Perhaps I missed this,
but is there some image viewer or browser that runs the trailing bytes of
images?

~~~
fps
I was hoping for some sort of image or binary processing exploit too, but the
attack just uses a Postgres vulnerability to execute arbitrary shell code.
[0][1] The fact that the executed code was buried in an image seems to just be
a camouflage step for the attacker.

0. [https://github.com/nixawk/pentest-wiki/blob/master/2.Vulnerability-Assessment/Database-Assessment/postgresql/postgresql_hacking.md](https://github.com/nixawk/pentest-wiki/blob/master/2.Vulnerability-Assessment/Database-Assessment/postgresql/postgresql_hacking.md)

1. [https://www.rapid7.com/db/modules/exploit/linux/postgres/postgres_payload](https://www.rapid7.com/db/modules/exploit/linux/postgres/postgres_payload)

~~~
anarazel
There's no exploit here, superusers can do things, that's it.

------
znpy
I am studying towards the RHCSA (Red Hat Certified System Administrator) and
right now I am learning about SELinux.

I am fairly sure that this could have been prevented by SELinux.

------
samstave
Why would you have your (ANY) db directly publicly accessible?

~~~
merb
* Multi-Cloud - no money for VPN

* AWS RDS + Heroku and not knowing better

* Sharing a database with a customer

There are a lot of reasons. Some are ok, some are not

~~~
samstave
if I were sharing the DB with a customer - whitelist IPs only - not just leave
the ports open to the world. That's insane.

The only reason I can see is for honeypot.

------
jyriand
This title makes zero sense.

------
blattimwind
Ironically unavailable due to an "error establishing a database connection".

~~~
anarcat
[https://archive.is/KvFHx](https://archive.is/KvFHx)

------
snitch182
Kind of funny, but clicking the link says the database is down.

"Error establishing a database connection"

~~~
exikyut
[https://archive.is/KvFHx](https://archive.is/KvFHx)

From / credit to:
[https://news.ycombinator.com/item?id=16618030](https://news.ycombinator.com/item?id=16618030)

------
andrewshadura
Postgres, not Postgre.

~~~
teddyh
PostgreSQL, not Postgres.

~~~
andrewshadura
Well, it's both: the original name was Postgres, later extended to include SQL
in it.

~~~
teddyh
It was Postgres for the first ten years since the start in 1985, but it’s been
“PostgreSQL” for more than twenty years now.

------
knorker
The short story of this is:

Cryptocurrencies are run on, by, and for crime. It's immoral to participate in
cryptocurrencies. You wouldn't be a member of a club that had people like this
owning the club house and everyone on the board, but due to pure greed and
wilful ignorance people keep "investing" in this organized crime.

Shame on you all.

~~~
mythrwy
That's just silly.

This was one currency and bad behavior used to obtain it doesn't even reflect
on that.

~~~
knorker
Nothing good has come from cryptocurrencies, and boat loads of bad has, is,
and will continue to come out of it.

Investors ignoring or rationalising all the bad because of their greed is, in
my opinion, disgusting.

