Share
## https://sploitus.com/exploit?id=B49600A6-B130-55AB-BBE9-5FF0474D9BD2
# CVE-2026-2005 โ€” PostgreSQL pgcrypto Heap Overflow Lab

A self-contained Docker lab for practicing exploitation of CVE-2026-2005, a heap buffer overflow in PostgreSQL's `pgcrypto` extension that enables remote code execution without superuser privileges.

**Affected versions:** PostgreSQL โ‰ค 17.7 / 16.11 / 15.15 / 14.20 / 18.1  
**Fixed in:** 18.2, 17.8, 16.12, 15.16, 14.21 (released 2026-02-12)

---

## Setup

**Requirements:** Docker, Docker Compose

```bash
git clone 
cd CVE-2026-2005
docker compose up -d
```

PostgreSQL will be listening on `127.0.0.1:5433`.

---

## Your Starting Point

You have obtained database credentials from an application config file:

| Parameter | Value        |
|-----------|-------------|
| Host      | 127.0.0.1   |
| Port      | 5433        |
| Database  | targetdb    |
| Username  | pentester   |
| Password  | pentester123 |

Connect to confirm access:

```bash
psql -h 127.0.0.1 -p 5433 -U pentester -d targetdb
```

The account has `CREATE` privilege on the `public` schema. It is **not** a superuser.

---

## Objectives

Capture both flags to complete the lab.

**Flag 1 โ€” Database privilege escalation**
```sql
SELECT * FROM flag_db;
-- Only readable after escalating to superuser within the DB session
```

**Flag 2 โ€” Container code execution**
```
/var/lib/postgresql/flag.txt
-- Only readable after executing commands as the postgres OS user inside the container
```

> **Scope note:** `COPY TO PROGRAM` executes inside the Docker container, not on the host.
> The primary real-world impact is full database read access (all tables, all databases).
> Reaching the Docker host requires a separate container escape technique.

---

## Vulnerability Background

The flaw is in `pgp_parse_pubenc_sesskey()` inside `pgcrypto/pgp-pubenc.c`.

When decrypting a public-key encrypted session key packet, the function derives
the session key length as `msglen - 3` from an attacker-controlled RSA/ElGamal
payload and copies it into a fixed 32-byte buffer (`PGP_MAX_KEY`) without
bounds validation. An attacker can write hundreds of bytes beyond the buffer
boundary.

The exploit proceeds in three stages:

1. **Info leak** โ€” overflow exposes adjacent heap metadata, leaking PIE base and heap addresses
2. **Arbitrary write** โ€” corrupt the `dst` struct to overwrite `CurrentUserId` in `.data` with `10` (`BOOTSTRAP_SUPERUSERID`)
3. **Container RCE** โ€” with superuser privileges, `COPY (SELECT '') TO PROGRAM ''` executes OS commands as the `postgres` user **inside the container**. In a real deployment without Docker, this means OS-level access on the database host.

Because the ASLR layout is identical across all connections to the same postmaster process, addresses leaked on one connection remain valid on the next.

---

## Useful References

- NVD: CVE-2026-2005
- Technical writeup: https://www.zeroday.cloud/blog/postgres-xint
- PostgreSQL pgcrypto source: `pgcrypto/pgp-pubenc.c`
- Symbol resolution: `objdump -t $(which postgres) | grep CurrentUserId`

---

## Teardown

```bash
docker compose down -v
```

---

## Legal

This lab is for authorized security research and education only. Run it only on systems you own or have explicit permission to test.